ErasureDocs
API Reference

SDK HTTP API

GET config and POST consent for publishable keys.

SDK HTTP API

Used by @erasurehq/anumati. Auth: publishable key.
Source: app_docs/sdk/API.md, app_docs/api.md, app_docs/guide/api.md.

Auth

Authorization: Bearer pk_live_…

Compatibility only (not recommended): ?key=pk_live_… may be accepted by the server. Do not use in examples. The SDK package does not send query keys.


GET /api/sdk/v1/config

Loads the published consent snapshot for the project bound to the key.

Caching: ETag from content hash; Cache-Control: public, max-age=60, stale-while-revalidate=600; If-None-Match304.

200 (shape from product SDK API docs):

{
  "projectId": "…",
  "version": {
    "id": "…",
    "number": 3,
    "publishedAt": "ISO-8601",
    "contentHash": "…",
    "consentHash": "…"
  },
  "config": {
    "purposes": [
      {
        "id": "…",
        "key": "analytics",
        "name": "…",
        "description": "…",
        "required": false,
        "categoryId": "…",
        "sortOrder": 0
      }
    ],
    "categories": [{ "id": "…", "name": "Essential", "sortOrder": 0 }],
    "notice": {
      "title": "…",
      "description": "…",
      "acceptLabel": "…",
      "rejectLabel": "…",
      "manageLabel": "…",
      "companyName": "…",
      "logoUrl": "…",
      "primaryColor": "…"
    }
  }
}
codeHTTP
invalid_key401
revoked_key403
no_published_version404
rate_limited429

Draft configuration is never returned.


POST /api/sdk/v1/consent

Append-only consent receipt (collection only — no list/search UI on this public surface).

Body:

{
  "versionId": "…",
  "consentHash": "…",
  "choices": {
    "analytics": true,
    "marketing": false
  },
  "timestamp": "2026-01-01T00:00:00.000Z",
  "sdkVersion": "0.1.0"
}

Server behaviour (documented):

  • Validate key → project
  • Validate body (Zod)
  • Version must belong to the project
  • consentHash must match the version’s computed consent surface
  • Insert append-only ConsentReceipt; never update/delete

timestamp is accepted but not stored (server createdAt is authoritative).
Do not send IP, email, fingerprint, or session identifiers.

201: { "ok": true, "id": "…", "createdAt": "…" }

codeHTTP
invalid_key401
revoked_key403
invalid_body400
invalid_version400
consent_hash_mismatch400

Publishable key management (operator session)

MethodPath
POST/api/platform/projects/:projectId/api-keys
GET/api/platform/projects/:projectId/api-keys
DELETE/api/platform/projects/:projectId/api-keys/:keyId

Full secret shown once on create; thereafter prefix only. Soft revoke via revokedAt (no hard delete).


Versioning policy (SDK / HTTP)

AxisPolicy
Package semvernpm @erasurehq/anumati
HTTP/api/sdk/v1 — breaking changes → /v2
ConfigurationOperator versionNumber 1, 2, 3…
Consent surfaceconsentHash — independent of cosmetic publishes

Additive JSON fields are non-breaking; SDK ignores unknown keys.


SDKs · Publishable keys