API Documentation
Scan websites for cookie compliance violations programmatically. Works in CI/CD pipelines, scripts, and automation.
Quick Start
Get your API key from your account, then scan any URL in seconds.
Get your API key
Sign up and your API key is shown immediately. It starts with cg_.
Run your first scan
curl -X POST https://cookieguardos.polsia.app/api/v1/scan \
-H "Authorization: Bearer cg_your_key_here" \
-H "Content-Type: application/json" \
-d '{"url": "https://your-site.com"}'Read the results
The response includes every cookie found plus any compliance violations. A "status": "pass" means you're clean.
Authentication
All API requests require your API key as a Bearer token in the Authorization header.
Authorization: Bearer cg_your_api_keyIf your key is invalid, you'll receive a 401 Unauthorized response. Sign up to get a key.
POST /api/v1/scan
Scans a URL for cookies and checks them against compliance rules (GDPR, ePrivacy). Returns within ~30 seconds.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | Full URL to scan (must include https://) |
{
"url": "https://example.com"
}Response Format
{
"success": true,
"scan_id": "scan_1234567890_abc123",
"url": "https://example.com",
"domain": "example.com",
"status": "fail", // "pass" or "fail"
"duration_ms": 813,
"cookies": [
{
"name": "_ga",
"domain": "example.com",
"path": "/",
"secure": true,
"httpOnly": false,
"sameSite": "lax",
"maxAge": 63072000
}
],
"violations": [ /* see Violations section */ ],
"summary": {
"cookie_count": 4,
"violation_count": 2,
"critical": 1,
"high": 1,
"medium": 0,
"low": 0
}
}Error Responses
| Status | Description |
|---|---|
| 400 | Missing or invalid URL |
| 401 | Invalid or missing API key |
| 422 | URL unreachable or timed out |
| 500 | Internal scan error |
Violations
Each violation in the violations array describes a compliance issue found.
{
"rule": "no-tracking-before-consent",
"severity": "critical", // critical | high | medium | low
"type": "consent", // consent | security | retention
"description": "Google Analytics cookie '_ga' set without consent...",
"cookie": "_ga",
"service": "Google Analytics",
"category": "analytics"
}Rules Checked
| Rule | Severity | Description |
|---|---|---|
| no-tracking-before-consent | critical / high | Tracking cookies (Google Analytics, Facebook Pixel, etc.) set before user consent |
| missing-samesite | medium | Cookie missing SameSite attribute |
| excessive-lifetime | medium | Cookie lifetime exceeds GDPR-recommended 13 months |
| missing-secure-flag | low | Cookie missing Secure flag on HTTPS site |
GitHub Action
Block PRs with cookie compliance violations automatically. Add one workflow file and every pull request gets scanned.
Setup
Add your API key as a GitHub Secret
Go to Settings → Secrets → Actions in your repo and add COOKIEGUARD_API_KEY with your key value.
Create the workflow file
Create .github/workflows/cookie-compliance.yml:
# Scans every PR for cookie compliance violations
name: Cookie Compliance
on:
pull_request:
branches: [main, master]
permissions:
pull-requests: write
jobs:
cookie-scan:
runs-on: ubuntu-latest
steps:
- name: Scan for cookie compliance
uses: Polsia-Inc/cookieguardos/github-action@main
with:
url: 'https://your-site.com'
api-key: ${{ secrets.COOKIEGUARD_API_KEY }}
fail-on-violations: 'true'
comment-on-pr: 'true'Open a pull request
The action automatically scans your URL and posts results as a PR comment. Violations block the merge (configurable).
GitHub Action Configuration
| Input | Required | Default | Description |
|---|---|---|---|
| url | Yes | — | URL to scan (e.g. https://your-site.com) |
| api-key | Yes | — | Your CookieGuard API key |
| fail-on-violations | No | true |
Fail the step if violations are found |
| comment-on-pr | No | true |
Post results as a PR comment |
Outputs
| Output | Description |
|---|---|
| status | pass or fail |
| violation-count | Number of violations found |
| cookie-count | Total cookies detected |
| summary | Human-readable summary string |