TCF Consent String Decoder

Decode an IAB TCF v2.2 consent string in your browser to see the CMP metadata, purpose and vendor grids, and publisher restrictions.

The TCF Consent String Decoder runs entirely in your browser. The consent string you paste is decoded on your device, is never uploaded to ArrayKit, and no Global Vendor List or remote endpoint is contacted.

Open the TCF Consent String Encoder

About TCF Consent String Decoder

The TCF Consent String Decoder unpacks an IAB Transparency & Consent (TC) string so ad-ops and privacy engineers can see exactly what a CMP recorded. Paste the base64url string and it decodes the core segment locally: the CMP id and version, the screen and language the choice was captured on, the created and last-updated timestamps, the Global Vendor List version, and the TCF policy version. It then expands every bitfield into readable id lists — purpose consents, purpose legitimate interests, special feature opt-ins, vendor consents, vendor legitimate interests, and any publisher restrictions. Use it to debug a failing consent handshake, audit what a tag actually stored, or confirm a value before it reaches your ad server. The string is decoded in your browser and never leaves your device.

Features

How to use the TCF Consent String Decoder

  1. Copy the TC string from a CMP cookie, a __tcfapi callback, or an OpenRTB user.ext.consent field
  2. Paste it into the decoder, or click Sample to load an example TC string
  3. Read the CMP metadata, then scan the purpose, special-feature, and vendor grids
  4. Copy any id list to share the exact consent state with your team

Example

Input

COvFyGBOvFyGBAbAAAENAPCAAOAAAAAAAAAAAEEUACCKAAA

Output

CMP 27 · policy v2 · language EN · GVL 15
purposeConsents: 1, 2, 3
vendorConsents: 2, 6, 8

A core-only TC string decoded to its CMP metadata and consent grids.

Common errors & troubleshooting

Frequently asked questions

What is an IAB TCF consent string?
A TCF (Transparency & Consent Framework) string is a compact base64url record that a Consent Management Platform writes to store a user's ad-tech consent choices — which purposes, special features, and vendors they allowed. Ad tags and OpenRTB requests carry it so downstream vendors know what they may do.
Why does the decoder show vendor and purpose numbers instead of names?
Vendor and purpose names live in the IAB Global Vendor List, which is loaded over a network. This tool decodes only the string you paste and makes no network calls, so it shows the numeric ids exactly as encoded. Look an id up in the current Global Vendor List to get the vendor name.
Where do I find the TC string to paste?
It is stored in the euconsent-v2 cookie, returned by the CMP's __tcfapi('getTCData', ...) call, and passed in an OpenRTB bid request as user.ext.consent. Copy any of those base64url values and paste it into the decoder.
What is the difference between service-specific and global scope?
The isServiceSpecific bit records whether consent was stored for one site or service (true) or in the shared global consensu.org scope (false). The decoder surfaces this bit so you can tell how portable the signal is across properties.
Does decoding a TC string change or re-sign it?
No. Decoding is read-only — it interprets the existing bits without re-encoding, re-signing, or altering the string. Your original TC string is unchanged and is only ever read locally in your browser.
Can it read publisher restrictions and extra segments?
Yes. It fully decodes the core segment and lists publisher purpose restrictions with their restriction type and affected vendors. Fields a string does not include — such as absent optional segments — simply show as empty.

Related tools

All ArrayKit tools