Tickbox.dev

Spec · v0.1.0

UK DUAA · EU GDPR · AI Opt-out

MIT licensed

In production on 3 sites

Cookie consent that doesn't get in your way.

A developer-first SDK with PECR-correct script gating, Consent Mode v2 out of the box, and an auditable trail when you need one. No dark patterns, no compliance theatre.

Or, in your terminal: npx @tickboxhq/cli init

consent.config.ts
// 12 lines. Type-checked. Lives in your repo.
import { defineConsent, jurisdictions } from '@tickboxhq/core'

export default defineConsent({
  jurisdiction: jurisdictions.UK_DUAA,
  policy: { version: '2026-05-17', url: '/privacy' },
  categories: {
    necessary: { required: true },
    analytics: {
      vendors: ['plausible', 'fathom'],
      default: false,
    },
  },
})

Three things we got right.

01 / config

Code-first config

consent.config.ts lives in your repo. Version-controlled, code-reviewed, the same shape across React, Vue, Nuxt and vanilla JS.

02 / gating

PECR-correct script gating

Tag scripts with type="text/plain" and they stay inert until consent. No racy setTimeout hacks. Google Consent Mode v2 wired automatically.
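How gating of this kind can work in the browser, as an added example that is not Tickbox's own code: the data-consent attribute name, the consent object shape and the function names are assumptions, not the SDK's API.

```javascript
// Added illustration, not Tickbox SDK code.
// Assumed markup (constructed sample):
//   <script type="text/plain" data-consent="analytics" src="/stats.js"></script>
// Assumed consent shape: { necessary: true, analytics: false }
const GATED_TYPE = 'text/plain';

// Fail closed: a category that is missing, misspelled or not exactly `true` never runs.
function isAllowed(category, consent) {
  return typeof category === 'string' &&
    Object.prototype.hasOwnProperty.call(consent, category) &&
    consent[category] === true;
}

// Swap each consented inert script for a live clone and return the categories activated.
// Changing `type` on the existing node does not make the browser run it;
// inserting a fresh <script> element does.
function activateGatedScripts(doc, consent) {
  const activated = [];
  const gated = doc.querySelectorAll(`script[type="${GATED_TYPE}"][data-consent]`);
  for (const inert of Array.from(gated)) {
    const category = inert.getAttribute('data-consent');
    if (!isAllowed(category, consent)) continue;
    const live = doc.createElement('script');
    // Copy src, integrity, crossorigin, etc. so SRI checks still apply to the live script.
    for (const { name, value } of Array.from(inert.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated.push(category);
  }
  return activated;
}
```

In a page this would be called as activateGatedScripts(document, consent) each time the visitor's choices change; scripts for refused categories are left untouched as text/plain.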

03 / audit

Audit log when you need it

Drop in @tickboxhq/cloud and every decision lands in a tamper-resistant log. Until then, nothing leaves the visitor's browser.

See it on the page.


One component, <ConsentBannerDefault />. Equal-prominence Accept / Reject by default (ICO & EDPB compliant), light/dark automatically, themeable with three CSS variables — or edited per-site from the dashboard with no redeploy.

Why not just use…

Most consent SDKs are written for the wrong person.

Cookiebot, OneTrust

Built for legal teams. Config lives in a portal you don't control. The banner is a 200kB iframe that breaks Lighthouse.

Usercentrics

Pretty defaults. The SDK still loads from their CDN, and decisions go through their cloud whether you want them to or not.

Tickbox

The whole SDK is npm-installable, MIT-licensed, and runs locally. Cloud is opt-in. Your config is a TypeScript file. Reviewable in a PR. Versioned with git.

In production on

  • tinysystems.io workflow platform
  • pictag.io event photo matching
  • smesolutions.uk AI compliance

Ninety seconds from install to live.

The builder generates your config, the CLI installs the SDK, the banner ships with sensible defaults.