PDPA Platform API
A comprehensive REST API for integrating PDPA compliance features into your application. Manage consent, cookie preferences, and data subject requests with simple HTTP requests.
Introduction
The PDPA Platform API provides a simple and secure way to integrate Thailand's Personal Data Protection Act compliance features into your web applications. All endpoints return JSON responses and follow RESTful conventions.
RESTful
Standard HTTP methods and status codes for easy integration.
CORS Enabled
Public endpoints support cross-origin requests from any domain.
Type Safe
Fully typed with TypeScript and OpenAPI documentation.
Base URL
All API requests should be made to the following base URL:
API Keys
Navigate to the API Keys section in your admin dashboard to generate API keys for authenticated endpoints. Public endpoints do not require authentication.
Authentication
The API uses API keys for authentication on protected endpoints. Include your API key in the Authorization header:
Security Best Practices
- Never expose secret API keys in client-side code
- Use Public API endpoints for browser-based consent collection
- Rotate API keys periodically for enhanced security
- Store API keys in environment variables, never in code
Public vs Authenticated Endpoints
Most Public endpoints (/public/*) do not require authentication and are designed to be called directly from browsers for data submission. However, the GET /public/consent/:websiteId/:userId endpoint will require a valid API key starting April 4, 2026. All other non-public endpoints require a valid API key.
Public API
The Public API allows external websites to submit consent data, cookie preferences, data subject requests, and form submissions without requiring authentication. All endpoints are CORS-enabled and accept requests from any origin.
Important
All Public API endpoints require a valid websiteId parameter. The website ID is used to validate and route data to the correct project. You can find your Website ID in the admin dashboard under Website Settings.
Base URL
Available Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /consent/submit | POST | Submit generic consent logs (terms, privacy policy, etc.) |
| /cookie-consent/submit | POST | Submit detailed cookie consent records |
| /data-subject-request/submit | POST | Submit data subject access requests (DSAR) |
| /form/submit | POST | Submit custom form data |
| /form/:formId | GET | Retrieve public form configuration |
| /consent/:websiteId/:userId | GET | Get latest consent data for a user (API key required after 2026-04-04) |
CORS Support
All Public API endpoints support Cross-Origin Resource Sharing (CORS) and accept requests from any domain. This allows you to embed consent collection directly on your websites without proxying through your backend.
Generic Consent Submission
Submit generic consent logs for scenarios like terms of service acceptance, privacy policy acknowledgment, or any consent not tied to a specific form. This endpoint only validates that the website exists.
Submit Generic Consent Log
POST /public/consent/submit
Request Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| websiteId | string | Yes | Website ID |
| userId | string | Yes | User identifier |
| ipAddress | string | Yes | Client IP address |
| deviceType | string | Yes | Desktop, Mobile, or Tablet |
| browserInfo | string | Yes | Browser user agent |
| categories | string[] | Yes | Consent categories |
| status | string | Yes | accepted, rejected, or customized |
| domain | string | No | Domain where consent was given |
| expiresAt | string | No | Expiration date (ISO 8601) |
| tRegConsentId | string | No | T-Reg integration ID |
JavaScript Helper Function
Reusable function for submitting generic consent from any website.
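Added example, not the platform's own helper: it builds the request body from the Request Parameters table with an allow-list, so nothing outside the documented fields (such as a secret key) is sent to the public endpoint. `BASE_URL` is a placeholder, and the function names and injectable `fetchImpl` parameter are assumptions.

```javascript
// Added example. BASE_URL is a placeholder: use the base URL from your dashboard.
const BASE_URL = "https://pdpa.example.invalid/api";

const REQUIRED = ["websiteId", "userId", "ipAddress", "deviceType",
  "browserInfo", "categories", "status"];
const OPTIONAL = ["domain", "expiresAt", "tRegConsentId"];
const DEVICE_TYPES = ["Desktop", "Mobile", "Tablet"];
const STATUSES = ["accepted", "rejected", "customized"];

// Return a payload holding only the documented fields; throw on invalid input.
function buildConsentPayload(input) {
  for (const key of REQUIRED) {
    if (input[key] === undefined || input[key] === null || input[key] === "") {
      throw new Error(`missing required field: ${key}`);
    }
  }
  if (!DEVICE_TYPES.includes(input.deviceType)) throw new Error("invalid deviceType");
  if (!STATUSES.includes(input.status)) throw new Error("invalid status");
  if (!Array.isArray(input.categories) ||
      !input.categories.every((c) => typeof c === "string")) {
    throw new Error("categories must be an array of strings");
  }
  if (input.expiresAt !== undefined && Number.isNaN(Date.parse(input.expiresAt))) {
    throw new Error("expiresAt is not a parseable date");
  }
  const payload = {};
  for (const key of [...REQUIRED, ...OPTIONAL]) {
    // Allow-list copy: undocumented keys (for example a stray apiKey) are dropped.
    if (input[key] !== undefined) payload[key] = input[key];
  }
  return payload;
}

// POST to the public endpoint; no Authorization or x-api-key header is attached.
// fetchImpl is injectable so the function can be exercised without a network.
async function submitConsent(input, fetchImpl = fetch) {
  const res = await fetchImpl(`${BASE_URL}/public/consent/submit`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildConsentPayload(input)),
  });
  if (!res.ok) throw new Error(`consent submit failed: HTTP ${res.status}`);
  return res.json();
}
```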
Use Cases
| Category | Description |
|---|---|
| terms_of_service | Terms of Service acceptance |
| privacy_policy | Privacy Policy acknowledgment |
| marketing | Marketing consent opt-in |
| analytics | Analytics/tracking consent |
Retrieve User Consent Data
GET /public/consent/{websiteId}/{userId}
Retrieve the latest consent data for a specific user on a specific website. This is useful for checking if a user has already given consent before showing consent prompts.
API Key Requirement
Until April 4, 2026: API key is optional (grace period for migration).
After April 4, 2026: A valid project API key in the x-api-key header is required.
Response Fields
| Field | Type | Description |
|---|---|---|
| id | string | Consent log ID |
| websiteId | string \| null | Website ID |
| userId | string | User identifier |
| status | string | Consent status (accepted, rejected, customized) |
| categories | string[] | Array of consent categories |
| ipAddress | string | Client IP address |
| deviceType | string | Device type (Mobile, Tablet, Desktop) |
| browserInfo | string | Browser user agent |
| domain | string \| null | Domain where consent was given |
| expiresAt | string \| null | Expiration date (ISO 8601 format) |
| tRegConsentId | string \| null | T-Reg integration consent ID |
| createdAt | string | Creation timestamp (ISO 8601 format) |
JavaScript Helper - Check Consent Before Prompt
Example of checking existing consent before showing a consent prompt.
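Added example, not the platform's own helper: because this endpoint needs a project API key in `x-api-key` after April 4, 2026, the lookup runs on your backend and hands the browser only what the consent banner needs. `API_BASE` is a placeholder; the `PDPA_API_KEY` variable name, the function names, the `data` envelope key and the reading of 404 as "no record" are assumptions.

```javascript
// Added example for a Node 18+ backend. API_BASE is a placeholder and
// PDPA_API_KEY is an assumed environment variable name.
const API_BASE = "https://pdpa.example.invalid/api";

// Reduce a consent record (fields as in the Response Fields table) to what a
// banner needs. ipAddress and browserInfo are deliberately not passed on.
function toBannerState(record, now = new Date()) {
  if (!record) return { prompt: true, reason: "no-record" };
  const exp = record.expiresAt != null ? Date.parse(record.expiresAt) : null;
  // An unparseable expiresAt is treated as expired, so the user is asked again.
  if (exp !== null && !(exp > now.getTime())) return { prompt: true, reason: "expired" };
  return {
    prompt: false,
    reason: "on-file",
    status: record.status,
    categories: record.categories,
    expiresAt: record.expiresAt ?? null,
  };
}

// Server-side lookup: the key is read from the environment and sent in the
// x-api-key header, so it never reaches browser code.
async function lookupConsent(websiteId, userId, fetchImpl = fetch, env = process.env) {
  const key = env.PDPA_API_KEY;
  if (!key) throw new Error("PDPA_API_KEY is not set");
  // Encode path segments so a crafted userId cannot alter the request path.
  const url = `${API_BASE}/public/consent/` +
    `${encodeURIComponent(websiteId)}/${encodeURIComponent(userId)}`;
  const res = await fetchImpl(url, { headers: { "x-api-key": key } });
  // Assumption: 404 means no consent record exists for this user.
  if (res.status === 404) return toBannerState(null);
  if (!res.ok) throw new Error(`consent lookup failed: HTTP ${res.status}`);
  const body = await res.json();
  // Assumption: the record sits under "data" in the success envelope.
  return toBannerState(body.data ?? body);
}
```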
Data Subject Requests
Allow users to submit data subject access requests (DSAR) directly from your website. This creates a new request in your PDPA Platform dashboard for processing.
Submit Data Subject Request
POST /public/data-subject-request/submit
Request Types
The data_subject field accepts an array of the following values:
| Code | English | Thai |
|---|---|---|
| withdraw_consent | Withdraw Consent | ถอนความยินยอม |
| access | Access | ขอเข้าถึงข้อมูล |
| data_portability | Data Portability | ถ่ายโอนข้อมูล |
| deletion | Deletion | ลบหรือทำลาย |
| correction | Correction | แก้ไขข้อมูล |
| restriction | Restriction | ระงับการใช้ |
| objection | Objection | คัดค้าน |
| source_disclosure | Source Disclosure | เปิดเผยแหล่งที่มา |
DSR Form Component (React)
Complete React component for submitting data subject requests with multiple types.
Form Submission
Submit data to custom consent forms created in your PDPA Platform dashboard. You can also retrieve form configuration to dynamically render forms on your website.
Get Form Configuration
GET /public/form/:formId?websiteId=:websiteId
Response Fields
| Field | Type | Description |
|---|---|---|
| id | string | Form ID |
| eventName | string | Form name/event name |
| fieldsConfig | object | Form field configuration |
| content | object | Bilingual content (en, th) |
| retentionDays | number | Data retention period |
Submit Form Data
POST /public/form/submit
Request Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| formId | string | Yes | Form ID |
| websiteId | string | Yes | Website ID |
| formData | object | Yes | Dynamic form field data |
| language | string | Yes | Language code (en or th) |
| ipAddress | string | No | Client IP (auto-detected) |
| userAgent | string | No | User agent (auto-detected) |
| deviceType | string | No | Device type (auto-detected) |
| browserInfo | string | No | Browser info (auto-detected) |
Complete Form Integration
Dynamic form rendering and submission example.
Form Security
The form endpoint validates that the form exists, is published, and belongs to the specified website. Submissions are only accepted for PUBLISHED forms. Draft or non-existent forms will return a 400/404 error.
Response Format
All API responses follow a consistent JSON structure with a discriminated union pattern for success and error states.
Success Response
Error Response
HTTP Status Codes
| Status | Description |
|---|---|
| 200 OK | Request succeeded |
| 400 Bad Request | Invalid request parameters |
| 401 Unauthorized | Missing or invalid API key |
| 404 Not Found | Resource not found |
| 500 Server Error | Internal server error |