Didomi consent management

Reference pattern (customer-side webhook)

Ory ships no first-party connector for Didomi. The integration is a webhook handler that you implement: it responds to Didomi events and PATCHes Ory identity metadata. Reference: ory/integrates/consent-privacy/didomi.

Didomi is a consent management platform (CMP) for GDPR, CCPA, and ePrivacy. Sync Didomi consent state into Ory identity metadata so downstream services can read consent decisions alongside identity data, and fulfill data-subject requests (DSARs) through the Ory Admin API.

How it works

When a Didomi consent or DSAR event fires, your webhook verifies the HMAC signature, resolves the matching Ory identity, and PATCHes the identity metadata through the Ory Admin API.

  1. In Didomi, go to Consent Notice, then Webhooks, and configure a webhook to fire on consent events with HMAC-signed payloads.
  2. Deploy a service that:
    • Verifies Didomi's HMAC signature.
    • Resolves the Ory identity by Didomi's user_id (matched to an Ory identity trait or metadata_public.didomi_user_id).
    • PATCHes metadata_public.consent.didomi on the identity.
  3. For DSAR fulfillment:
    • GET /admin/identities/{id} for Article 15 access.
    • DELETE /admin/identities/{id} for Article 17 erasure.
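
The core of the service in step 2, as an added example (not Ory's or Didomi's code): verify the signature over the raw body, resolve the identity, and build the JSON Patch for metadata_public.consent.didomi. Assumptions: the signature is a hex-encoded HMAC-SHA256 of the raw request body, the event carries its decisions in a `consent` field, and `find_identity` is a hypothetical lookup callback you supply.

```python
import hashlib
import hmac
import json

def verify_signature(secret: bytes, raw_body: bytes, signature_hex: str) -> bool:
    # Assumption: hex-encoded HMAC-SHA256 over the exact raw request bytes.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time compare on bytes, so odd header content cannot raise.
    return hmac.compare_digest(expected.encode(), signature_hex.strip().lower().encode())

def build_consent_patch(identity: dict, consent: dict) -> list:
    # RFC 6902 "add" fails when the parent object is missing, so target
    # the deepest node that already exists on this identity.
    meta = identity.get("metadata_public")
    if not isinstance(meta, dict):
        return [{"op": "add", "path": "/metadata_public",
                 "value": {"consent": {"didomi": consent}}}]
    if not isinstance(meta.get("consent"), dict):
        return [{"op": "add", "path": "/metadata_public/consent",
                 "value": {"didomi": consent}}]
    return [{"op": "add", "path": "/metadata_public/consent/didomi", "value": consent}]

def handle_webhook(secret, raw_body, signature_hex, find_identity):
    """Return (http_status, identity_id, json_patch); the caller sends the
    patch to the Ory Admin API as PATCH /admin/identities/{identity_id}."""
    if not verify_signature(secret, raw_body, signature_hex):
        return 401, None, None  # reject before parsing untrusted JSON
    try:
        event = json.loads(raw_body)
        user_id = event["user_id"]            # Didomi's user_id (from the page)
        consent = event.get("consent", {})    # assumed field name
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, None, None
    identity = find_identity(user_id)         # hypothetical lookup callback
    if identity is None:
        return 404, None, None
    return 200, identity["id"], build_consent_patch(identity, consent)

if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed sample values
    body = json.dumps({"user_id": "didomi-123",
                       "consent": {"purposes": {"analytics": True}}}).encode()
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    identity = {"id": "identity-1", "metadata_public": {"didomi_user_id": "didomi-123"}}
    print(handle_webhook(secret, body, sig, lambda uid: identity))
    print(handle_webhook(secret, body + b" ", sig, lambda uid: identity)[0])  # tampered
```

Verify against the bytes as received, before any JSON parsing or re-serialization, because re-encoding the body changes the bytes the signature covers.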

Notable

  • DSAR responses are time-bounded (30 days under GDPR), so design for reliable processing, not best-effort.
  • Consent strings (TCF v2 and Didomi-specific) are long. Store them in metadata_public only, since they aren't credentials.

Resources