IAB TCF v2.3 Support
Last updated: February 21, 2026
Cybexo CMP supports IAB Transparency and Consent Framework (TCF) v2.3, including handling for the Disclosed Vendors segment.
1. Scope
Section titled “1. Scope”This page documents implementation behavior and verification checkpoints for TCF v2.3 integrations.
2. Explicit Support Statement
Section titled “2. Explicit Support Statement”Cybexo CMP supports:
- IAB TCF v2.3
- Disclosed Vendors segment handling (segment type 1)
- Allowed Vendors segment handling (segment type 2)
- Special Purpose 3 handling in accordance with TCF v2.3 requirements.
- Consent-first baseline for Purposes 3 to 6
3. TC String Lifecycle
Section titled “3. TC String Lifecycle”- CMP initializes policy and vendor metadata.
- User receives default and then interactive consent UI.
- User choice updates the TC string.
- TC string is retrievable through TCF API integration points.
- Subsequent consent changes generate updated strings.
4. Verification Commands
Section titled “4. Verification Commands”Run in browser console:
typeof __tcfapiExpected result: function.
typeof window.__tcfapiExpected result: function.
__tcfapi('ping', 2, (res, ok) => console.log('ok:', ok, res));Expected result: ok: true with CMP status fields.
__tcfapi('getTCData', 2, (data, ok) => { console.log('ok:', ok, 'eventStatus:', data && data.eventStatus, 'tcString:', data && data.tcString);});Expected result: ok: true. tcString should be present once CMP is initialized and may update after user interaction.
Optional (listen for changes):
__tcfapi('addEventListener', 2, (tcData, success) => { if (!success) return; console.log('eventStatus:', tcData.eventStatus, 'tcString:', tcData.tcString);});5. Mobile SDK Verification (iOS / Android)
Section titled “5. Mobile SDK Verification (iOS / Android)”Decode generated TC strings and verify:
VendorsDisclosedSegmentType = 1VendorsAllowedSegmentType = 2- Accept All:
VendorsDisclosedandVendorsAllowedcontain configured vendor IDs - Reject All: consent vectors are empty/false, but disclosed/allowed segments remain present per configuration
6. Common Audit Failures
Section titled “6. Common Audit Failures”__tcfapiunavailable due to script ordering or blocked loader.- TC string missing because consent flow did not complete.
- Duplicate CMP scripts causing state conflicts.
- CSP blocking required loader/API domains.
7. Troubleshooting
Section titled “7. Troubleshooting”- Confirm CMP script appears exactly once in document head.
- Confirm
__tcfapiLocatorframe exists (commonly used by TCF integrations). - Validate consent UI renders and stores a decision.
- Re-run TCF checks using private browser session.
- Capture debug output before opening support tickets.