Skip to content

IAB TCF v2.3 Support

Last updated: February 21, 2026

Cybexo CMP supports IAB Transparency and Consent Framework (TCF) v2.3, including handling for the Disclosed Vendors segment.

This page documents implementation behavior and verification checkpoints for TCF v2.3 integrations.

Cybexo CMP supports:

  • IAB TCF v2.3
  • Disclosed Vendors segment handling (segment type 1)
  • Allowed Vendors segment handling (segment type 2)
  • Special Purpose 3 handling in accordance with TCF v2.3 requirements.
  • Consent-first baseline for Purposes 3 to 6
  1. CMP initializes policy and vendor metadata.
  2. User receives default and then interactive consent UI.
  3. User choice updates the TC string.
  4. TC string is retrievable through TCF API integration points.
  5. Subsequent consent changes generate updated strings.

Run in browser console:

typeof __tcfapi

Expected result: function.

typeof window.__tcfapi

Expected result: function.

__tcfapi('ping', 2, (res, ok) => console.log('ok:', ok, res));

Expected result: ok: true with CMP status fields.

__tcfapi('getTCData', 2, (data, ok) => {
console.log('ok:', ok, 'eventStatus:', data && data.eventStatus, 'tcString:', data && data.tcString);
});

Expected result: ok: true. tcString should be present once CMP is initialized and may update after user interaction.

Optional (listen for changes):

__tcfapi('addEventListener', 2, (tcData, success) => {
if (!success) return;
console.log('eventStatus:', tcData.eventStatus, 'tcString:', tcData.tcString);
});

5. Mobile SDK Verification (iOS / Android)

Section titled “5. Mobile SDK Verification (iOS / Android)”

Decode generated TC strings and verify:

  • VendorsDisclosedSegmentType = 1
  • VendorsAllowedSegmentType = 2
  • Accept All: VendorsDisclosed and VendorsAllowed contain configured vendor IDs
  • Reject All: consent vectors are empty/false, but disclosed/allowed segments remain present per configuration
  • __tcfapi unavailable due to script ordering or blocked loader.
  • TC string missing because consent flow did not complete.
  • Duplicate CMP scripts causing state conflicts.
  • CSP blocking required loader/API domains.
  1. Confirm CMP script appears exactly once in document head.
  2. Confirm __tcfapiLocator frame exists (commonly used by TCF integrations).
  3. Validate consent UI renders and stores a decision.
  4. Re-run TCF checks using private browser session.
  5. Capture debug output before opening support tickets.

See TCF API Validation and Troubleshooting Playbook.