About: developers.ketch.com. Date created: 2026-06-12.
Deploy Ketch's Smart Tag and configure a data subject rights request webhook for automated DSR fulfillment
Add the Ketch Smart Tag to every page: <script defer src='https://global.ketchcdn.com/web/v3/config/{org_code}/{property_code}/boot.js'></script>; replace org_code and property_code with values from your Ketch dashboard.
In the Ketch Console, configure purposes and map each third-party tag or cookie to a purpose; the Smart Tag enforces consent by reading the ketch_preferences cookie and blocking tag execution accordingly.
Register a DSR webhook endpoint in the Ketch Console under Rights > Workflows; Ketch will POST to your endpoint when a data subject submits a rights request (access, deletion, portability).
Validate incoming webhook events by checking the X-Ketch-Signature header against an HMAC-SHA256 of the raw request body using YOUR_KETCH_WEBHOOK_SECRET; reject any request with a mismatched signature.
Fulfill the request in your system (e.g., export user data or delete records), then call the Ketch REST API: POST https://api.ketch.com/v1/rights/requests/{requestId}/status with body {status: 'COMPLETED'} and Authorization: Bearer YOUR_KETCH_TOKEN to close the request.
Test end-to-end by submitting a test DSR via the Ketch hosted privacy center URL, verifying your webhook fires, fulfilling it, and confirming the status update is reflected in the Ketch Console.
Known gotchas
The Ketch Smart Tag boot.js URL is property-specific; using the wrong property_code loads a config that may not match your consent categories or jurisdiction rules.
Ketch webhook payloads include a timestamp; implement replay-attack protection by rejecting webhooks with a timestamp older than 5 minutes.
The DSR status update API call must be made within the SLA configured in your Ketch Console; Ketch will escalate overdue requests to your designated privacy contact if the status is not updated in time.
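The signature check from the webhook validation step and the 5-minute replay window from the gotcha above, combined in one receiver-side function. This is an added example, not Ketch's code. It assumes X-Ketch-Signature carries a hex digest, that the payload timestamp is a JSON field named "timestamp" holding Unix seconds (a hypothetical name), and a 60-second allowance for sender clock drift.

```python
import hashlib
import hmac
import json
import time

MAX_AGE_SECONDS = 5 * 60   # page's replay window: reject anything older than 5 minutes
MAX_FUTURE_SKEW = 60       # assumption: tolerate 60 s of sender clock drift


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received (hex output is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header, now=None):
    """Return (accepted, reason). The body is parsed only after the MAC checks out."""
    if not signature_header:
        return False, "missing signature"
    expected = sign(secret, raw_body).encode()
    supplied = signature_header.strip().lower().encode()
    # compare_digest runs in constant time, so a mismatch leaks no prefix information.
    if not hmac.compare_digest(expected, supplied):
        return False, "signature mismatch"
    try:
        # "timestamp" (Unix seconds) is a hypothetical field name; the MAC covers it
        # because it travels inside the signed body.
        ts = float(json.loads(raw_body)["timestamp"])
    except (ValueError, KeyError, TypeError):
        return False, "missing or malformed timestamp"
    age = (time.time() if now is None else now) - ts
    # Written as a range test so NaN or infinite timestamps are rejected as well.
    if not (-MAX_FUTURE_SKEW <= age <= MAX_AGE_SECONDS):
        return False, "timestamp outside accepted window"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # stands in for YOUR_KETCH_WEBHOOK_SECRET
    body = json.dumps({"requestId": "req-constructed-1", "type": "deletion",
                       "timestamp": int(time.time())}).encode()  # constructed payload
    print(verify_webhook(secret, body, sign(secret, body)))
    print(verify_webhook(secret, body + b" ", sign(secret, body)))
```

Pass the function the request bytes exactly as they arrived; a body that has been parsed and re-serialized by framework middleware will no longer match the signature.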