How to Detect OneTrust on Any Website (2026)
OneTrust is one of the most widely deployed cookie consent and privacy management platforms on the web. If a site pops a “We value your privacy” banner asking you to accept or reject cookie categories, there is a good chance OneTrust is behind it. Knowing which sites run OneTrust — and which run a competing consent management platform — is useful for competitive research, privacy and compliance mapping, and building technographic lead lists for anyone selling privacy tooling, consent management, or martech.
The good news for detection is that OneTrust cannot hide. To render a consent banner and gate other scripts behind it, OneTrust has to load its JavaScript into the page from a recognizable CDN, and that script tag sits right in the served HTML. This guide explains exactly what OneTrust leaves behind, how to check for it manually with curl, and how to detect it programmatically — including across thousands of domains — with the DetectZeStack API.
What Is OneTrust and Why Detect It
OneTrust is a cloud-based data privacy management compliance platform. Its best-known feature on the public web is the cookie consent banner — the interstitial that asks visitors to accept or reject categories like “Strictly Necessary,” “Performance,” and “Targeting” cookies. Because it is a consent management platform (CMP), OneTrust typically loads early and can block or defer analytics and marketing tags until the visitor has made a choice, which is what keeps a site GDPR- and CCPA-aligned.
There are several practical reasons to detect it:
- Technographic prospecting — If you sell a competing CMP, a privacy-friendly analytics tool, or compliance services, a list of sites already running OneTrust is a list of companies that have decided consent management is worth paying for.
- Compliance and privacy mapping — Knowing which of your vendors, partners, or acquisition targets run a mature CMP is a small but real signal about their privacy posture.
- Competitive intelligence — Seeing whether a competitor uses OneTrust, Cookiebot, or a newer option tells you something about their stack and budget. OneTrust skews enterprise.
- Market segmentation — Splitting a domain list by CMP vendor lets you size the installed base for each platform before a launch or a campaign.
How OneTrust Shows Up on a Website
Every OneTrust integration has to download its consent SDK before it can render a banner or store a preference. That happens through a standard <script> tag pointing at OneTrust’s CDN. Because the tag lives in the served HTML, you can detect OneTrust without executing any JavaScript — a plain HTTP fetch of the page is enough. DetectZeStack matches on exactly these static, source-level signals, so detection works from the raw HTML and response headers.
Cookie Banner and Script Signatures
The most reliable fingerprints are the script source, the consent cookie, and the banner container:
- The script source — A
<script src>loaded fromcdn.cookielaw.org(OneTrust’s consent CDN), most commonly the stub loaderotSDKStub.js. Older or self-hosted deployments may load the SDK fromoptanon.blob.core.windows.netinstead. The tag usually carries adata-domain-scriptattribute holding the site’s OneTrust script ID. - The consent cookie — OneTrust writes an
OptanonConsentcookie (and oftenOptanonAlertBoxClosed) to record the visitor’s choices. TheOptanonConsentcookie in aSet-Cookieresponse header is a strong tell. - The banner DOM markers — The consent UI renders into containers with recognizable IDs such as
#onetrust-banner-sdkand#onetrust-consent-sdk, and legacy deployments use the.optanon-alert-box-wrapperclass. These are what you would eyeball in DevTools.
Any one of these on its own is a good signal; together they are unambiguous. Because “Optanon” is OneTrust’s original product name, the Optanon prefix on cookies and classes is a durable OneTrust marker even as the branding has changed.
DNS and Subdomain Fingerprints
OneTrust delivers its SDK from a small, stable set of hostnames, which makes those subdomains a reliable network-level fingerprint. When you load a OneTrust-protected page and watch the Network tab, you will typically see requests to:
cdn.cookielaw.org— the primary consent CDN that servesotSDKStub.js, the auto-blocking scriptOtAutoBlock.js, and the per-site consent bundle.geolocation.onetrust.com— the endpoint OneTrust calls to decide which regional consent rules to apply.optanon.blob.core.windows.net— an Azure Blob Storage host some deployments load the SDK from.
Note: OneTrust is detected from the page HTML and response headers rather than from a DNS record on the site’s own domain — the cdn.cookielaw.org and onetrust.com hostnames belong to OneTrust, not to the site you are scanning. That is why source-level detection is the right tool here: DetectZeStack returns OneTrust with source: "http", matched on the script tag and cookie in the served response.
Manual Ways to Detect OneTrust
For a one-off check, you do not need any tooling beyond a browser and curl.
In the browser: open DevTools, go to the Network tab, reload the page, and filter for cookielaw or onetrust. If you see a request to cdn.cookielaw.org/scripttemplates/otSDKStub.js, the site uses OneTrust. You can also search the page source (Ctrl/Cmd+U) for the string onetrust or Optanon, or open the Application tab and look for the OptanonConsent cookie.
From the command line: fetch the HTML and grep for the markers. This is faster and scriptable:
$ curl -s https://example.com | grep -ioE "cdn\.cookielaw\.org|otSDKStub\.js|onetrust-banner-sdk|Optanon"
cdn.cookielaw.org
otSDKStub.js
onetrust-banner-sdk
If that returns matches, the page is loading OneTrust. The limitation of the manual approach is that it only inspects the first HTML response. Some sites inject the OneTrust stub via a tag manager, or only on certain routes, so a single homepage fetch can miss it — and that is where an API that handles the fetch and parsing for you saves time.
Detect OneTrust at Scale With the DetectZeStack API
The DetectZeStack API fetches the page, parses the HTML and headers, and matches them against thousands of technology fingerprints in one request. OneTrust comes back under the Cookie compliance category, right alongside the rest of the site’s stack — framework, CMS, analytics, CDN, and more — so a single call tells you whether the site uses OneTrust and what else it is built on.
Single-Site curl Example
The /demo endpoint needs no API key, which makes it perfect for a quick check. Pass the target URL as a query parameter:
$ curl -s "https://detectzestack.com/demo?url=https://example.com" | python3 -m json.tool
The response is a single JSON object. Trimmed to the relevant fields, a OneTrust hit looks like this:
{
"url": "https://example.com",
"domain": "example.com",
"technologies": [
{
"name": "OneTrust",
"categories": ["Cookie compliance"],
"confidence": 100,
"description": "OneTrust is a cloud-based data privacy management compliance platform.",
"website": "https://www.onetrust.com",
"icon": "OneTrust.svg",
"source": "http",
"version": "",
"cpe": ""
}
],
"categories": { "Cookie compliance": ["OneTrust"] },
"meta": { "status_code": 200, "tech_count": 12, "scan_depth": "full" },
"cached": false,
"response_ms": 1637
}
The "name": "OneTrust" entry under the Cookie compliance category is your answer. The source: "http" field shows the match came from the page HTML and headers, and confidence: 100 reflects a direct fingerprint match on the script tag or cookie. Note that response_ms and cached are top-level fields, while meta holds only status_code, tech_count, and scan_depth.
For production use, the /analyze endpoint has the same response shape but is authenticated and not rate-limited per IP the way the demo is. Calls go through RapidAPI with your key:
$ curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://example.com" \
-H "X-RapidAPI-Key: YOUR_KEY" \
-H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
| jq '.technologies[] | select(.name == "OneTrust")'
If OneTrust is detected, that pipe prints exactly the matching object. If the site does not use OneTrust, the jq filter prints nothing — an empty result is a clean negative.
Batch-Scanning Many Domains
Manually checking one site at a time does not scale to a prospect list. The POST /analyze/batch endpoint accepts up to 10 URLs per request and analyzes them concurrently, returning the full technology stack for each:
$ curl -s -X POST "https://detectzestack.p.rapidapi.com/analyze/batch" \
-H "X-RapidAPI-Key: YOUR_KEY" \
-H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
-H "Content-Type: application/json" \
-d '{"urls": ["example.com", "stripe.com", "github.com"]}'
The response wraps one result object per URL, each with the same shape as a single /analyze response:
{
"results": [
{ "url": "example.com", "result": { "...full analysis..." : "" } },
{ "url": "stripe.com", "result": { "...full analysis..." : "" } },
{ "url": "github.com", "result": { "...full analysis..." : "" } }
],
"total_ms": 2288,
"successful": 3,
"failed": 0
}
Because each result matches the single-domain shape, the filtering logic is identical whether you scan one domain or a thousand. Here is a copy-pasteable bash pipeline that reads domains.txt (one domain per line), checks each one, and appends every domain where OneTrust is detected to onetrust_sites.csv:
#!/usr/bin/env bash
# Requires: curl, jq. Reads domains.txt, writes onetrust_sites.csv
RAPIDAPI_KEY="YOUR_KEY"
: > onetrust_sites.csv
while read -r domain; do
[ -z "$domain" ] && continue
has_onetrust=$(curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://$domain" \
-H "X-RapidAPI-Key: $RAPIDAPI_KEY" \
-H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
| jq -r '[.technologies[].name] | index("OneTrust") // empty')
if [ -n "$has_onetrust" ]; then
echo "$domain,OneTrust" >> onetrust_sites.csv
echo "HIT: $domain"
fi
sleep 0.5
done < domains.txt
For a deeper treatment of batch throughput, retries, and a production-grade Python scanner, see how to batch scan 1,000 websites.
Reading the API Response
The key fields to read on a OneTrust scan are:
categories["Cookie compliance"]— the fastest way to check for any consent platform. If the array contains"OneTrust", you have a hit; if it contains a different name, the site runs a competing CMP.technologies[].source—"http"for OneTrust, confirming the match came from the served HTML and headers rather than from DNS.technologies[].confidence—100on a direct fingerprint match against the script tag or theOptanonConsentcookie.meta.tech_count— the total number of technologies detected on the page, so you can see OneTrust in the context of the full stack.
Because OneTrust returns under a named category, you can pivot the same scan into a market map: run a domain list through /analyze, collect the Cookie compliance array for each, and tally the vendors to size each platform’s installed base across your list.
Other Cookie Consent Platforms You Can Detect
OneTrust is the enterprise heavyweight, but it is far from the only CMP. The same Cookie compliance category surfaces a range of consent platforms, each identified from its own script source or DOM markers in the page:
| Platform | Primary HTML Signal | Category |
|---|---|---|
| OneTrust | script: cdn.cookielaw.org / otSDKStub.js | Cookie compliance |
| Cookiebot | script: consent.cookiebot.com | Cookie compliance |
| Usercentrics | script: *.usercentrics.eu | Cookie compliance |
| Quantcast Choice | script: quantcast.mgr.consensu.org | Cookie compliance |
| TrustArc | script: consent.trustarc.com | Cookie compliance |
| Didomi | script: sdk.privacy-center.org/.../loader.js | Cookie compliance |
| iubenda | script: iubenda.com/ | Cookie compliance |
| Osano | script: cookieconsent.min.js | Cookie compliance |
| Termly | script: app.termly.io/embed.min.js | Cookie compliance |
Because they all return under the same category, a single scan tells you not just whether a site has a consent banner but which vendor it chose — a useful split when you are segmenting a market or sizing a competitor’s footprint.
Common Use Cases for OneTrust Detection
- Lead lists for privacy and martech tools — Filter a domain list down to sites already investing in consent management, then segment by which CMP they run.
- Migration targets — If you offer a lighter or cheaper CMP, sites on OneTrust are your switch candidates; sites on no CMP at all are your greenfield.
- Compliance and vendor review — Confirm that partners or acquisition targets run a mature consent platform before signing.
- Stack profiling — Combine OneTrust detection with other signals — Google Tag Manager, Google Analytics, and HubSpot — for a complete picture of a site’s front-end. OneTrust usually sits in front of exactly those tags, deferring them until consent is given.
Pro tip: Some sites load the OneTrust stub through a tag manager rather than a hardcoded script tag, so it can be absent from a raw homepage fetch but present once tags fire. If a homepage scan comes back without OneTrust but you can see the banner in a browser, try a deeper route or cross-check the OptanonConsent cookie in the response headers.
Get Started
Detecting OneTrust on one page takes a single curl against the free /demo endpoint. Detecting it across an entire market takes an API key and the batch endpoint. To get started:
- Smoke test the response shape with
curl "https://detectzestack.com/demo?url=https://example.com"— no key required. - Sign up at rapidapi.com/mlugoapx/api/detectzestack and copy your
x-rapidapi-key. The free tier is 100 requests per month with no credit card. - Run the
/analyzeexample above against a domain you control. - Check the
technologies[]array for aOneTrustentry under theCookie compliancecategory — that’s your answer.
Conclusion
OneTrust has to load its consent SDK to function, and that script tag — otSDKStub.js from cdn.cookielaw.org — is sitting in the page HTML for anyone to read, backed by the OptanonConsent cookie and the #onetrust-banner-sdk DOM container. That makes it reliably detectable with nothing more than an HTTP fetch and a pattern match. For a single page, curl and grep get you there. For a list of domains, the DetectZeStack API returns OneTrust under the Cookie compliance category alongside Cookiebot, Usercentrics, and the rest of the site’s stack, so you can turn a raw domain list into a segmented, CMP-confirmed dataset in one pass.
Related Reading
- How to Detect Google Tag Manager — The tag manager that often loads the OneTrust stub, surfaced from the page HTML
- How to Detect Google Analytics — The analytics tag OneTrust most often defers until consent
- How to Detect HubSpot — Another marketing tag that consent platforms gate on the same pages
- How to Detect reCAPTCHA — A different script-tag fingerprint, surfaced the same way
- How to Batch Scan 1,000 Websites — Throughput, retries, and a production Python scanner
Try DetectZeStack Free
100 requests per month, no credit card required. OneTrust, Cookiebot, and full tech-stack detection on every plan.
Get Your Free API Key