How to Detect OneTrust on Any Website (2026)

July 6, 2026 · 9 min read

OneTrust is one of the most widely deployed cookie consent and privacy management platforms on the web. If a site pops a “We value your privacy” banner asking you to accept or reject cookie categories, there is a good chance OneTrust is behind it. Knowing which sites run OneTrust — and which run a competing consent management platform — is useful for competitive research, privacy and compliance mapping, and building technographic lead lists for anyone selling privacy tooling, consent management, or martech.

The good news for detection is that OneTrust cannot hide. To render a consent banner and gate other scripts behind it, OneTrust has to load its JavaScript into the page from a recognizable CDN, and that script tag sits right in the served HTML. This guide explains exactly what OneTrust leaves behind, how to check for it manually with curl, and how to detect it programmatically — including across thousands of domains — with the DetectZeStack API.

What Is OneTrust and Why Detect It

OneTrust is a cloud-based data privacy management compliance platform. Its best-known feature on the public web is the cookie consent banner — the interstitial that asks visitors to accept or reject categories like “Strictly Necessary,” “Performance,” and “Targeting” cookies. Because it is a consent management platform (CMP), OneTrust typically loads early and can block or defer analytics and marketing tags until the visitor has made a choice, which is what keeps a site GDPR- and CCPA-aligned.

There are several practical reasons to detect it:

How OneTrust Shows Up on a Website

Every OneTrust integration has to download its consent SDK before it can render a banner or store a preference. That happens through a standard <script> tag pointing at OneTrust’s CDN. Because the tag lives in the served HTML, you can detect OneTrust without executing any JavaScript — a plain HTTP fetch of the page is enough. DetectZeStack matches on exactly these static, source-level signals, so detection works from the raw HTML and response headers.

Cookie Banner and Script Signatures

The most reliable fingerprints are the script source, the consent cookie, and the banner container:

Any one of these on its own is a good signal; together they are unambiguous. Because “Optanon” is OneTrust’s original product name, the Optanon prefix on cookies and classes is a durable OneTrust marker even as the branding has changed.

DNS and Subdomain Fingerprints

OneTrust delivers its SDK from a small, stable set of hostnames, which makes those subdomains a reliable network-level fingerprint. When you load a OneTrust-protected page and watch the Network tab, you will typically see requests to:

Note: OneTrust is detected from the page HTML and response headers rather than from a DNS record on the site’s own domain — the cdn.cookielaw.org and onetrust.com hostnames belong to OneTrust, not to the site you are scanning. That is why source-level detection is the right tool here: DetectZeStack returns OneTrust with source: "http", matched on the script tag and cookie in the served response.

Manual Ways to Detect OneTrust

For a one-off check, you do not need any tooling beyond a browser and curl.

In the browser: open DevTools, go to the Network tab, reload the page, and filter for cookielaw or onetrust. If you see a request to cdn.cookielaw.org/scripttemplates/otSDKStub.js, the site uses OneTrust. You can also search the page source (Ctrl/Cmd+U) for the string onetrust or Optanon, or open the Application tab and look for the OptanonConsent cookie.

From the command line: fetch the HTML and grep for the markers. This is faster and scriptable:

$ curl -s https://example.com | grep -ioE "cdn\.cookielaw\.org|otSDKStub\.js|onetrust-banner-sdk|Optanon"
cdn.cookielaw.org
otSDKStub.js
onetrust-banner-sdk

If that returns matches, the page is loading OneTrust. The limitation of the manual approach is that it only inspects the first HTML response. Some sites inject the OneTrust stub via a tag manager, or only on certain routes, so a single homepage fetch can miss it — and that is where an API that handles the fetch and parsing for you saves time.

Detect OneTrust at Scale With the DetectZeStack API

The DetectZeStack API fetches the page, parses the HTML and headers, and matches them against thousands of technology fingerprints in one request. OneTrust comes back under the Cookie compliance category, right alongside the rest of the site’s stack — framework, CMS, analytics, CDN, and more — so a single call tells you whether the site uses OneTrust and what else it is built on.

Single-Site curl Example

The /demo endpoint needs no API key, which makes it perfect for a quick check. Pass the target URL as a query parameter:

$ curl -s "https://detectzestack.com/demo?url=https://example.com" | python3 -m json.tool

The response is a single JSON object. Trimmed to the relevant fields, a OneTrust hit looks like this:

{
  "url": "https://example.com",
  "domain": "example.com",
  "technologies": [
    {
      "name": "OneTrust",
      "categories": ["Cookie compliance"],
      "confidence": 100,
      "description": "OneTrust is a cloud-based data privacy management compliance platform.",
      "website": "https://www.onetrust.com",
      "icon": "OneTrust.svg",
      "source": "http",
      "version": "",
      "cpe": ""
    }
  ],
  "categories": { "Cookie compliance": ["OneTrust"] },
  "meta": { "status_code": 200, "tech_count": 12, "scan_depth": "full" },
  "cached": false,
  "response_ms": 1637
}

The "name": "OneTrust" entry under the Cookie compliance category is your answer. The source: "http" field shows the match came from the page HTML and headers, and confidence: 100 reflects a direct fingerprint match on the script tag or cookie. Note that response_ms and cached are top-level fields, while meta holds only status_code, tech_count, and scan_depth.

For production use, the /analyze endpoint has the same response shape but is authenticated and not rate-limited per IP the way the demo is. Calls go through RapidAPI with your key:

$ curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://example.com" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
  | jq '.technologies[] | select(.name == "OneTrust")'

If OneTrust is detected, that pipe prints exactly the matching object. If the site does not use OneTrust, the jq filter prints nothing — an empty result is a clean negative.

Batch-Scanning Many Domains

Manually checking one site at a time does not scale to a prospect list. The POST /analyze/batch endpoint accepts up to 10 URLs per request and analyzes them concurrently, returning the full technology stack for each:

$ curl -s -X POST "https://detectzestack.p.rapidapi.com/analyze/batch" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
  -H "Content-Type: application/json" \
  -d '{"urls": ["example.com", "stripe.com", "github.com"]}'

The response wraps one result object per URL, each with the same shape as a single /analyze response:

{
  "results": [
    { "url": "example.com", "result": { "...full analysis..." : "" } },
    { "url": "stripe.com",  "result": { "...full analysis..." : "" } },
    { "url": "github.com",  "result": { "...full analysis..." : "" } }
  ],
  "total_ms": 2288,
  "successful": 3,
  "failed": 0
}

Because each result matches the single-domain shape, the filtering logic is identical whether you scan one domain or a thousand. Here is a copy-pasteable bash pipeline that reads domains.txt (one domain per line), checks each one, and appends every domain where OneTrust is detected to onetrust_sites.csv:

#!/usr/bin/env bash
# Requires: curl, jq. Reads domains.txt, writes onetrust_sites.csv
RAPIDAPI_KEY="YOUR_KEY"
: > onetrust_sites.csv

while read -r domain; do
  [ -z "$domain" ] && continue
  has_onetrust=$(curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://$domain" \
    -H "X-RapidAPI-Key: $RAPIDAPI_KEY" \
    -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
    | jq -r '[.technologies[].name] | index("OneTrust") // empty')
  if [ -n "$has_onetrust" ]; then
    echo "$domain,OneTrust" >> onetrust_sites.csv
    echo "HIT: $domain"
  fi
  sleep 0.5
done < domains.txt

For a deeper treatment of batch throughput, retries, and a production-grade Python scanner, see how to batch scan 1,000 websites.

Reading the API Response

The key fields to read on a OneTrust scan are:

Because OneTrust returns under a named category, you can pivot the same scan into a market map: run a domain list through /analyze, collect the Cookie compliance array for each, and tally the vendors to size each platform’s installed base across your list.

Other Cookie Consent Platforms You Can Detect

OneTrust is the enterprise heavyweight, but it is far from the only CMP. The same Cookie compliance category surfaces a range of consent platforms, each identified from its own script source or DOM markers in the page:

PlatformPrimary HTML SignalCategory
OneTrust script: cdn.cookielaw.org / otSDKStub.js Cookie compliance
Cookiebot script: consent.cookiebot.com Cookie compliance
Usercentrics script: *.usercentrics.eu Cookie compliance
Quantcast Choice script: quantcast.mgr.consensu.org Cookie compliance
TrustArc script: consent.trustarc.com Cookie compliance
Didomi script: sdk.privacy-center.org/.../loader.js Cookie compliance
iubenda script: iubenda.com/ Cookie compliance
Osano script: cookieconsent.min.js Cookie compliance
Termly script: app.termly.io/embed.min.js Cookie compliance

Because they all return under the same category, a single scan tells you not just whether a site has a consent banner but which vendor it chose — a useful split when you are segmenting a market or sizing a competitor’s footprint.

Common Use Cases for OneTrust Detection

Pro tip: Some sites load the OneTrust stub through a tag manager rather than a hardcoded script tag, so it can be absent from a raw homepage fetch but present once tags fire. If a homepage scan comes back without OneTrust but you can see the banner in a browser, try a deeper route or cross-check the OptanonConsent cookie in the response headers.

Get Started

Detecting OneTrust on one page takes a single curl against the free /demo endpoint. Detecting it across an entire market takes an API key and the batch endpoint. To get started:

  1. Smoke test the response shape with curl "https://detectzestack.com/demo?url=https://example.com" — no key required.
  2. Sign up at rapidapi.com/mlugoapx/api/detectzestack and copy your x-rapidapi-key. The free tier is 100 requests per month with no credit card.
  3. Run the /analyze example above against a domain you control.
  4. Check the technologies[] array for a OneTrust entry under the Cookie compliance category — that’s your answer.

Conclusion

OneTrust has to load its consent SDK to function, and that script tag — otSDKStub.js from cdn.cookielaw.org — is sitting in the page HTML for anyone to read, backed by the OptanonConsent cookie and the #onetrust-banner-sdk DOM container. That makes it reliably detectable with nothing more than an HTTP fetch and a pattern match. For a single page, curl and grep get you there. For a list of domains, the DetectZeStack API returns OneTrust under the Cookie compliance category alongside Cookiebot, Usercentrics, and the rest of the site’s stack, so you can turn a raw domain list into a segmented, CMP-confirmed dataset in one pass.

Related Reading

Try DetectZeStack Free

100 requests per month, no credit card required. OneTrust, Cookiebot, and full tech-stack detection on every plan.

Get Your Free API Key

Get API updates and tech detection tips

Join the mailing list. No spam, unsubscribe anytime.