GDPR / CCPA API ensures all the rights of users are created or updated for GDPR / CCPA compliance. You can erase the personal data of specific users as defined under GDPR using the Erase API.

For more details on GDPR Compliance with MoEngage, refer to GDPR-Implementation.

For more details on CCPA Compliance with MoEngage, refer to CCPA-Implementation.

API Endpoint


The 'X' in the API Endpoint URL refers to the MoEngage Data Center (DC). MoEngage hosts each customer in a different DC. You can find your DC number (value of X) and replace the value of 'X' in the URL by referring to the DC and API endpoint mapping here.



The APP_ID for your MoEngage account is available on the MoEngage Dashboard in Settings > App Settings > Account Settings > APP ID.

Request Headers


Erase API uses basic authentication to control access to your data.

Basic authentication sends a Base64-encoded string containing username and password for all API requests.

Username and password are available at Settings > APIs > DATA API Settings.

Do the following when you are using the API for the first-time authentication:

  1. Navigate to Settings > APIs > DATA API Settings.
  2. Click Generate Key
  3. Save the details on the Data APIs settings page. User name - DATA API ID Password - DATA API KEY

For example, basic Authentication encodes a 'username:password' using base64 and prepends it with the string 'Basic '. The string is passed in the authorization header as follows:
{"Authorization":"Basic bmF2ZWVua3VtYXI6bW9lbmdhZ2U="}


Authentication is performed using a client like Postman as follows:


Content-Type Header

The content-Type header is mandatory and is set to 'application/json' as follows:

{"Content-Type": "application/json"}

Request body

APP ID Header

Get the APP ID from the MoEngage dashboard under the path: Settings > App Settings > Account Settings > APP ID and send in the header as follows:


Request body

There is a max limit of 100kb per request.

Request Body Fields

Key Description Mandatory
request_type This is used to request for GDPR details or request to erase the GDPR details Yes
submitted_time This identifies the time when the request was sent Yes
identities This provides the details of the user such as email address, phone number, and so on Yes
api_version This identifies the API version used to send the GDPR request. Yes
id This is the unique identifier of a registered user. No
user_secondary_id This is the secondary identifier of a registered user. No
email This is the user email of an unregistered user. No
mobile This is the user mobile of an unregistered user. No
google_advertising_id This is the android device GAID of an unregistered user. No
advertising_identifier This is the iOS device IDFA of an unregistered user No


The response is a JSON object.

GDPR request success

On a successful call, the response is as follows:

  "status": "success",
  "message": "Your request has been accepted and will be processed soon.",
  "request_id": "a7551968-d5d6-44b2-9831-815ac9017798"


The following example describes the request to erase personal data.

Was this article helpful?
0 out of 0 found this helpful

How can we improve this article?