Medusa.js

Medusa.js is an open-source headless e-commerce platform that provides API-driven backend services for custom storefronts. It serves product catalogs, cart, and order data through REST and GraphQL endpoints. Browser-side scripts are determined by the storefront implementation rather than Medusa itself.

Overview

Medusa.js is an open-source, MIT-licensed headless commerce platform that provides a modular backend for building custom e-commerce storefronts. Unlike SaaS e-commerce platforms, Medusa runs on the merchant's own infrastructure and does not introduce third-party tracking scripts. The framework provides REST and GraphQL APIs for cart, product, order, and customer management; browser-side behavior is entirely determined by the storefront the developer builds on top of it.

What This Script Does

Medusa.js itself does not ship browser-side tracking scripts. Client-side behavior depends entirely on the storefront implementation:

  • Storefront API calls: The browser-side storefront (typically built with Next.js, Nuxt, or a custom framework) makes API requests to the Medusa backend at the merchant's own domain or a dedicated API subdomain (e.g., api.store.com). These are first-party requests.
  • Cart and session state: Session tokens and cart state are typically managed via cookies or localStorage set by the storefront application, scoped to the merchant's domain. Medusa's backend issues JWT tokens or session identifiers for authenticated customer flows.
  • No third-party beacons: Medusa does not send data to Medusa Inc.'s servers from the browser. There is no telemetry, analytics, or tracking code bundled into Medusa's client-side packages.
  • Plugin ecosystem: Third-party analytics or payment plugins integrated with Medusa (e.g., Stripe.js, Segment, Klaviyo) are independent of Medusa itself and have their own consent requirements.

Consent & Compliance

GDPR and ePrivacy: Medusa.js is self-hosted open-source infrastructure. It does not impose any third-party data flows from the browser. Cart and authentication cookies are strictly necessary for the e-commerce functionality and are exempt from consent requirements under the ePrivacy Directive. The merchant is the sole data controller for all data processed through their Medusa implementation.

CCPA/CPRA: No personal information is transmitted to Medusa's servers from the browser. The merchant's own data practices govern all consumer data collected through the storefront.

This vendor is classified as essential and functional. It is backend infrastructure with no third-party tracking footprint.

Should You Block This Without Consent?

No.

Medusa.js is self-hosted open-source e-commerce infrastructure. There are no third-party tracking scripts to block. Consent management for a Medusa-based store should focus on the third-party tools the developer chooses to integrate (analytics platforms, ad pixels, payment processors) rather than Medusa itself.

Consent Categories

Essential
Functional

Also Known As

medusa js, medusajs, headless ecommerce, medusa commerce, open source ecommerce consent

Industries

Programming and Developer Software; Computers Electronics and Technology

Tracked Domains (1)

medusajs.com: Essential

Frequently Asked Questions

Does Medusa.js require cookie consent?

No, not for essential operations. Medusa.js is an open-source headless e-commerce backend that powers cart, order, and product data through APIs. Session and cart cookies are essential for store functionality and are exempt from consent requirements under GDPR. No marketing or behavioral tracking is inherent to the platform.

What cookies does Medusa.js set?

Medusa.js sets session cookies to maintain cart state, authenticate users, and manage checkout flow across page navigations. These are strictly functional cookies required for e-commerce operations. No third-party tracking or behavioral profiling cookies are set by Medusa.js itself.

How does ConsentStack handle Medusa.js?

ConsentStack classifies Medusa.js as Essential and Functional. Cart and session cookies are treated as essential and are never blocked regardless of consent status. ConsentStack does not interfere with Medusa.js API calls or storefront functionality, ensuring checkout remains operational for all visitors.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.
