Unified ID 2.0 Glossary

This page defines some key terms used in the UID2 documentation.

A

Advertising ID: Advertising ID is another term for a raw UID2.
Advertising token: Advertising token is another term for a UID2 token.
AKS: AKS is an acronym for Azure Kubernetes Service. For details, see What is Azure Kubernetes Service (AKS)? (Microsoft documentation).; To run an AKS cluster on a confidential container, Microsoft offers a solution to run it on virtual nodes on Microsoft Azure container instances. For details, see Virtual nodes on Azure Container Instances (Microsoft documentation).; In the context of UID2, AKS is one of the supported secure computing environments for hosting a Private Operator.; For details, see UID2 Private Operator for AKS Integration Guide.
API key: Each UID2 participant using a server-side implementation has an API key (client key) and also a secret value associated with the key, called the client secret (API secret). The client secret is known only to the participant and the UID2 service.; For details, see UID2 Credentials.
API secret: See client secret.
App name: In the context of mobile integrations, the app name is the Android application ID, the iOS app store ID, or the iOS bundle identifier.
Authorization header: The Authorization header is a way to authenticate the client to the UID2 service.; For details, see 11.6.2. Authorization in RFC 9110, the HTTP specification.

B

Bearer token: A bearer token is a special string that identifies the client. For authentication, some UID2 endpoints require the client key to be specified as a bearer token in the Authorization header of the request: for example, POST /token/generate.
Bidstream: To place a request for an ad to be placed in an advertising spot (bid request), the publisher sends different pieces of information, so that advertisers can bid on it, generally through an advertising exchange or DSP. The flow of bidding data is the bidstream.; Bidstream data goes from publishers to other entities (depending on the publisher's configuration) and back to the publisher.

C

Client key: See API key.
Client keypair: For client-side publisher integrations, the Subscription ID and public key are the two values issued to publishers to uniquely identify the account. Client keypair is a term we use for these two values together.; For details, see Subscription ID and Public Key.
Client secret: Each UID2 participant using a server-side implementation has an API key (client key) and also a secret value associated with the key, called the client secret (API secret). The client secret is known only to the participant and the UID2 service.; For details, see UID2 Credentials.
Client-server integration: One of the UID2 integration approaches is to integrate partially on the client side and partially on the server side (client-server).; For example, in a client-server integration for a publisher, the UID2 token is generated on the server side and refreshed on the client side.; Examples of documentation for publisher client-server integrations:
- UID2 Client-Server Integration Guide for Prebid.js
- Client-Server Integration Guide for JavaScript
- UID2 Client-Server Integration Guide for Mobile
Client-side integration: One of the UID2 integration approaches is to integrate entirely on the client side.; In a client-side integration, UID2 tokens are generated and refreshed on the client side.; For example, in a client-side integration, advertisers generate UID2 tokens on the client side for tracking pixels, and publishers generate UID2 tokens on the client side for bidstream use, as well as refreshing the tokens.; Examples of documentation for publisher client-side integrations:
- UID2 Client-Side Integration Guide for Prebid.js
- Client-Side Integration Guide for JavaScript
- UID2 Client-Side Integration Guide for Mobile
Closed Operator: Closed Operator is another term for a Private Operator.
Confidential Computing (GCP): A Confidential Computing solution from Google Cloud Platform (GCP), Confidential Space, that is supported for hosting a UID2 Private Operator.; For details, see Confidential Space.
Confidential containers (Azure): Confidential Containers is the name of a secure confidential computing option from Microsoft Azure. Each Confidential Containers implementation runs in a hardware-backed Trusted Execution Environment (TEE) that provides intrinsic capabilities such as data integrity, data confidentiality, and code integrity.; In the context of UID2, Confidential Containers from Azure is one of the supported secure computing environments for hosting a Private Operator.; For details, see UID2 Private Operator for Azure Integration Guide.
Confidential Space (GCP): Confidential Space is one of the Confidential Computing options from Google Cloud Platform (GCP). Confidential Space offers a secure enclave environment, known as a Trusted Execution Environment (TEE).; In the context of UID2, GCP Confidential Space is one of the supported secure computing environments for hosting a Private Operator.; For details, see UID2 Private Operator for GCP Integration Guide.
Core Service: The UID2 Core Service is a centralized service that manages access to secret salts, encryption keys, and other relevant data in the UID2 ecosystem.; For an overview of all the UID2 services, see UID2 Component Services.

D

Data provider: In the context of UID2, a data provider is any entity that provides data and measurement services relating to advertising, such as a data partner, measurement partner, or offline measurement provider.; For details, see participant (Data Providers).
Demand-side platform: A demand-side platform (DSP) provides services to companies that want to buy digital advertising, such as advertisers, brands, and media agencies.
Directly identifying information (DII): Directly identifying information, or DII, is information that directly identifies an individual, including name, email address, or phone number.; UID2 supports email address and phone number, and translates the DII to a value that can be used for the purpose of targeted advertising but cannot by itself be traced back to the original value.
Docker: Docker is a Platform as a Service (PaaS) suite of products that is used for automating the deployment of software via packages called containers. The set of Docker products allows packaging of an application, with all its dependencies, into a virtual container that can run on most operating systems so that applications can work efficiently in different environments.; For details, see https://www.docker.com.

E

Enclave: An enclave is a secure subsection of a computing environment. The enclave has additional business logic and security measures applied to it, to prevent anyone from tampering with it.; In the context of UID2, a Private Operator must run inside an enclave. For a summary of the enclave versions supported, see Hosting Options for Private Operators in UID2 Private Operator Integration Overview.; In an enclave, the operator image must be a very specific, predefined version, and additional constraints are applied to ensure security.
Encryption key: Each UID2 token is encrypted using an encryption key that's unique to the publisher that requested the token. The key identifies the publisher and is required for decrypting the token. This helps ensure that UID2 tokens cannot be decrypted by unauthorized individuals.
Environment: UID2 offers two environments: an integration environment for testing, and a production environment.; If you're using both, you'll need to get a separate set of credentials for each environment.; For details, see Environments.
EUID framework: The European Unified ID (EUID) framework enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem. It enables publisher websites, mobile apps, and Connected TV (CTV) apps to monetize through programmatic workflows. Built as an open-source, standalone solution with its own unique namespace, the framework offers privacy controls designed to help participants meet local market requirements.; EUID operates in the European region, including many European countries, such as France, Italy, and Spain, some non-European countries, such as Iceland, and some other regions, such as the Azores, Martinique, and the United Kingdom. It was designed with EU privacy law compliance in mind.; There are many similarities between UID2 and EUID, but they are completely separate, and their tokens are not interchangeable.; For details, see European Unified ID Overview.

F

First-level hash: In the context of UID2, the first-level hash is the anonymized, opaque, secure value from which the raw UID2, UID2 token, and refresh token are generated. Several cryptographic functions, including salting and hashing, are applied to the initial value, whether an email or a phone number, to create the first-level hash.

G

GDPR: The GDPR, or General Data Protection Regulation, is a European privacy and security law that regulates how organizations target or collect data related to residents of the European Union.

H

Hash: A hash function converts a set of data of varying/arbitrary size to a set of data of fixed size. The result of the hash function is called a hash, digest, or hash value.; Hashing is a one-way function. The same input value, hashed, always yields the same output value, but there is no corresponding function to take the output value and arrive at the input value. Hashing is a security measure.; UID2 uses the SHA-256 hashing algorithm.

I

Identity: In the context of UID2, the term "identity" refers to a package of values that includes the UID2 token, the refresh token, and associated values such as timestamps. This set of values is returned in the response from the POST /token/generate endpoint and also from the POST /token/refresh endpoint.
Integration approaches: UID2 integrations can be entirely on the client side, entirely on the server side, or partially on the client side and partially on the server side (client-server).

J

JSON Web Token (JWT): A JSON Web Token (JWT) is a compact, URL-safe means of representing claims (pieces of information) to be sent from one party to another over the web. The claims in a JWT are encoded as a JSON object that is used either as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption (JWE) structure. This enables the claims to be digitally signed and/or encrypted.

K

Key: See Encryption key.

N

Normalize: To normalize a data set means to bring it to a standard condition or state.; UID2 includes specific normalization rules. For details, see Email Address Normalization and Phone Number Normalization.

O

OpenID Connect (OIDC): OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol that allows the client to verify the identity of an end-user based on authentication by an authorization server.; For details, see OpenID Connect Basic Client Implementer's Guide 1.0 - draft 40 (specification).
Opaque: When we say a UID2 token is an opaque string, we mean that the way that the token is computed, and its format, are not communicated to UID2 participants and cannot be relied upon to remain unchanged. No assumptions should be made about the format or length of the string, or any other aspect of it.
Open Operator: Open Operator is another term for a Public Operator.
Operator: An Operator is an organization or entity that runs the UID2 Operator Service. The UID2 Operator is the API server in the UID2 ecosystem.; Operators perform multiple functions, such as receiving encryption keys and secret salts from the UID2 Core Service, salting and hashing personal data (DII) to return raw UID2s, and encrypting raw UID2s to generate UID2 tokens.; A participant can also choose to become a Private Operator to access UID2 APIs and to generate raw UID2s and UID2 tokens from within a private infrastructure.; For details, see participants and The UID2 Operator.
Operator key: Each UID2 Private Operator has an operator key that allows the Private Operator Service to connect to the Core Service and Opt-Out Service and call some endpoints on it.; The operator key identifies the participant Operator to the UID2 service.
Operator Service: A service that enables all functions of the Operator.; For an overview of all the UID2 services, see UID2 Component Services.
Opt-out: An end user who participates in the UID2 ecosystem can opt out at any time by going to the Transparency and Control Portal.; For details about the UID2 opt-out workflow and how users can opt out, see User Opt-Out.
Opt-Out Service: The Opt-Out Service is a global UID2 service that manages and stores user opt-out requests.; For an overview of all the UID2 services, see UID2 Component Services.

P

Participant: An entity that fulfils a key role in UID2. Participants include the following: Core Administrator, Operator, DSP, data provider, advertiser, publisher, consumer.; For details, see participants.
Private Operator: A Private Operator is an entity that runs a private instance of the Operator Service. The Private Operator generates and manages UID2s for itself, using its own resources (such as hardware) in a secure environment.; For details, see The UID2 Operator.
Private Operator Service: A private instance of the Operator Service, run by a Private Operator.
Public key: For client-side publisher integrations, the public key is one of the two values issued to publishers to uniquely identify the account. For details, see Subscription ID and Public Key.; In UID2 integrations, this value is often represented as serverPublicKey: for example, in the UID2 Client-Side Integration Guide for Prebid.js, the Client-Side Integration Guide for JavaScript, and the UID2 Client-Side Integration Guide for Mobile.
Public Operator: A Public Operator is an entity that runs a public instance of the UID2 Operator Service. For example, The Trade Desk currently serves as a Public Operator for the UID2 framework, available to all participants.; For details, see The UID2 Operator.

R

Raw UID2: An unencrypted alphanumeric identifier created through the UID2 APIs or SDKs with the user's directly identifying information (email address or phone number) as input. The raw UID2 is encrypted to create a UID2 token. The raw UID2 is a unique value; no two raw UID2s are the same. Raw UID2s, and their associated UID2 tokens, are case sensitive.; For details, see UID2 Identifier Types.
Refresh token: A refresh token is an opaque string that is issued along with the UID2 token. It is used to refresh the UID2 token, which has a limited life.; When the UID2 server receives the refresh token with a request for a new UID2 token, it checks for user opt-out. If the user has opted out of UID2, no new UID2 token is generated.; When a new UID2 token is generated and returned in response to the refresh token, a new refresh token is returned along with it. However, if the user is inactive for a long period of time, the refresh token itself expires.; For details, see UID2 Tokens and Refresh Tokens.

S

Salt: A string of characters that is used in the process of transforming an email address or phone number into a secure, opaque value that cannot by itself be traced back to the original value (raw UID2 or UID2 token). Salt values are kept secret.; The UID2 service uses salt as part of the process, along with hashing and encryption, to secure the original value. Salt is added to the input value before hashing.
Salt bucket: A salt bucket is used to manage secret salt values, used to generate raw UID2s or UID2 tokens, over time. Each bucket contains a single current salt value, which remains active for approximately one year before being rotated to a new value. Buckets can be updated independently of one another.; There are just over one million salt buckets, and each email address or phone number is assigned to a specific bucket in a deterministic manner. However, this assignment is not permanent; it might change when the bucket's current salt is rotated to a new value.
Salt bucket ID: A salt bucket ID is a unique string of characters that identifies a specific salt bucket. The salt bucket ID can be used to check which salt buckets have recently had their salt values updated, indicating which emails or phone numbers need their raw UID2 values regenerated.; For an example of a salt bucket ID, see the response to the POST /identity/buckets endpoint: Decrypted JSON Response Format.
Salted hash: When a salt value is added to the input string before applying the hash function, the result is a salted hash. When the input value is salted before hashing, an attacker who has the hash cannot determine the input value by trying many possible inputs to arrive at the same output.
Secret: See client secret.
Secure Signals: A feature of Google Ad Manager. The secure signals feature (previously known as Encrypted Signals for Publishers, abbreviated to ESP) allows publishers to securely share signals with trusted third-party buying partners. It allows publishers to pass "encrypted" user IDs to bidders that are approved by Google, via Google Ad Manager and the Google Ad Manager Ad Exchange (AdX).; For details, see Share secure signals with your trusted partners (second section) and Share secure signals with bidders, both from Google.; For details about UID2 support of the Google secure signals feature, see Google Ad Manager Secure Signals Integration Guide.
Server-side integration: One of the UID2 integration approaches is to integrate entirely on the server side.; In a server-side integration, raw UID2s or UID2 tokens are generated and refreshed on the server.; For example, in a server-side integration, advertisers generate raw UID2s on the server side to be delivered for audience targeting, and publishers generate UID2 tokens on the server side for bidstream use.; An example of documentation for publisher server-side integration is Publisher Integration Guide, Server-Side.
SHA-256: SHA-256 is the secure hashing algorithm that UID2 uses.; SHA-256 (sometimes called SHA256) is part of the SHA-2 family of algorithms developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to succeed SHA-1. Each algorithm is named according to the number of bits in the output, so SHA-256 has 256 bits.; For details, see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf (specification).
Sharing (in UID2): In the context of UID2, sharing is a process for distributing raw UID2s, either directly or encrypted into UID2 tokens, from one UID2 sharing participant to another.; For details, see UID2 Sharing.
Sharing participant: For UID2, a sharing participant is a company that either has agreed to comply with the UID2 Participation Policy or fits within one of the exceptions, and that takes part in sharing, either as a sender or a receiver.; For details, see UID2 Sharing.
Single sign-on (SSO): SSO is an acronym for Single sign-on. SSO allows a user to log in with the same credentials (usually, but not always, ID and password) to one of several software systems, such as apps or websites. SSO allows the user to log in once to multiple applications or sites using one set of credentials. With SSO, websites/apps do not have to maintain their own authentication systems.
SSO: See Single sign-on (SSO).
Subscription ID: For client-side publisher integrations, the Subscription ID is one of the two values issued to publishers to uniquely identify the account. For details, see Subscription ID and Public Key.

T

Token refresh: When a UID2 participant requests a UID2 token, the token is returned with a set of associated values, including a refresh token and timestamps for the UID2 token and the refresh token. As long as the refresh token has not expired, the publisher can use it to request a fresh UID2 token without having to send DII.; Any UID2 participant that requests a UID2 token must have a process in place for keeping the token valid: either monitoring the refresh period and requesting a new UID2 token before the refresh token expires, or requesting a new UID2 token each time, which requires sending DII.; In most cases, token refresh is managed by an SDK or other implementation strategy such as a Prebid.js implementation.; If the refresh token expires, the publisher must re-request a UID2 token by sending DII.; For details, see UID2 Tokens and Refresh Tokens.
Tokenized sharing: Tokenized sharing means encrypting DII or Raw UID2s into UID2 tokens and sharing the tokens with authorized recipients. Using UID2 tokens helps protect raw UID2s end-to-end between the sender and receiver of the data, including when the data passes through unauthorized parties. Tokenized sharing is required for sharing in the bidstream or via pixels, but you can use it in any sharing use case.; For details, see Tokenized Sharing Overview.
Transparency and Control Portal: The UID2 Transparency and Control Portal is a user-facing website, https://www.transparentadvertising.com/, that allows consumers to opt out of UID2 at any time.

U

UID: UID is a general term used to encompass both UID2 and EUID.; Since there are code components that support both UID2 and EUID, such as the server-side SDKs, the term UID is used as an umbrella term.; There are many similarities between UID2 and EUID, but they are completely separate, and their tokens are not interchangeable.
UID2 framework: The Unified ID 2.0 (UID2) framework enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem. It enables publisher websites, mobile apps, and Connected TV (CTV) apps to monetize through programmatic workflows. Built as an open-source, standalone solution with its own unique namespace, the framework offers privacy controls designed to help participants meet local market requirements.; UID2 operates in North America, parts of Asia, and some other regions.; There are many similarities between UID2 and EUID, but they are completely separate, and their tokens are not interchangeable.
UID2 identifier: There are two Unified ID 2.0 (UID2) identifier types: raw UID2s and UID2 tokens (also known as advertising tokens).; For details, see UID2 Identifier Types.
UID2 Portal: The UID2 Portal is a separate user interface that allows UID2 participants to manage their accounts.; For details, see UID2 Portal: Overview.
UID2 Service: The Unified ID 2.0 (UID2) service is a set of components, API endpoints, and other types of solutions that collectively implement the UID2 framework and provide clients with access to the relevant UID2 functionality.; The term "UID2 service" is also used to mean the UID2 Operator Service.
UID2 Token (Advertising Token): A Unified ID 2.0 (UID2) token, also called an advertising token, is an encrypted form of a raw UID2.; UID2 tokens are generated from hashed or unhashed email addresses or phone numbers that are converted to raw UID2s and then encrypted. The UID2 token is a unique value; no two UID2 tokens are the same. UID2 tokens are case sensitive.; The token value is opaque: No assumptions should be made about the format or about the length of the string.; The token has a limited life, but can be refreshed in the background using the refresh token.; Publishers send UID2 tokens in the bidstream.; For details, see UID2 Identifier Types, UID2 Tokens: Key Information, and How the UID2 Token Is Created.
Unified ID 2.0: The term UID2 can be used to mean the UID2 framework, the UID2 service, a raw UID2, or a UID2 token (advertising token).
Unix time: Unix time, also called Epoch time, is defined as the number of seconds since 00:00:00 UTC on Thursday, 1 January 1970. Unix time is used in some UID2 response messages, expressed in milliseconds: for example, in the response to the POST /token/refresh endpoint (see Successful Response With Tokens).; Example: 1 January 2024, 9:00:00 AM GMT, expressed in Unix time, is 1704067200. In milliseconds it is: 1704067200000.
UTC: UTC is an abbreviation for Coordinated Universal Time, also called Zulu time, which is the primary time standard in general use. UTC essentially equates to Greenwich Mean Time (GMT), but is more scientifically precise.

A​

B​

C​

D​

E​

F​

G​

H​

I​

J​

K​

N​

O​

P​

R​

S​

T​

U​

A

B

C

D

E

F

G

H

I

J

K

N

O

P

R

S

T

U