Skip to main content

Unified ID 2.0 Glossary

This page defines some key terms used in the UID2 documentation.

Advertising ID
Advertising ID is another term for a raw UID2.
Advertising token
Advertising token is another term for a UID2 token.
API key
Each UID2 participant using a server-side implementation has an API key (client key) and also a secret value associated with the key, called the client secret (API secret). The client secret is known only to the participant and the UID2 service.
For details, see UID2 Credentials.
API secret
See client secret.
Authorization header
The Authorization header is a way to authenticate the client to the UID2 service.
For details, see 11.6.2. Authorization in RFC 9110, the HTTP specification.
Bearer token
A bearer token is a special string that identifies the client. For authentication, some UID2 endpoints require the client key to be specified as a bearer token in the Authorization header of the request: for example, POST /token/generate.
Client key
See API key.
Client secret
Each UID2 participant using a server-side implementation has an API key (client key) and also a secret value associated with the key, called the client secret (API secret). The client secret is known only to the participant and the UID2 service.
For details, see UID2 Credentials.
Closed Operator
Closed Operator is another term for a Private Operator.
Core Service
The UID2 Core Service is a centralized service that manages access to salts, encryption keys, and other relevant data in the UID2 ecosystem.
For an overview of all the UID2 services, see Components.
Customer Data Platform (CDP)
A Customer Data Platform (CDP) is a prebuilt, packaged software system that creates a unified customer database that is accessible to other systems. The CDP centralizes customer data from multiple sources and makes the data available to other systems.
Data provider
In the context of UID2, a data provider is any entity that provides data and measurement services relating to advertising, such as a data partner, measurement partner, or offline measurement provider.
For details, see participant (Data Providers).
Demand-side platform (DSP)
A demand-side platform (DSP) provides services to companies that want to buy digital advertising, such as advertisers, brands, and media agencies.
directly identifying information (DII)
Directly identifying information, or DII, is information that directly identifies an individual, including name, email address, or phone number.
UID2 supports email address and phone number, and translates the DII to a value that can be used for the purpose of targeted advertising but cannot be traced back to the original value.
Docker is a Platform as a Service (PaaS) suite of products that is used for automating the deployment of software via packages called containers. The set of Docker products allows packaging of an application, with all its dependencies, into a virtual container that can run on most operating systems so that applications can work efficiently in different environments.
For details, see
An enclave is a secure subsection of a computing environment. The enclave has additional business logic and security measures applied to it, to prevent anyone from tampering with it.
In the context of UID2, a Private Operator must run inside an enclave or in a private environment. For a summary of the enclave versions supported, see Private Operator Service Integrations.
In an enclave, the operator image must be a very specific, predefined version, and additional constraints are applied to ensure security.
First-level hash
In the context of UID2, the first-level hash is the anonymized, opaque, secure value from which the raw UID2, UID2 token, and refresh token are generated. Several cryptographic functions, including salting and hashing, are applied to the initial value, whether an email or a phone number, to create the first-level hash.
A hash function converts a set of data of varying/arbitrary size to a set of data of fixed size. The result of the hash function is called a hash, digest, or hash value.
Hashing is a one-way function. The same input value, hashed, always yields the same output value, but there is no corresponding function to take the output value and arrive at the input value. Hashing is a security measure.
UID2 uses the SHA-256 hashing algorithm.
In the context of UID2, the term "identity" refers to a package of values that includes the UID2 token, the refresh token, and associated values such as timestamps. This set of values is returned in the response from the POST /token/generate endpoint and also from the POST /token/refresh endpoint.
JSON Web Token (JWT)
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims (pieces of information) to be sent from one party to another over the web. The claims in a JWT are encoded as a JSON object that is used either as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption (JWE) structure. This enables the claims to be digitally signed and/or encrypted.
To normalize a data set means to bring it to a standard condition or state.
UID2 includes specific normalization rules. For details, see Email Address Normalization and Phone Number Normalization.
Open Operator
An open Operator is an entity that runs a public instance of the UID2 Operator Service. For example, The Trade Desk currently serves as an open Operator for the UID2 framework, available to all participants.
An Operator is an organization or entity that runs the UID2 Operator Service. The UID2 Operator is the API server in the UID2 ecosystem.
Operators perform multiple functions, such as receiving encryption keys and salts from the UID2 Core Service, salting and hashing personal data to return raw UID2s, and encrypting raw UID2s to generate UID2 tokens.
A participant can also choose to become a Private Operator to access UID2 APIs and to generate raw UID2s and UID2 tokens from within a private infrastructure.
For details, see participants.
Operator key
Each UID2 Private Operator has an operator key that allows the private Operator Service to connect to the Core Service and Opt-Out Service and call some endpoints on it.
The operator key identifies the participant Operator to the UID2 service.
Operator Service
A service that enables all functions of the Operator.
For an overview of all the UID2 services, see Components.
An end user who participates in the UID2 ecosystem can opt out at any time by going to the Transparency and Control Portal.
For details, see Components.
Opt-Out Service
The Opt-Out Service is a global UID2 service that manages and stores user opt-out requests.
For an overview of all the UID2 services, see Components.
An entity that fulfils a key role in UID2. Participants include the following: Core Administrator, Operator, DSP, data provider, advertiser, publisher, consumer.
For details, see participants.
Private Operator
A Private Operator is an entity that runs a private instance of the Operator Service. The Private Operator generates and manages UID2s for itself, using its own resources (such as hardware) in a secure environment.
Private Operator Service
A private instance of the Operator Service, run by a Private Operator.
Raw UID2
An unencrypted alphanumeric identifier created through the UID2 APIs or SDKs with the user's directly identifying information (email address or phone number) as input. The raw UID2 is encrypted to create a UID2 token. The raw UID2 is a unique value; no two raw UID2s are the same. Raw UID2s, and their associated UID2 tokens, are case sensitive.
For details, see UID2 Identifier Types.
Refresh token
A refresh token is an opaque string that is issued along with the UID2 token. It is used to refresh the UID2 token, which has a limited life.
When the UID2 server receives the refresh token with a request for a new UID2 token, it checks for user opt-out. If the user has opted out of UID2, no new UID2 token is generated.
When a new UID2 token is generated and returned, a new refresh token is returned along with it. However, if the user is inactive for a long period of time, the refresh token itself expires.
A string of characters that is used in the process of transforming an email address or phone number into a secure, opaque value that cannot be traced back to the original value.
The UID2 service uses salt as part of the process, along with hashing and encryption, to secure the original value. Salt is added to the input value before hashing.
Salted hash
When a salt value is added to the input string before applying the hash function, the result is a salted hash. When the input value is salted before hashing, an attacker who has the hash cannot determine the input value by trying many possible inputs to arrive at the same output.
See client secret.
Secure signals
A feature of Google Ad Manager. The secure signals feature (previously known as Encrypted Signals for Publishers, abbreviated to ESP) allows publishers to securely share signals with trusted third-party buying partners. It allows publishers to pass "encrypted" user IDs to bidders that are approved by Google, via Google Ad Manager and the Google Ad Manager Ad Exchange (AdX).
For details, see Share secure signals with your trusted partners (second section) and Share secure signals with bidders, both from Google.
For details about UID2 support of the Google secure signals feature, see Google Ad Manager Secure Signals Integration Guide.
SHA-256 is the secure hashing algorithm that UID2 uses.
SHA-256 is part of the SHA-2 family of algorithms developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to succeed SHA-1. Each algorithm is named according to the number of bits in the output, so SHA-256 has 256 bits.
For details, see (specification).
SSO is an acronym for Single Sign-On. SSO allows a user to log in with the same credentials (usually, but not always, ID and password) to one of several software systems, such as apps or websites. SSO allows the user to log in once to multiple applications or sites using one set of credentials. With SSO, websites/apps do not have to maintain their own authentication systems.
In the context of UID2, sharing is a process for distributing raw UID2s securely between UID2 participants. To protect raw UID2s from unauthorized access, the originating participant (sender) must encrypt the raw UID2s into UID2 tokens before transmission. The destination participant (receiver) must decrypt the UID2 tokens into raw UID2s for internal use.
For details, see UID2 Sharing: Overview.
sharing participant
In UID2, a sharing participant is a company that takes part in sharing—distributing raw UID2s securely between UID2 participants. A sharing participant can be a publisher, advertiser, DSP, or data provider, or might have more than one of these roles.
For details, see UID2 Sharing: Overview.
Transparency and Control Portal
The UID2 Transparency and Control Portal is a user-facing website,, that allows consumers to opt out of UID2 at any time.
UID2 framework
The Unified ID 2.0 (UID2) framework enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem. It enables logged-in experiences from publisher websites, mobile apps, and Connected TV (CTV) apps to monetize through programmatic workflows. Built as an open-source, standalone solution with its own unique namespace, the framework focuses on transparency and privacy.
UID2 identifier
There are two Unified ID 2.0 (UID2) identifier types: raw UID2s and UID2 tokens (also known as advertising tokens).
For details, see UID2 Identifier Types.
UID2 Portal
The UID2 Portal is a separate user interface that allows UID2 participants to manage their accounts.
For details, see UID2 Portal Overview.
UID2 service
The Unified ID 2.0 (UID2) service is a set of components, API endpoints, and other types of solutions that collectively implement the UID2 framework and provide clients with access to the relevant UID2 functionality.
The term "UID2 service" is also used to mean the UID2 Operator Service.
UID2 token (advertising token)
A Unified ID 2.0 (UID2) token, also called an advertising token, is an encrypted form of a raw UID2.
UID2 tokens are generated from hashed or unhashed email addresses or phone numbers that are converted to raw UID2s and then encrypted. The UID2 token is a unique value; no two UID2 tokens are the same. UID2 tokens are case sensitive.
The token has a limited life, but can be refreshed in the background using the refresh token.
Publishers send UID2 tokens in the bid stream.
For details, see UID2 Identifier Types.
Unified ID 2.0 (UID2)
The term UID2 can be used to mean the UID2 framework, the UID2 service, a raw UID2, or a UID2 token (advertising token).
UTC is an abbreviation for Coordinated Universal Time, also called Zulu time, which is the primary time standard in general use. UTC essentially equates to Greenwich Mean Time (GMT), but is more scientifically precise.