Skip to main content

POST /token/validate

Validate that an advertising token matches the specified hashed or unhashed email address.

Used by: This endpoint is used mainly by publishers.

NOTE: This endpoint is intended primarily for testing and troubleshooting new integrations.

Request Format

POST '{environment}/v2/token/validate'

IMPORTANT: You must encrypt all requests, using your secret key. For details and Python script examples, see Encrypting Requests and Decrypting Responses.

Path Parameters

Path ParameterData TypeAttributeDescription
{environment}stringRequiredTesting environment:
Production environment:
For a full list, including regional operators, see Environments.

NOTE: The integration environment and the production environment require different API keys.

Unencrypted JSON Body Parameters

  • Include only one of the following valid options, as listed in the Body Parameter table: email, email_hash. For the parameter you choose to test with, use the exact value listed.
  • Include the required body parameters as key-value pairs in the JSON body of a request when encrypting it.
Body ParameterData TypeAttributeDescription
tokenstringRequiredThe advertising token returned by the POST /token/generate response.
emailstringConditionally RequiredThe email address for token validation.
The only valid value is:
email_hashstringConditionally RequiredThe Base64-encoded SHA-256 hash of a normalized email address for token validation (
The only valid value is: ntI244ZRTXwAwpki6/M5cyBYW7h/Wq576lnN3l9+W/c=.

Request Examples

The following are unencrypted JSON request body examples for each parameter, which you need to include in your token validation requests:

NOTE: The advertising tokens in these examples are fictitious, for illustrative purposes only. The values provided are not real values.

"token": "AdvertisingTokenmZ4dZgeuXXl6DhoXqbRXQbHlHhA96leN94U1uavZVspwKXlfWETZ3b%2FbesPFFvJxNLLySg4QEYHUAiyUrNncgnm7ppu0mi6wU2CW6hssiuEkKfstbo9XWgRUbWNTM%2BewMzXXM8G9j8Q%3D",
"email": ""
"token": "AdvertisingTokenmZ4dZgeuXXl6DhoXqbRXQbHlHhA96leN94U1uavZVspwKXlfWETZ3b%2FbesPFFvJxNLLySg4QEYHUAiyUrNncgnm7ppu0mi6wU2CW6hssiuEkKfstbo9XWgRUbWNTM%2BewMzXXM8G9j8Q%3D",
"email_hash": "ntI244ZRTXwAwpki6/M5cyBYW7h/Wq576lnN3l9+W/c="

Here's an encrypted token validation request format with placeholder values:

echo '[Unencrypted-JSON-Request-Body]' \
| curl -X POST '' -H 'Authorization: Bearer [CLIENT_API_KEY]' -d @- \

Here's an encrypted token validation request example for an email hash:

echo '{"token": "AdvertisingTokenmZ4dZgeuXXl6DhoXqbRXQbHlHhA96leN94U1uavZVspwKXlfWETZ3b%2FbesPFFvJxNLLySg4QEYHUAiyUrNncgnm7ppu0mi6wU2CW6hssiuEkKfstbo9XWgRUbWNTM%2BewMzXXM8G9j8Q%3D", "email_hash": "tMmiiTI7IaAcPpQPFQ65uMVCWH8av9jw4cwf/F5HVRQ="}' \
| DELPabG/hsJsZk4Xm9Xr10Wb8qoKarg4ochUdY9e+Ow= \
| curl -X POST '' -H 'Authorization: Bearer YourTokenBV3tua4BXNw+HVUFpxLlGy8nWN6mtgMlIk=' -d @- \
| DELPabG/hsJsZk4Xm9Xr10Wb8qoKarg4ochUdY9e+Ow=

For details and Python script examples, see Encrypting Requests and Decrypting Responses.

Decrypted JSON Response Format


The response is encrypted only if the HTTP status code is 200. Otherwise, the response is not encrypted.

A successful decrypted response returns a boolean value that indicates the validation status of the specified advertising token, as shown in the following example:

"body": true,
"status": "success"

Body Response Properties

PropertyData TypeDescription
bodybooleanA value of true indicates that the email address or email address hash specified in the request is the same as the one used to generate the advertising token.
A value of false indicates any of the following:
- The request included an invalid advertising token.
- The email address or email address hash specified in the request is not one of the two valid values specified in the Unencrypted JSON Body Parameters table.

Response Status Codes

The following table lists the status property values and their HTTP status code equivalents.

StatusHTTP Status CodeDescription
success200The request was successful. The response will be encrypted.
client_error400The request had missing or invalid parameters.
unauthorized401The request did not include a bearer token, included an invalid bearer token, or included a bearer token unauthorized to perform the requested operation.

If the status value is anything other than success, the message field provides additional information about the issue.

Using POST /token/validate to Test

You can use this endpoint to test whether the personal data you are sending through POST /token/generate is valid. Follow these steps.

  1. Depending on whether the personal data is a hashed or unhashed email address, send a POST /token/generate request using one of the valid options listed in the Unencrypted JSON Body Parameters table—email or email_hash—with the corresponding value as listed in the table.

  2. Store the returned advertising_token value for use in the next step.

  3. Send a POST /token/validate request using the email or email_hash value that you sent in Step 1, with the advertising_token that you saved in Step 2 as the token property value.

  4. Check the response to the POST /token/validate request. The results indicate the success of your process, as follows:

    • A response of true indicates that the personal data you sent as a request in Step 1 matches the token you received in the response of Step 1.
    • A response of false indicates that there might be an issue with the way you are sending email addresses or their hashes.