Google Ad Manager Secure Signals Integration Guide
This guide covers integration steps for publishers using EUID with the Google Ad Manager secure signals feature (previously known as Encrypted Signals for Publishers, ESP).
To use the EUID Google Ad Manager secure signals integration, if you are using an SDK you must have your EUID integration already set up. This does not apply if you are using server-side integration. For a summary of all the integration options available, see EUID Integration Guides: Summary.
Overview
Google secure signals is a way for publishers to pass "encrypted" user IDs to bidders that are approved by Google, via Google Ad Manager and the Google Ad Manager Ad Exchange (AdX). The framework is an optional part of the Google Publisher Tag (GPT) library commonly used by publishers.
With this framework, the following steps occur:
- Publishers push user ID signals (advertising tokens) to the secure signals feature.
- The secure signals feature caches them on the client side and then transparently passes them to Google Ad Manager.
- Google Ad Manager uses the EUID tokens to make bid requests, forwarding the tokens to approved bidders within Google AdX based on the publisher's preferences.
Allow Secure Signals Sharing
For your Google Ad Manager account to be eligible to receive encrypted EUID tokens, you must make sure that encrypted signals are properly shared with third-party bidders on your Google Ad Manager account.
For details, see Share encrypted signals with bidders in the Google documentation, and then follow the steps in Use a third-party signal provider to switch on EUID as your signal provider.
When you're following the steps, in Select allowed secure signals, under Web Signal Deploy Option, choose Google Deploy. If you're using Prebid.js, see Optional: Enable Secure Signals in Prebid.js.
Optional: Enable Secure Signals in Prebid.js
If you want to use Secure Signals with Prebid.js, you must complete both these additional steps so that your EUIDs are correctly processed:
-
In Google Ad Manager, when you're making sure that encrypted signals are properly shared with third-party bidders: Choose the Prebid User ID Module, and then also choose Use your Prebid configuration to automatically configure your Secure signals settings. Before saving your configuration, double-check that you've selected the correct option.
-
In your Prebid.js setup: update the
encryptedSignalSources
section in your Prebid configuration, as shown in the following code:"encryptedSignalSources": {
"sources":[
{
"source":[
"uidapi.com"
],
"encrypt":false
}
]
}For details, see ESP Configurations in the Prebid documentation.
Publisher Integration
When an encrypted signal is cached, the secure signals feature does not execute the handler to generate a new signal. Because of this, it is necessary to clear the cache before and after data capture.
Since the secure signals feature does not provide a way to delete or invalidate a specific ID, publishers must call the window.googletag.secureSignalProviders.clearAllCache()
function to clear all shared encrypted signals as part of their data capture workflows.
The following is an example of calling the window.googletag.secureSignalProviders.clearAllCache()
function:
window.googletag = window.googletag || { cmd: [] };
window.googletag.cmd.push(function () {
window.googletag.secureSignalProviders =
window.googletag.secureSignalProviders || [];
window.googletag.secureSignalProviders.clearAllCache();
});
Server-Side Integration
So that it can share encrypted signals, the hosted auto-loaded secure signals script must be able to make an asynchronous call to the window.getEuidAdvertisingToken
function and, in response, receive advertising_token
as a string.
It's important to make sure that the identity token is fresh. For a server-side integration, we recommend making a call to the POST /token/refresh endpoint to get a fresh advertising token from the JSON response.
The following code is an example of how you could do this.
window.getEuidAdvertisingToken = async () => {
// Make a call to get a fresh identity token which could last for at least 12 hours.
const identity = await getFreshIdentity()
return JSON.parse(decodeURIComponent(identity)).advertising_token
}
For details, see Publisher Integration Guide, Server-Side.
SDK for JavaScript Client-Side Integration
If you're using the SDK for JavaScript version 3.4.5 or later, the EUID secure signals script uses the getAdvertisingTokenAsync
function provided in the SDK to get the fresh advertising token, and then pushes the token to Google Ad Manager.
This script is hosted on CDN, and GPT automatically loads it with the secure signals feature.
For details, see Client-Side Integration Guide for JavaScript.
A sample application is also available for integration using the SDK for JavaScript. See Sample application.
Troubleshooting
Here is some troubleshooting information that might help you in working with Google Secure Signals for your EUID integration:
I enabled Secure Signals within Google Ad Manager, but EUIDs are not being passed through Google
In some cases, after choosing Secure Signals within Google Ad Manager, successful EUIDs were not being passed through Google because the participant had an incorrect Web Signal Deployment Method configuration.
If your EUIDs are not being passed through Google, make sure that you chose the correct Web Signal Deployment Method during setup.
For details, see the Important note in Allow Secure Signals Sharing.