EUID Glossary
This page defines some key terms used in the EUID documentation.
A
- Advertising ID
- Advertising ID is another term for a raw EUID.
- Advertising token
- Advertising token is another term for a EUID token.
- API key
- Each EUID participant using a server-side implementation has an API key (client key) and also a secret value associated with the key, called the client secret (API secret). The client secret is known only to the participant and the EUID service.
- For details, see EUID Credentials.
- API secret
- See client secret.
- App name
- In the context of mobile integrations, the app name is the Android application ID, the iOS app store ID, or the iOS bundle identifier.
- The Authorization header is a way to authenticate the client to the EUID service.
- For details, see 11.6.2. Authorization in RFC 9110, the HTTP specification.
B
- Bearer token
- A bearer token is a special string that identifies the client. For authentication, some EUID endpoints require the client key to be specified as a bearer token in the Authorization header of the request: for example, POST /token/generate.
- Bidstream
- To place a request for an ad to be placed in an advertising spot (bid request), the publisher sends different pieces of information, so that advertisers can bid on it, generally through an advertising exchange or DSP. The flow of bidding data is the bidstream.
- Bidstream data goes from publishers to other entities (depending on the publisher's configuration) and back to the publisher.
C
- Client key
- See API key.
- Client keypair
- For client-side publisher integrations, the Subscription ID and public key are the two values issued to publishers to uniquely identify the account. Client keypair is a term we use for these two values together.
- For details, see Subscription ID and Public Key.
- Client secret
- Each EUID participant using a server-side implementation has an API key (client key) and also a secret value associated with the key, called the client secret (API secret). The client secret is known only to the participant and the EUID service.
- For details, see EUID Credentials.
- Client-server integration
- One of the EUID integration approaches is to integrate partially on the client side and partially on the server side (client-server).
- For example, in a client-server integration for a publisher, the EUID token is generated on the server side and refreshed on the client side.
- Examples of documentation for publisher client-server integrations: Client-Server Integration Guide for Prebid.js, Client-Server Integration Guide for JavaScript.
- Client-side integration
- One of the EUID integration approaches is to integrate entirely on the client side.
- In a client-side integration, EUID tokens are generated and refreshed on the client side.
- For example, in a client-side integration, advertisers generate EUID tokens on the client side for tracking pixels, and publishers generate EUID tokens on the client side for bidstream use, as well as refreshing the tokens.
- Examples of documentation for publisher client-side integrations: EUID Client-Side Integration Guide for Prebid.js, Client-Side Integration Guide for JavaScript.
- Closed Operator
- Closed Operator is another term for a Private Operator.
- Core Service
- The EUID Core Service is a centralized service that manages access to salts, encryption keys, and other relevant data in the EUID ecosystem.
- For an overview of all the EUID services, see Components.
D
- Data provider
- In the context of EUID, a data provider is any entity that provides data and measurement services relating to advertising, such as a data partner, measurement partner, or offline measurement provider.
- For details, see participant (Data Providers).
- Demand-side platform
- A demand-side platform (DSP) provides services to companies that want to buy digital advertising, such as advertisers, brands, and media agencies.
E
- Enclave
- An enclave is a secure subsection of a computing environment. The enclave has additional business logic and security measures applied to it, to prevent anyone from tampering with it.
- In the context of EUID, a Private Operator must run inside an enclave. For a summary of the enclave versions supported, see Hosting Options for Private Operators in EUID Private Operator Integration Overview.
- In an enclave, the operator image must be a very specific, predefined version, and additional constraints are applied to ensure security.
- Encryption key
- Each EUID token is encrypted using an encryption key that's unique to the publisher that requested the token. The key identifies the publisher and is required for decrypting the token. This helps ensure that EUID tokens cannot be decrypted by unauthorized individuals.
- EUID framework
- The European Unified ID (EUID) framework enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem. It enables publisher websites, mobile apps, and Connected TV (CTV) apps to monetize through programmatic workflows. Built on the UID2 framework, EUID offers privacy controls designed to help participants meet market requirements.
- EUID operates in the European region, including many European countries, such as France, Italy, and Spain, some non-European countries, such as Iceland, and some other regions, such as the Azores, Martinique, and the United Kingdom. It was designed with EU privacy law compliance in mind.
- There are many similarities between UID2 and EUID, but they are completely separate, and their tokens are not interchangeable.
- EUID identifier
- There are two European Unified ID (EUID) identifier types: raw EUIDs and EUID tokens (also known as advertising tokens).
- For details, see EUID Identifier Types.
- EUID service
- The European Unified ID (EUID) service is a set of components, API endpoints, and other types of solutions that collectively implement the EUID framework and provide clients with access to the relevant EUID functionality.
- The term "EUID service" is also used to mean the EUID Operator Service.
- EUID token (advertising token)
- A European Unified ID (EUID) token, also called an advertising token, is an encrypted form of a raw EUID.
- EUID tokens are generated from hashed or unhashed email addresses that are converted to raw EUIDs and then encrypted. The EUID token is a unique value; no two EUID tokens are the same. EUID tokens are case sensitive.
- The token has a limited life, but can be refreshed in the background using the refresh token.
- Publishers send EUID tokens in the bidstream.
- For details, see EUID Identifier Types.
- European Unified ID
- The term EUID can be used to mean the EUID framework, the EUID service, a raw EUID, or a EUID token (advertising token).
F
- First-level hash
- In the context of EUID, the first-level hash is the anonymized, opaque, secure value from which the raw EUID, EUID token, and refresh token are generated. Several cryptographic functions, including salting and hashing, are applied to the initial email, to create the first-level hash.
H
- Hash
- A hash function converts a set of data of varying/arbitrary size to a set of data of fixed size. The result of the hash function is called a hash, digest, or hash value.
- Hashing is a one-way function. The same input value, hashed, always yields the same output value, but there is no corresponding function to take the output value and arrive at the input value. Hashing is a security measure.
- EUID uses the SHA-256 hashing algorithm.
I
- Identity
- In the context of EUID, the term "identity" refers to a package of values that includes the EUID token, the refresh token, and associated values such as timestamps. This set of values is returned in the response from the POST /token/generate endpoint and also from the POST /token/refresh endpoint.
- Integration approaches
- EUID integrations can be entirely on the client side, entirely on the server side, or partially on the client side and partially on the server side (client-server).
J
- JSON Web Token (JWT)
- A JSON Web Token (JWT) is a compact, URL-safe means of representing claims (pieces of information) to be sent from one party to another over the web. The claims in a JWT are encoded as a JSON object that is used either as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption (JWE) structure. This enables the claims to be digitally signed and/or encrypted.
K
- Key
- See Encryption key.
N
- Normalize
- To normalize a data set means to bring it to a standard condition or state.
- EUID includes specific normalization rules. For details, see Email Address Normalization.
O
- Opaque
- When we say an EUID token is an opaque string, we mean that the way that the token is computed, and its format, are not communicated to EUID participants and cannot be relied upon to remain unchanged. No assumptions should be made about the format or length of the string, or any other aspect of it.
- Open Operator
- Open Operator is another term for a Public Operator.
- Operator
- An Operator is an organization or entity that runs the EUID Operator Service. The EUID Operator is the API server in the EUID ecosystem.
- Operators perform multiple functions, such as receiving encryption keys and salts from the EUID Core Service, salting and hashing personal data to return raw EUIDs, and encrypting raw EUIDs to generate EUID tokens.
- A participant can also choose to become a Private Operator to access EUID APIs and to generate raw EUIDs and EUID tokens from within a private infrastructure.
- For details, see participants and The EUID Operator.
- Operator key
- Each EUID Private Operator has an operator key that allows the Private Operator Service to connect to the Core Service and Opt-Out Service and call some endpoints on it.
- The operator key identifies the participant Operator to the EUID service.
- Operator Service
- A service that enables all functions of the Operator.
- For an overview of all the EUID services, see Components.
- Opt-out
- An end user who participates in the EUID ecosystem can opt out at any time by going to the Transparency and Control Portal.
- For details, see Components.
- Opt-Out Service
- The Opt-Out Service is a global EUID service that manages and stores user opt-out requests.
- For an overview of all the EUID services, see Components.
P
- Participant
- An entity that fulfils a key role in EUID. Participants include the following: Core Administrator, Operator, DSP, data provider, advertiser, publisher, consumer.
- For details, see participants.
- Personal data
- In general, personal data is information that relates to an identified or identifiable individual, including name, email address, or phone number.
- EUID supports email address, and translates the personal data to a value that can be used for the purpose of targeted advertising but cannot by itself be traced back to the original value.
- Private Operator
- A Private Operator is an entity that runs a private instance of the Operator Service. The Private Operator generates and manages EUIDs for itself, using its own resources (such as hardware) in a secure environment.
- For details, see The EUID Operator.
- Private Operator Service
- A private instance of the Operator Service, run by a Private Operator.
- Public key
- For client-side publisher integrations, the public key is one of the two values issued to publishers to uniquely identify the account. For details, see Subscription ID and Public Key.
- Public Operator
- A Public Operator is an entity that runs a public instance of the EUID Operator Service. For example, The Trade Desk currently serves as a Public Operator for the EUID framework, available to all participants.
- For details, see The EUID Operator.
R
- Raw EUID
- An unencrypted alphanumeric identifier created through the EUID APIs or SDKs with the user's personal data (email address) as input. The raw EUID is encrypted to create an EUID token. The raw EUID is a unique value; no two raw EUIDs are the same. Raw EUIDs, and their associated EUID tokens, are case sensitive.
- For details, see EUID Identifier Types.
- Refresh token
- A refresh token is an opaque string that is issued along with the EUID token. It is used to refresh the EUID token, which has a limited life.
- When the EUID server receives the refresh token with a request for a new EUID token, it checks for user opt-out. If the user has opted out of EUID, no new EUID token is generated.
- When a new EUID token is generated and returned in response to the refresh token, a new refresh token is returned along with it. However, if the user is inactive for a long period of time, the refresh token itself expires.
S
- Salt
- A string of characters that is used in the process of transforming an email address into a secure, opaque value that cannot by itself be traced back to the original value.
- The EUID service uses salt as part of the process, along with hashing and encryption, to secure the original value. Salt is added to the input value before hashing.
- Salted hash
- When a salt value is added to the input string before applying the hash function, the result is a salted hash. When the input value is salted before hashing, an attacker who has the hash cannot determine the input value by trying many possible inputs to arrive at the same output.
- Secret
- See client secret.
- Secure Signals
- A feature of Google Ad Manager. The secure signals feature (previously known as Encrypted Signals for Publishers, abbreviated to ESP) allows publishers to securely share signals with trusted third-party buying partners. It allows publishers to pass "encrypted" user IDs to bidders that are approved by Google, via Google Ad Manager and the Google Ad Manager Ad Exchange (AdX).
- For details, see Share secure signals with your trusted partners (second section) and Share secure signals with bidders, both from Google.
- For details about EUID support of the Google secure signals feature, see Google Ad Manager Secure Signals Integration Guide.
- Server-side integration
- One of the EUID integration approaches is to integrate entirely on the server side.
- In a server-side integration, raw EUIDs or EUID tokens are generated and refreshed on the server.
- For example, in a server-side integration, advertisers generate raw EUIDs on the server side to be delivered for audience targeting, and publishers generate EUID tokens on the server side for bidstream use.
- An example of documentation for publisher server-side integration is Publisher Integration Guide, Server-Side.
- SHA-256
- SHA-256 is the secure hashing algorithm that EUID uses.
- SHA-256 is part of the SHA-2 family of algorithms developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to succeed SHA-1. Each algorithm is named according to the number of bits in the output, so SHA-256 has 256 bits.
- For details, see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf (specification).
- Subscription ID
- For client-side publisher integrations, the Subscription ID is one of the two values issued to publishers to uniquely identify the account. For details, see Subscription ID and Public Key.
T
- Transparency and Control Portal
- The EUID Transparency and Control Portal is a user-facing website, https://www.transparentadvertising.eu/, that allows consumers to opt out of EUID at any time.
U
- UID
- UID is a general term used to encompass both UID2 and EUID.
- Since there are code components that support both UID2 and EUID, such as the server-side SDKs, the term UID is used as an umbrella term.
- There are many similarities between UID2 and EUID, but they are completely separate, and their tokens are not interchangeable.
- UID2 Framework
- The Unified ID 2.0 (UID2) framework enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem. It enables publisher websites, mobile apps, and Connected TV (CTV) apps to monetize through programmatic workflows.EUID offers privacy controls designed to help participants meet market requirements.
- UID2 operates in North America, parts of Asia, and some other regions.
- There are many similarities between UID2 and EUID, but they are completely separate, and their tokens are not interchangeable.
- For details, see Unified ID 2.0 Overview.
- Unix time
- Unix time, also called Epoch time, is defined as the number of seconds since 00:00:00 UTC on Thursday, 1 January 1970. Unix time is used in some EUID response messages, expressed in milliseconds: for example, in the response to the
POST /token/refresh
endpoint (see Successful Response With Tokens). - Example: 1 January 2024, 9:00:00 AM GMT, expressed in Unix time, is
1704067200
. In milliseconds it is:1704067200000
. - UTC
- UTC is an abbreviation for Coordinated Universal Time, also called Zulu time, which is the primary time standard in general use. UTC essentially equates to Greenwich Mean Time (GMT), but is more scientifically precise.