Authentication
All requests must be authenticated using a bearer token in the standardAuthorization header:
principal_id. All subsequent operations within that request are scoped to that authenticated principal.
See Authentication for details on obtaining credentials and authentication methods.
The Principal Model
A Principal is defined by:principal_id(string): A unique identifier for the client (e.g.,"acme_corp").platform_mappings(object): Maps theprincipal_idto identifiers in ad serving platforms (e.g.,{"gam_advertiser_id": 12345}).
Data Isolation
Authentication provides the foundation for strict data isolation. Sales agents MUST enforce the following rules:- When an object like a
MediaBuyis created, it MUST be permanently associated with theprincipal_idfrom the authenticated request context. - For any subsequent request to read or modify that object, the server MUST verify that the
principal_idfrom the request matches theprincipal_idstored with the object. - If the IDs do not match, the server MUST return a permission denied error.
principal_id in the request body is not required or respected; the identity is based solely on the validated token.
Security Requirements
Required Security Measures
Sales agent implementations MUST:- Validate bearer tokens on every authenticated request
- Enforce principal-based data isolation
- Use TLS for all communications
- Log authentication failures for security monitoring
Recommended Security Measures
Sales agent implementations SHOULD:- Implement rate limiting per principal
- Support token expiration and refresh
- Provide audit logging for compliance
- Support IP allowlisting for high-security principals