diff --git a/docs/endpoints/post-identity-buckets.md b/docs/endpoints/post-identity-buckets.md index 66c5045ff..6b990fe91 100644 --- a/docs/endpoints/post-identity-buckets.md +++ b/docs/endpoints/post-identity-buckets.md @@ -9,7 +9,7 @@ import Link from '@docusaurus/Link'; # POST /identity/buckets -Monitors rotated salt buckets. +Monitors rotated salt buckets. Used by: This endpoint is used mainly by advertisers and data providers. For details, see [Advertiser/Data Provider Integration Guide](../guides/advertiser-dataprovider-guide.md). diff --git a/docs/endpoints/post-identity-map.md b/docs/endpoints/post-identity-map.md index 168eac509..183d59fb9 100644 --- a/docs/endpoints/post-identity-map.md +++ b/docs/endpoints/post-identity-map.md @@ -9,7 +9,7 @@ import Link from '@docusaurus/Link'; # POST /identity/map -Maps multiple email addresses, phone numbers, or their respective hashes to their raw UID2s and salt bucket IDs. You can also use this endpoint to check for updates to opt-out information. +Maps multiple email addresses, phone numbers, or their respective hashes to their raw UID2s and salt bucket IDs. You can also use this endpoint to check for updates to opt-out information. Used by: This endpoint is used mainly by advertisers and data providers. For details, see [Advertiser/Data Provider Integration Guide](../guides/advertiser-dataprovider-guide.md). diff --git a/docs/endpoints/post-optout-status.md b/docs/endpoints/post-optout-status.md index 1185272de..492b8aa62 100644 --- a/docs/endpoints/post-optout-status.md +++ b/docs/endpoints/post-optout-status.md 
@@ -24,7 +24,7 @@ For details, refer to the following documentation, depending on your role: The key guidelines for managing batches of requests to this endpoint are as follows: - To check the opt-out status of a large number of UID2s, send them in sequential batches with a maximum batch size of 5,000 items per batch. -- Unless you are using a Private Operator, do not send batches in parallel. In other words, use a single HTTP connection and send batches of raw UID2s consecutively, without creating multiple parallel connections. +- Unless you are using a Private Operator, do not send batches in parallel. In other words, use a single HTTP connection and send batches of raw UID2s consecutively, without creating multiple parallel connections. ## Request Format diff --git a/docs/getting-started/gs-faqs.md b/docs/getting-started/gs-faqs.md index 19c009895..6a3d4ec47 100644 --- a/docs/getting-started/gs-faqs.md +++ b/docs/getting-started/gs-faqs.md @@ -20,6 +20,7 @@ Here are some frequently asked questions regarding the UID2 framework. - [Can users opt out of targeted advertising tied to their UID2 identity?](#can-users-opt-out-of-targeted-advertising-tied-to-their-uid2-identity) - [When I send DII to UID2, does UID2 store the information?](#when-i-send-dii-to-uid2-does-uid2-store-the-information) - [Does UID2 allow the processing of HIPAA-regulated data?](#does-uid2-allow-the-processing-of-hipaa-regulated-data) +- [Should I use a Public Operator or a Private Operator?](#should-i-use-a-public-operator-or-a-private-operator) :::note For FAQs relating to mobile publisher integrations, see [FAQs for Mobile Integrations](../guides/integration-mobile-overview.md#faqs-for-mobile-integrations). 
@@ -43,6 +44,16 @@ In addition, in almost all cases, UID2 doesn't store any values at all once the No. UID2 participants must not generate UID2s from Protected Health Information, as defined by the Health Insurance Portability and Accountability Act (HIPAA), even if they have obtained consent to engage in marketing with respect to such data. +#### Should I use a Public Operator or a Private Operator? + +For most participants, Public Operator is the simplest solution. A Public Operator integration is a much easier option than hosting your own Private Operator. Having a Private Operator instance has some advantages, but adds extra complexities and costs. + +The best choice depends on your unique scenario and needs. For more information to help you arrive at a decision, refer to the following: + +1. [The UID2 Operator](../ref-info/ref-operators-public-private.md) + +1. [UID2 Private Operator Integration Overview](../guides/integration-options-private-operator.md) + ## FAQs for Publishers Here are some frequently asked questions for publishers using the UID2 framework. 
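Review bot: In the added "Should I use a Public Operator or a Private Operator?" answer, the two reference links are written as an ordered list with both items numbered `1.` and a blank line between them. The links have no sequence, and the table of contents earlier in this file uses `-` bullets, so an unordered list without the blank line would be more consistent. The first paragraph also repeats wording that already lives in ref-operators-public-private.md ("For most participants, Public Operator is the simplest solution."); consider keeping a one-sentence summary here and linking out, so the two pages cannot drift apart.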
@@ -144,7 +155,7 @@ Here are some frequently asked questions for advertisers and data providers usin #### How do I know when to refresh the UID2 due to salt bucket rotation? -Metadata supplied with the UID2 generation request indicates the salt bucket used for generating the UID2. Salt buckets persist and correspond to the underlying DII used to generate a UID2. Use the [POST /identity/buckets](../endpoints/post-identity-buckets.md) endpoint to return which salt buckets rotated since a given timestamp. The returned rotated salt buckets inform you which UID2s to refresh. +Metadata supplied with the UID2 generation request indicates the salt bucket used for generating the UID2. Salt buckets persist and correspond to the underlying DII used to generate a UID2. Use the [POST /identity/buckets](../endpoints/post-identity-buckets.md) endpoint to return which salt buckets rotated since a given timestamp. The returned rotated salt buckets inform you which UID2s to refresh. :::note We do not make any promises about when the rotation takes place. To stay as up-to-date as possible, we recommend doing the checks once per hour. 
@@ -172,8 +183,8 @@ The system should follow the [email normalization rules](gs-normalization-encodi Yes. Not storing mappings may increase processing time drastically when you have to map millions of email addresses or phone numbers. Recalculating only those mappings that actually need to be updated, however, reduces the total processing time because only about 1/365th of UID2s need to be updated daily. -:::info -Unless you are using a Private Operator, you must map email addresses, phone numbers, or hashes consecutively, using a single HTTP connection, in batches of 5,000 emails at a time. In other words, do your mapping without creating multiple parallel connections. +:::important +Unless you are using a Private Operator, you must map email addresses, phone numbers, or hashes consecutively, using a single HTTP connection, with a maximum batch size of 5,000 items per batch. In other words, do your mapping without creating multiple parallel connections. ::: #### How should I handle user opt-outs? @@ -196,7 +207,7 @@ For more information, see [Monitor for salt bucket rotations related to your sto Yes, if the request is for a raw UID2. As covered in the previous FAQ, [Does the same DII always result in the same raw UID2?](#does-the-same-dii-always-result-in-the-same-raw-uid2), if an advertiser or data provider sends the same DII to the UID2 Operator, by using an SDK or the [POST /identity/map](../endpoints/post-identity-map.md) endpoint, at the same time, the same raw UID2 is created. -The result is the same, regardless of the operator and whether it's a Private Operator or a Public Operator. +The result is the same, regardless of the Operator and whether it's a Private Operator or a Public Operator. The timing is important only because of salt bucket rotation. If the salt value changes between one request and another, the result is a different raw UID2. 
diff --git a/docs/getting-started/gs-normalization-encoding.md b/docs/getting-started/gs-normalization-encoding.md index dca6221fd..927663328 100644 --- a/docs/getting-started/gs-normalization-encoding.md +++ b/docs/getting-started/gs-normalization-encoding.md @@ -28,7 +28,7 @@ UID2 supports the following types of directly identifying information (DII): ## Email Address Normalization -If you send unhashed email addresses to the UID2 Operator Service, the service normalizes the email addresses and then hashes them. If you want to hash the email addresses yourself before sending them, you must normalize them before you hash them. +If you send unhashed email addresses to the UID2 Operator Service, the service normalizes the email addresses and then hashes them. If you want to hash the email addresses yourself before sending them, you must normalize them before you hash them. :::important Normalizing before hashing ensures that the generated UID2 value will always be the same, so that the data can be matched. If you do not normalize before hashing, this might result in a different UID2, reducing the effectiveness of targeted advertising. diff --git a/docs/guides/advertiser-dataprovider-guide.md b/docs/guides/advertiser-dataprovider-guide.md index 31b436f59..997d951f8 100644 --- a/docs/guides/advertiser-dataprovider-guide.md +++ b/docs/guides/advertiser-dataprovider-guide.md 
@@ -13,7 +13,7 @@ import Link from '@docusaurus/Link'; This guide covers integration steps for organizations that collect user data and push it to other UID2 participants. Data collectors include advertisers, data on-boarders, measurement providers, identity graph providers, third-party data providers, and any other organizations that send data to other participants. -If you are using an Open Operator service hosted in the Snowflake Data Marketplace, see also [Snowflake Integration Guide](snowflake_integration.md). +If you are using a Public Operator service hosted in the Snowflake Data Marketplace, see also [Snowflake Integration Guide](snowflake_integration.md). ## Advertiser/Data Provider Routes to Use UID2 @@ -102,7 +102,7 @@ To keep your UID2-based audience information accurate and up to date, follow the It's important to honor user opt-out status. Here are two ways you can check that you have the latest opt-out information: -- The UID2 Operator Service distributes opt-out information to advertisers and data providers via the [POST /identity/map](../endpoints/post-identity-map.md) endpoint. +- The UID2 Operator Service distributes opt-out information to advertisers and data providers via the [POST /identity/map](../endpoints/post-identity-map.md) endpoint. - Advertisers and data providers can check the opt-out status of raw UID2s using the [POST /optout/status](../endpoints/post-optout-status.md) endpoint. diff --git a/docs/guides/integration-mobile-client-server.md b/docs/guides/integration-mobile-client-server.md index 44df42652..a8c1d2688 100644 --- a/docs/guides/integration-mobile-client-server.md +++ b/docs/guides/integration-mobile-client-server.md 
@@ -18,7 +18,7 @@ import ErrorResponseStates from '/docs/snippets/_mobile-docs-error-response-stat # UID2 Client-Server Integration Guide for Mobile -This guide is for mobile app publishers who want to integrate with UID2 by generating UID2 tokens server-side via a Public Operator or Private Operator and then passing the tokens and user identities into their mobile apps, which will in turn pass the tokens for bidstream use.   +This guide is for mobile app publishers who want to integrate with UID2 by generating UID2 tokens server-side via a Public Operator or Private Operator and then passing the tokens and user identities into their mobile apps, which will in turn pass the tokens for bidstream use.   This is called client-server integration because some integration steps are client-side and some are server-side. diff --git a/docs/guides/integration-options-private-operator.md b/docs/guides/integration-options-private-operator.md index 77854ede2..47db4414a 100644 --- a/docs/guides/integration-options-private-operator.md +++ b/docs/guides/integration-options-private-operator.md @@ -8,7 +8,7 @@ import Link from '@docusaurus/Link'; # UID2 Private Operator Integration Overview -UID2 participants that host their own Private Operator send their own first-party directly identifying information (DII) to their own, local UID2 Operator service, running in a private environment. +UID2 participants that host their own Private Operator send their own first-party directly identifying information (DII) to their own, local UID2 Operator service, running in a private environment. A Private Operator runs in an enclave—a virtual machine with additional security features to prevent unauthorized access, so that unauthorized individuals cannot download any configuration information or data from the virtual machine. 
@@ -16,6 +16,10 @@ Becoming a Private Operator includes several additional steps, and uses resource Learn about what the UID2 framework offers for Private Operators, including benefits, hosting options, documentation and other resources, and how to get started. +:::note +This page is about Private Operators. For information about Public Operators, or if you're not sure what the difference is or what an Operator is, see [The UID2 Operator](../ref-info/ref-operators-public-private.md). +::: + ## Private Operator Benefits Here are some of the intended benefits of participating in UID2 as a Private Operator: diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index d215ff8d5..9a98259cf 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md @@ -13,7 +13,7 @@ import AttestFailure from '/docs/snippets/_private-operator-attest-failure.mdx'; # UID2 Private Operator for AWS Integration Guide -The UID2 Operator is the API server in the UID2 ecosystem. For a Private Operator service running in AWS Marketplace, the UID2 Operator solution is enhanced with [AWS Nitro](https://aws.amazon.com/ec2/nitro/) Enclave technology. This is an additional security measure to help protect UID2 information from unauthorized access. +The UID2 Operator is the API server in the UID2 ecosystem. For a Private Operator service running in AWS Marketplace, the UID2 Operator solution is enhanced with [AWS Nitro](https://aws.amazon.com/ec2/nitro/) Enclave technology. This is an additional security measure to help protect UID2 information from unauthorized access. ## UID2 Private Operator for AWS diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 6887b913c..bcf948d1f 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md 
@@ -12,7 +12,7 @@ import ReleaseMatrix from '/docs/snippets/_private-operator-release-matrix.mdx'; # UID2 Private Operator for Azure Integration Guide -This guide provides information for setting up the UID2 Operator Service in an instance of [Confidential Containers](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-containers), a confidential computing option from Microsoft Azure. Confidential Containers instances run in a hardware-backed Trusted Execution Environment (TEE) that provides intrinsic capabilities such as data integrity, data confidentiality, and code integrity. +The UID2 Operator is the API server in the UID2 ecosystem. This guide provides information for setting up the UID2 Operator Service as a Private Operator in an instance of [Confidential Containers](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-containers), a confidential computing option from Microsoft Azure. Confidential Containers instances run in a hardware-backed Trusted Execution Environment (TEE) that provides intrinsic capabilities such as data integrity, data confidentiality, and code integrity. When the Docker container for the UID2 Operator Confidential Containers instance starts up, it completes the attestation process that allows the UID2 Core Service to verify the authenticity of the Operator Service and the enclave environment that the Operator Service is running in. diff --git a/docs/guides/operator-private-gcp-confidential-space.md b/docs/guides/operator-private-gcp-confidential-space.md index 35be279ec..846ac69cc 100644 --- a/docs/guides/operator-private-gcp-confidential-space.md +++ b/docs/guides/operator-private-gcp-confidential-space.md 
@@ -12,7 +12,7 @@ import ReleaseMatrix from '/docs/snippets/_private-operator-release-matrix.mdx'; # UID2 Private Operator for GCP Integration Guide -This guide provides information for setting up the UID2 Operator Service in [Confidential Space](https://cloud.google.com/confidential-computing#confidential-space), a confidential computing option from [Google Cloud](https://cloud.google.com/docs/overview/) Platform. Confidential Space offers a secure enclave environment, known as a Trusted Execution Environment (TEE). +This guide provides information for setting up the UID2 Operator Service as a Private Operator instance in [Confidential Space](https://cloud.google.com/confidential-computing#confidential-space), a confidential computing option from [Google Cloud](https://cloud.google.com/docs/overview/) Platform. Confidential Space offers a secure enclave environment, known as a Trusted Execution Environment (TEE). :::note UID2 Private Operator for GCP is not supported in these areas: Europe, China. diff --git a/docs/guides/summary-guides.md b/docs/guides/summary-guides.md index 89ddb0b83..7cb1cd342 100644 --- a/docs/guides/summary-guides.md +++ b/docs/guides/summary-guides.md @@ -113,7 +113,7 @@ The following resources are available for DSPs integrating with UID2. ## Private Operator Service Integrations -The following resources are available for Private Operator integrations. +The following resources are available for Private Operator integrations. | Integration Guide | Content Description | | :--- | :--- | diff --git a/docs/intro.md b/docs/intro.md index fbab3ee44..93ceab8c4 100644 --- a/docs/intro.md +++ b/docs/intro.md 
@@ -38,7 +38,7 @@ The UID2 framework is built on the following technical principles: - **Distributed integration**: Multiple certified integration paths provide options for publishers, advertisers, and third-party data providers to manage and exchange UID2 tokens. -- **Decentralized storage**: The framework does not have a centralized storage for personal data mappings. All participants maintain only their own data. +- **Decentralized storage**: The framework does not have a centralized storage for personal data (DII) mappings. All participants maintain only their own data. - **Lean infrastructure**: The UID2 system is light and inexpensive to operate. @@ -75,7 +75,7 @@ The UID2 framework consists of the following components, all of which are curren | Component | Description | | :--- | :--- | | **Core Service** | A centralized service that manages access to salts, encryption keys, and other relevant data in the UID2 ecosystem. | -| **Operator Service** | A service that enables the management and storage of encryption keys and salts from the UID2 Core Service, hashing of users' personal data, encryption of raw UID2s, and decryption of UID2 tokens. There can be multiple instances of the service (public or private) operated by multiple [participants](#participants), known as operators.
Open operators run publicly available instances of the Operator Service and make them available to all relevant UID2 participants. There might also be private operators that run private instances of the Operator Service exclusively for their own use. All instances are designed with protections to keep critical UID2 data secure and interoperable, regardless of who operates the service. | +| **Operator Service** | A service that enables the management and storage of encryption keys and salts from the UID2 Core Service, hashing of users' personal data, encryption of raw UID2s, and decryption of UID2 tokens. There can be multiple instances of the service (public or private) operated by multiple [participants](#participants), known as operators.
Public Operators run publicly available instances of the Operator Service and make them available to all relevant UID2 participants. There might also be Private Operators that run private instances of the Operator Service exclusively for their own use. All instances are designed with protections to keep critical UID2 data secure and interoperable, regardless of who operates the service. | | **Opt-Out Service** | A global service that manages and stores user opt-out requests and disseminates them to publishers, operator service instances, and DSPs. | | **Transparency and Control Portal** | A user-facing website, [https://www.transparentadvertising.com/](https://www.transparentadvertising.com/), that allows consumers to opt out of UID2 at any time. | @@ -88,7 +88,7 @@ The following table lists the key participants and their roles in the UID2 [work | Participant | Role Description | | :--- | :--- | | **Core Administrator** | An organization (currently, The Trade Desk) that manages the UID2 Core Service and other [components](#components). For example, it distributes encryption keys and salts to UID2 operators and sends user opt-out requests to operators and DSPs. | -| **Operators** | Organizations that run the Operator Service (via the UID2 APIs). Operators receive and store encryption keys and salts from the UID2 Core Service, salt and hash directly identifying information (DII) to return raw UID2s, encrypt raw UID2s to generate UID2 tokens, and distribute UID2 token decryption keys.
Open operators run public instances of the Operator Service. For example, The Trade Desk currently serves as an open operator for the UID2 framework, available to all participants. If other open operators are available, a participant can choose which operator to work with.
Any participant can also choose to become a private operator to generate and manage UID2s. | +| **Operators** | Organizations that run the Operator Service (via the UID2 APIs). Operators periodically receive and store up-to-date encryption keys and salts from the UID2 Core Service, salt and hash directly identifying information (DII) to return raw UID2s, encrypt raw UID2s to generate UID2 tokens, and distribute UID2 token decryption keys.
Public Operators (Open Operators) run public instances of the Operator Service. For example, The Trade Desk currently serves as a Public Operator for the UID2 framework, available to all participants. If other Public Operators are available, a participant can choose which operator to work with.
Any participant can also choose to become a Private Operator to generate and manage UID2s. | | **DSPs** | DSPs integrate with the UID2 system to receive UID2s from advertisers (as first-party data) and third-party data providers (as third-party data) and leverage them to inform bidding on UID2s in the bidstream. | | **Data Providers** | Organizations that collect user data and push it to other UID2 participants—for example, advertisers, identity graph providers, and third-party data providers. | | **Advertisers** | Organizations that buy impressions across a range of publisher sites and use DSPs to decide which ad impressions to purchase and how much to bid on them. | diff --git a/docs/overviews/overview-publishers.md b/docs/overviews/overview-publishers.md index 4901beb15..b0a81addf 100644 --- a/docs/overviews/overview-publishers.md +++ b/docs/overviews/overview-publishers.md 
@@ -106,7 +106,7 @@ For a detailed summary of web integration options, see [Web Integration Overview |:-------------------------------------|:----------------------------------------------------------------------------------------------------| :--- | | Prebid (Overview) | [UID2 Integration Overview for Prebid](../guides/integration-prebid.md) | An overview of options for publishers who want to integrate with UID2 and generate UID2 tokens to be passed by Prebid.js or Prebid Mobile SDK in the RTB bidstream. | | Prebid.js Client-Side Integration | [UID2 Client-Side Integration Guide for Prebid.js](../guides/integration-prebid-client-side.md) | A guide for publishers who want to request UID2 tokens client-side, which is the easiest implementation approach, and choose to have Prebid.js manage the following: | -| Prebid.js Client-Server Integration | [UID2 Client-Server Integration Guide for Prebid.js](../guides/integration-prebid-client-server.md) | A guide for publishers who want to integrate with UID2 and generate UID2 tokens (advertising tokens) to be passed by Prebid.js in the RTB bidstream, but want to generate tokens server-side: for example, publishers who are using a Private Operator. | +| Prebid.js Client-Server Integration | [UID2 Client-Server Integration Guide for Prebid.js](../guides/integration-prebid-client-server.md) | A guide for publishers who want to integrate with UID2 and generate UID2 tokens (advertising tokens) to be passed by Prebid.js in the RTB bidstream, but want to generate tokens server-side: for example, publishers who are using a Private Operator. | | JavaScript (Overview) | [UID2 Integration Overview for JavaScript](../guides/integration-javascript.md) | An overview of options for publishers who want to integrate with UID2 using the JavaScript SDK. 
| | JavaScript Client-Side Integration | [Client-Side Integration Guide for JavaScript](../guides/integration-javascript-client-side.md) | A guide for publishers who want to integrate with UID2 using only client-side JavaScript changes, which is the easiest implementation approach.
The SDK for JavaScript manages token generation and token refresh automatically. | | JavaScript Client-Server Integration | [Client-Server Integration Guide for JavaScript](../guides/integration-javascript-client-server.md) | A publisher guide covering standard web integration scenarios that use the SDK for JavaScript and require tokens to be generated on the server side and passed to the publisher web pages. | diff --git a/docs/portal/api-keys.md b/docs/portal/api-keys.md index c9aa787ba..09b6dea7b 100644 --- a/docs/portal/api-keys.md +++ b/docs/portal/api-keys.md @@ -18,7 +18,7 @@ In the UID2 Portal, on the **API Keys** page, you can perform all activities rel ## Overview -The API key and client secret allow you to connect to the UID2 Operator Service and call API endpoints, directly or via one of the UID2 SDKs. These values identify you to the service. +The API key and client secret allow you to connect to the UID2 Operator Service and call API endpoints, directly or via one of the UID2 SDKs. These values identify you to the service. When you add an API key in the UID2 Portal, it's very important that you store the key and its corresponding secret securely and do everything necessary to make sure that these values are not compromised. For more information, see [API Key and Client Secret](../getting-started/gs-credentials.md#api-key-and-client-secret). diff --git a/docs/ref-info/glossary-uid.md b/docs/ref-info/glossary-uid.md index c4bb11028..18dd74a82 100644 --- a/docs/ref-info/glossary-uid.md +++ b/docs/ref-info/glossary-uid.md @@ -315,7 +315,7 @@ import Link from '@docusaurus/Link';
Operator
An Operator is an organization or entity that runs the UID2 Operator Service. The UID2 Operator is the API server in the UID2 ecosystem.
-
Operators perform multiple functions, such as receiving encryption keys and salts from the UID2 Core Service, salting and hashing personal data to return raw UID2s, and encrypting raw UID2s to generate UID2 tokens.
+
Operators perform multiple functions, such as receiving encryption keys and salts from the UID2 Core Service, salting and hashing personal data (DII) to return raw UID2s, and encrypting raw UID2s to generate UID2 tokens.
A participant can also choose to become a Private Operator to access UID2 APIs and to generate raw UID2s and UID2 tokens from within a private infrastructure.
For details, see participants and The UID2 Operator.
@@ -383,6 +383,14 @@ import Link from '@docusaurus/Link';
A string of characters that is used in the process of transforming an email address or phone number into a secure, opaque value that cannot by itself be traced back to the original value.
The UID2 service uses salt as part of the process, along with hashing and encryption, to secure the original value. Salt is added to the input value before hashing.
+
Salt bucket
+
A salt bucket is used to manage secret salt values over time. Each bucket contains a single current salt value, which remains active for approximately one year before being rotated to a new value. Buckets can be updated independently of one another.
+
There are just over one million salt buckets, and each email address or phone number is assigned to a specific bucket in a deterministic manner. However, this assignment is not permanent; it might change when the bucket's current secret salt is rotated to a new value.
+ +
Salt bucket ID
+
A salt bucket ID is a unique string of characters that identifies a specific Salt bucket. The salt bucket ID can be used to check which salt buckets have recently had their salt values updated, indicating which emails or phone numbers need their raw UID2 values regenerated.
+
For an example of a salt bucket ID, see the response to the `POST /identity/buckets` endpoint: Decrypted JSON Response Format.
+
Salted hash
When a salt value is added to the input string before applying the hash function, the result is a salted hash. When the input value is salted before hashing, an attacker who has the hash cannot determine the input value by trying many possible inputs to arrive at the same output.
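Review bot: The new "Salt bucket" entry says each salt "remains active for approximately one year before being rotated", while the FAQ note in gs-faqs.md states "We do not make any promises about when the rotation takes place." A reader who plans refreshes around a yearly cycle instead of polling would miss rotations, so the entry should add that rotation timing is not guaranteed and point to `POST /identity/buckets` as the way to detect it. Minor: "a specific Salt bucket" in the "Salt bucket ID" entry should be lowercase to match the rest of the entry.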
diff --git a/docs/ref-info/ref-operators-public-private.md b/docs/ref-info/ref-operators-public-private.md index fa31a797d..e1465bb86 100644 --- a/docs/ref-info/ref-operators-public-private.md +++ b/docs/ref-info/ref-operators-public-private.md @@ -17,7 +17,14 @@ All instances of the Operator Service are designed with rigorous protections in There can be multiple instances of the Operator Service, operated by multiple participants. Each of these participants is known as a UID2 Operator. -A UID2 Operator is simply an organization that runs the Operator Service. Operators receive and store encryption keys and salts from the UID2 Core Service, salt and hash DII to return raw UID2s, encrypt raw UID2s to generate UID2 tokens, and distribute UID2 token decryption keys. +A UID2 Operator is an organization that runs the Operator Service. Operators periodically perform multiple tasks including the following: + +- Receive and store up-to-date encryption keys and salts from the UID2 Core Service. +- Salt and hash DII to return raw UID2s. +- Encrypt raw UID2s to generate UID2 tokens. +- Distribute UID2 token decryption keys to server-side SDKs (see [SDKs: Summary](../sdks/summary-sdks.md)). +- Download the latest user opt-out information from the UID2 Opt-Out Service. +- Support a number of UID2 endpoints. For details, see [UID2 Endpoints: Summary](../endpoints/summary-endpoints.md). UID2 Operators fall into two categories: 
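Review bot: In the rewritten lead-in "Operators periodically perform multiple tasks including the following:", the word "periodically" now governs every bullet, but salting and hashing DII, encrypting raw UID2s, and supporting endpoints are not scheduled activities in the way key and salt retrieval is. The matching change in intro.md scopes the word to the right clause ("periodically receive and store up-to-date encryption keys and salts"). Suggest dropping "periodically" from the lead-in and moving it into the bullets it applies to, for example "Periodically receive and store ..." and, if it applies, the opt-out download bullet.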
@@ -60,6 +67,6 @@ For most participants, Public Operator is the simplest solution. The down side of the Private Operator option is that it requires ongoing engineering effort to build and maintain. Because a Private Operator instance is managed by the participant, there are continual updates and changes that are required and must be completed within a specified time frame. -A Public Operator integration is a much easier option than creating your own instance. There is no cost to the participant, and virtually no engineering work is needed other than initial setup and configuration. +A Public Operator integration is a much easier option than hosting your own instance. There is no cost to the participant, and virtually no engineering work is needed other than initial setup and configuration. For these reasons, we recommend choosing a Public Operator. diff --git a/docs/ref-info/ref-tokens.md b/docs/ref-info/ref-tokens.md index 15a54982f..7d5be26ac 100644 --- a/docs/ref-info/ref-tokens.md +++ b/docs/ref-info/ref-tokens.md 
@@ -43,7 +43,7 @@ Here are some key points about refresh tokens: - By using the UID2 Prebid.js module (see [UID2 Integration Overview for Prebid.js](../guides/integration-prebid.md)) - When a new UID2 token is generated and returned in response to the refresh token, a new refresh token is returned along with it. - In most cases, you can refresh tokens on the client side, even if the token was generated on the server side. For details about refresh functionality for the various SDKs, see [SDK Functionality](../sdks/summary-sdks.md#sdk-functionality) (*Refresh UID2 Token* column). -- When the UID2 Operator service receives the refresh token with a request for a new UID2 token, it checks for user opt-out. If the user has opted out of UID2, no new UID2 token is generated. For details, see [User Opt-Out](../getting-started/gs-opt-out.md). +- When the UID2 Operator Service receives the refresh token with a request for a new UID2 token, it checks for user opt-out. If the user has opted out of UID2, no new UID2 token is generated. For details, see [User Opt-Out](../getting-started/gs-opt-out.md). ### Recommended Token Refresh Frequency diff --git a/docs/sdks/sdk-ref-javascript.md b/docs/sdks/sdk-ref-javascript.md index 434d4d869..77c983323 100644 --- a/docs/sdks/sdk-ref-javascript.md +++ b/docs/sdks/sdk-ref-javascript.md 
@@ -577,7 +577,7 @@ window.__uid2.callbacks.push(callbackFunction); #### Take advantage of `setIdentity` and other new features -Previous versions of the SDK had only one way to provide a new identity: in the call to `init`. This meant that some publishers had to make use of various workarounds to provide a new identity later in the page lifecycle. You might be able to simplify your integration by removing these workarounds and simply calling `setIdentity` if you want to pass a new identity to the SDK after `init` has been called. +Previous versions of the SDK had only one way to provide a new identity: in the call to `init`. This meant that some publishers had to make use of various workarounds to provide a new identity later in the page lifecycle. You might be able to simplify your integration by removing these workarounds and just calling `setIdentity` if you want to pass a new identity to the SDK after `init` has been called. #### Change how you call init
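Review bot: In docs/endpoints/post-identity-buckets.md (hunk @@ -9,7 +9,7), the removed and added lines read identically ("Monitors rotated salt buckets."), so the change appears to be whitespace only, and the same holds for several other hunks in this patch, such as those in post-identity-map.md and api-keys.md. Consider moving the whitespace-only edits into a separate commit so that the terminology changes are easier to review.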
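Review bot: In docs/guides/operator-guide-azure-enclave.md (hunk @@ -12,7 +12,7), the intro now opens with "The UID2 Operator is the API server in the UID2 ecosystem." and says "as a Private Operator", but the parallel change in operator-private-gcp-confidential-space.md adds no such opening sentence and says "as a Private Operator instance". The AWS guide already carries the opening sentence, so aligning the GCP intro and settling on one of the two phrasings would keep the three Private Operator guides consistent.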
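Review bot: In docs/intro.md (hunk @@ -75,7 +75,7, Operator Service row), the new text capitalizes "Public Operators" and "Private Operators", but the same cell still reads "known as operators", and it keeps "hashing of users' personal data" although this patch adds "(DII)" after "personal data" in the Decentralized storage bullet and in the glossary Operator entry. Suggest "known as Operators" and "personal data (DII)" here as well.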
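Review bot: In docs/intro.md (hunk @@ -88,7 +88,7, Operators row), "Public Operators (Open Operators)" keeps the replaced term in parentheses, while the other hunks in this patch swap "Open" for "Public" outright, for example in advertiser-dataprovider-guide.md. If the alias is intentional for readers who know the old name, say so explicitly; otherwise drop it. The row also leaves "which operator to work with" in lowercase next to the newly capitalized terms.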