Skip to main content
Security best practices for implementing and using the Ad Context Protocol.
Critical for Production Use AdCP handles financial commitments and potentially sensitive campaign data. Implementations managing real advertising budgets MUST implement the security controls outlined in this document.

Overview

AdCP operates in a high-stakes environment where:
  • Financial transactions involve real advertising spend
  • Multi-party trust requires coordination between Principals, Publishers, and Orchestrators
  • Sensitive data includes first-party signals, pre-launch creatives, and competitive targeting strategies
  • Asynchronous operations span multiple systems and protocols
This document provides security requirements and best practices for AdCP implementations.

Threat Model

Understanding the specific threats that AdCP implementations face helps choose appropriate mitigations. Different authentication mechanisms address different threats.

Threat Categories

Domain Trust Assumption

AdCP, like most APIs, operates on the assumption that the domain you’re connecting to is controlled by the intended party. This is the domain trust assumption.
Critical: OAuth 2.0 does not protect against domain hijacking. If an attacker controls api.adplatform.com, they can complete OAuth authorization flows just as easily as they can accept bearer tokens. The client trusts the domain, regardless of authentication mechanism.
What OAuth provides:
  • Delegated access (user authorizes agent to act on their behalf)
  • Scoped permissions (limit what the token can do)
  • Token revocation without rotating credentials
  • Separation of authentication from authorization
What OAuth does NOT provide:
  • Protection against compromised domains
  • Verification that the server is the intended recipient
  • Protection against man-in-the-middle attacks (beyond what TLS provides)
Mitigations for domain trust threats:

Authentication Mechanism Selection

Choose authentication based on the threats you need to address:

Risk Classification

AdCP operations fall into three risk categories based on their potential impact:

High-Risk Operations (Financial)

These operations commit real advertising budgets and require strong controls: Requirements for High-Risk Operations:
  • Short-lived credentials (tokens expiring in ≤15 minutes)
  • Request signing for transaction integrity (see Request Signing)
  • Multi-factor authentication or approval workflows for large budgets
  • Spending limits and anomaly detection
  • Full audit trail with immutable logging
Authentication mechanism alone does not determine security level. A properly implemented bearer token system with short expiry, request signing, and spending limits provides stronger protection than a long-lived OAuth token without additional controls.

Medium-Risk Operations (Data Access)

These operations access sensitive business data:

Low-Risk Operations (Discovery)

These operations are publicly accessible to enable discovery:

Authentication & Authorization

AdCP does not mandate a specific authentication mechanism, allowing implementers to choose appropriate protocols for their use case. However, production implementations MUST enforce strong authentication and authorization.

Authentication Mechanisms

Recommended Approaches:
  • OAuth 2.0: Industry standard, supports scoped permissions and delegation
  • API Keys with HMAC: Simple, appropriate for server-to-server communication
  • Mutual TLS (mTLS): Strong cryptographic authentication for high-security environments
  • JWT Tokens: Stateless authentication with embedded claims
Implementation Requirements:
Security Standards:
  • Use cryptographically strong authentication mechanisms (minimum 128-bit security)
  • Never transmit credentials in URL parameters (use headers or request bodies)
  • Implement proper credential rotation procedures
  • Support credential revocation and audit logging

Authorization Model

Scoped Permissions: AdCP implementations should implement fine-grained authorization: Principal Isolation:
  • Each Principal MUST have separate credentials
  • Principal A cannot access or modify Principal B’s campaigns
  • Orchestrators managing multiple principals MUST enforce strict isolation
  • Implement row-level security in multi-tenant deployments
Publisher Verification:
  • Principals should verify publisher identity before committing budgets
  • Use trusted publisher registries or reputation systems when available
  • Log all publisher interactions for audit purposes

Credential Management

Storage Best Practices:
  • Use secure key management systems (AWS KMS, Azure Key Vault, HashiCorp Vault)
  • Never commit credentials to version control
  • Use environment variables or secret managers for deployment
  • Encrypt credentials at rest
Rotation Procedures:
  • Rotate credentials every 90 days minimum
  • Support graceful rotation (allow old and new credentials during transition)
  • Revoke compromised credentials immediately
  • Maintain audit log of all credential changes
For Orchestrators:

Transport Security

HTTPS Requirements:
  • All AdCP communications MUST use HTTPS with TLS 1.3+ (TLS 1.2 minimum)
  • Validate SSL certificates (no self-signed certificates in production)
  • Implement HTTP Strict Transport Security (HSTS) headers
  • Use secure cipher suites only (disable TLS 1.0/1.1)
Webhook Security:
Webhook Best Practices:
  • Always verify HMAC signatures on webhook payloads
  • Use HTTPS for all webhook endpoints
  • Implement webhook authentication (bearer tokens or mTLS)
  • Use short-lived, cryptographically random task IDs and context IDs
  • Consider webhook payload encryption for sensitive data

Bearer Token Risks

Bearer tokens are the industry standard for API authentication (Google Ads, Meta Marketing API, The Trade Desk, etc.). Understanding their specific risks helps implement appropriate mitigations. See Threat Model for context. Inherent Risks of Bearer Tokens: Mitigations:
Common Misconception: OAuth 2.0 does not protect against domain hijacking. See Domain Trust Assumption for why switching to OAuth doesn’t address this threat.
When to Add Request Signing: For financial operations, request signing provides transaction integrity regardless of authentication mechanism:
  • Proves the request wasn’t modified in transit
  • Binds the token to specific operation parameters
  • Provides non-repudiation for audit purposes

Request Signing for Financial Operations

Financial Transaction Safety

AdCP’s create_media_buy and update_media_buy tasks commit real advertising budgets. Implementations MUST implement controls to prevent financial loss from bugs, attacks, or operational errors.

Idempotency

Critical Requirement: All state-changing operations MUST support idempotency to prevent duplicate charges.
Implementation Guidelines:
  • Accept client-provided idempotency keys (UUIDs recommended)
  • Store idempotency keys with operation results for minimum 24 hours
  • Return identical response for duplicate requests within retention window
  • Use atomic database transactions to prevent race conditions

Budget Validation

Pre-Flight Checks:
Required Controls:
  • Validate budget values are positive, non-zero amounts
  • Check currency codes are valid ISO 4217 codes
  • Enforce account-level spending limits
  • Prevent budget increases beyond configured thresholds without additional approval
  • Validate budget is within product minimum/maximum if specified

Approval Workflows

High-Value Transaction Approval:
Implementation Patterns:
  • Define approval thresholds per principal or account
  • Support multi-step approval for high-value campaigns
  • Implement approval timeouts (auto-reject after N hours)
  • Provide audit trail of approval decisions
  • Support emergency override procedures with enhanced logging

Transaction Integrity

Atomic Operations:
Best Practices:
  • Use database transactions for multi-step financial operations
  • Implement retry logic with exponential backoff for transient failures
  • Log all financial operations immutably (append-only audit log)
  • Implement reconciliation processes to detect discrepancies
  • Support refunds and budget adjustments with full audit trail

Fraud Prevention

Anomaly Detection:
Fraud Prevention Measures:
  • Monitor for suspicious spending patterns (sudden spikes, unusual geos)
  • Implement velocity checks (campaigns per day, budget increase rate)
  • Maintain blocklists for compromised credentials
  • Use IP reputation services to detect bot traffic
  • Implement device fingerprinting for high-risk operations
  • Support fraud analyst review queues for flagged transactions

Reconciliation & Audit

Daily Reconciliation:
Audit Requirements:
  • Log all budget commitments, modifications, and refunds
  • Maintain immutable audit trail (append-only, tamper-evident)
  • Implement daily reconciliation processes
  • Support audit export for compliance purposes
  • Retain financial audit logs for minimum 7 years (or per regulatory requirements)

Data Protection

Creative Assets

Access Control:
  • Implement strict access controls on creative storage
  • Pre-launch campaigns may contain confidential or competitive information
  • Use signed URLs with expiration for creative preview links
  • Prevent unauthorized access through URL guessing (use UUIDs or signed tokens)
Content Security:
Security Measures:
  • Validate file types and sizes
  • Scan uploaded files for malware
  • Sanitize HTML creatives to prevent XSS attacks
  • Use content delivery networks (CDNs) with DDoS protection
  • Implement rate limiting on creative uploads
  • Watermark or fingerprint creatives to detect leaks

First-Party Signals

PII Protection:
  • First-party signals MAY contain personally identifiable information
  • Implementations MUST comply with GDPR, CCPA, and other privacy regulations
  • Signal descriptions should use aggregate, non-identifying language
  • Implement data minimization (collect only necessary signals)
Data Handling Requirements:
Privacy Best Practices:
  • Encrypt signals at rest and in transit
  • Implement data retention policies (auto-delete after N days)
  • Support data subject access requests (GDPR Article 15)
  • Support right to deletion (GDPR Article 17)
  • Provide transparency about data usage in privacy policies
  • Obtain proper user consent before collecting/using signals

Targeting Briefs

Competitive Intelligence Protection:
  • Targeting briefs may reveal competitive strategy
  • Implement appropriate access controls (principal isolation)
  • Log all access to targeting briefs for audit purposes
  • Consider brief anonymization for compliance review workflows
  • Prevent brief content from appearing in error messages or logs
Data Security:
  • Encrypt briefs at rest
  • Implement access logging and monitoring
  • Support time-limited access (briefs expire after campaign completion)
  • Provide secure deletion procedures

Multi-Party Trust Model

AdCP’s three-role architecture (Principal, Publisher, Orchestrator) introduces unique security considerations beyond typical client-server APIs.

Principal-Publisher Trust

Publisher Identity Verification:
Trust Establishment:
  • Principals should verify publisher identity before committing budgets
  • Use trusted publisher registries (e.g., IAB Tech Lab Ads.txt/Sellers.json)
  • Implement publisher reputation scoring
  • Support allowlists/blocklists at principal level
  • Log all publisher interactions for dispute resolution
Budget Protection:
  • Start with small test campaigns before large commitments
  • Monitor delivery quality and fraud indicators
  • Implement automated pause if fraud detected
  • Support refund/chargeback mechanisms for non-delivery

Orchestrator Security

Orchestrators manage credentials and operations for multiple principals, requiring enhanced security controls. Credential Isolation:
Required Controls:
  • Store each principal’s credentials separately (encrypted at rest)
  • Use least-privilege credentials (scoped to necessary operations only)
  • Implement strict data isolation (Principal A cannot access Principal B’s data)
  • Log all operations with principal identity
  • Support per-principal rate limiting
  • Implement audit trails for compliance
Multi-Tenancy Security:
  • Use row-level security in databases
  • Implement principal_id filtering in all queries
  • Prevent cross-principal data leakage in error messages
  • Separate compute resources per principal (or use sandboxing)
  • Monitor for privilege escalation attempts

Data Isolation Requirements

Campaign Data Isolation:
Isolation Boundaries:
  • Media buy records MUST be scoped to principal
  • Creative assets MUST be scoped to principal
  • Targeting briefs MUST be scoped to principal
  • Delivery reports MUST be scoped to principal
  • Signals MUST be scoped to appropriate audience (never cross-principal)
Testing Isolation:
Injection Prevention:
  • Use parameterized queries for all database operations (NEVER string concatenation)
  • Sanitize HTML creatives to prevent XSS
  • Validate URLs in webhook configurations
  • Use allow-lists for enum values (product IDs, currencies, format IDs)
  • Reject requests with unexpected fields (strict schema validation)
Resource Limits:

API Security Best Practices

CORS Configuration:
Security Headers:
Error Handling:

Rate Limiting & DDoS Protection

Rate Limiting Strategy

Implement multi-tiered rate limiting to prevent abuse while allowing legitimate usage. Per-Endpoint Limits:
Implementation:
Adaptive Rate Limiting:
Circuit Breaker Pattern:

Logging, Monitoring & Incident Response

Security Logging

Required Log Events:
Log Categories:
  1. Authentication Events: Login attempts, token validation, logout
  2. Authorization Events: Permission checks, access denials, privilege escalation attempts
  3. Financial Events: Budget commitments, spending thresholds, fraud alerts
  4. Data Access Events: Creative downloads, signal access, report generation
  5. Error Events: Exceptions, validation failures, system errors
Log Protection:
Log Retention:
  • Security logs: 90 days minimum (365 days recommended)
  • Financial logs: 7 years (compliance requirement)
  • Access logs: 30 days minimum
  • Error logs: 90 days

Monitoring & Alerting

Critical Alerts (immediate response required):
Security Metrics to Monitor:
Anomaly Detection:

Incident Response

Incident Response Plan: 1. Detection
  • Automated monitoring and alerting
  • Manual reports from users or partners
  • External security researcher reports
2. Assessment (within 1 hour)
  • Determine scope and severity
  • Identify affected principals and campaigns
  • Estimate potential financial impact
  • Classify incident (data breach, fraud, availability, etc.)
3. Containment (immediate)
4. Communication
  • Internal: Notify security team, engineering, management
  • External: Notify affected principals within 24 hours
  • Regulatory: File required breach notifications (GDPR 72 hours, CCPA 30 days)
  • Public: Issue security advisory if widely impacted
5. Recovery
  • Restore affected systems and data
  • Refund fraudulent transactions
  • Rebuild customer trust
  • Document incident timeline
6. Post-Incident Review
  • Root cause analysis
  • Update security controls
  • Improve monitoring and detection
  • Train team on lessons learned
  • Update incident response procedures
Communication Templates:

Compliance & Regulatory Considerations

AdCP implementations may need to comply with various regulations depending on jurisdiction, data handling practices, and business relationships.

Privacy Regulations

GDPR (General Data Protection Regulation):
  • Scope: Applies to processing personal data of EU residents
  • AdCP Context: First-party signals may constitute personal data
  • Requirements:
    • Lawful basis for processing (consent, legitimate interest, etc.)
    • Data subject rights (access, deletion, portability, rectification)
    • Data protection impact assessments for high-risk processing
    • Data breach notification (72 hours to supervisory authority)
    • Privacy by design and default
  • Documentation: Maintain records of processing activities
CCPA (California Consumer Privacy Act):
  • Scope: Applies to California residents’ personal information
  • AdCP Context: Consumer targeting and audience data
  • Requirements:
    • Consumer rights (know, delete, opt-out, non-discrimination)
    • Notice at collection
    • Privacy policy disclosures
    • Service provider agreements
    • Data breach notification (if unencrypted data exposed)
  • Special Considerations: “Sale” of personal information requires opt-out
Other Regulations:
  • COPPA: Children’s Online Privacy Protection Act (US) - special consent requirements for under-13 audience
  • PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
  • Data Localization: Some jurisdictions require data to be stored within borders (Russia, China, etc.)

Industry Self-Regulation

IAB Tech Lab Standards:
  • Ads.txt/App-ads.txt: Publisher authorization verification
  • Sellers.json: Supply chain transparency
  • TCF (Transparency & Consent Framework): GDPR consent management
Digital Advertising Alliance (DAA):
  • Self-regulatory principles for interest-based advertising
  • Consumer choice mechanisms (AdChoices icon)
  • Enhanced notice requirements
Network Advertising Initiative (NAI):
  • Code of Conduct for member companies
  • Opt-out mechanisms for interest-based advertising

Financial & Audit Compliance

SOC 2 (Service Organization Control 2):
  • Recommended for: Publishers and Orchestrators handling financial transactions
  • Trust Service Criteria: Security, availability, processing integrity, confidentiality, privacy
  • Type II: Audits effectiveness of controls over time (6-12 months)
PCI DSS (Payment Card Industry Data Security Standard):
  • Less common in programmatic advertising (indirect billing more typical)
  • Required if: Directly processing, storing, or transmitting cardholder data
  • Levels: Based on transaction volume
Financial Audit Requirements:
  • Maintain auditable financial records for minimum 7 years
  • Support reconciliation and dispute resolution
  • Provide transaction-level audit trails

Security Assessment & Testing

Recommended Security Assessments: Bug Bounty Programs: Consider running a bug bounty program to incentivize responsible vulnerability disclosure:
  • Define scope (in-scope vs. out-of-scope systems)
  • Set bounty amounts based on severity
  • Establish clear disclosure guidelines
  • Respond promptly to submissions

Security Implementation Checklist

For Publishers (AdCP Servers)

Authentication & Authorization:
  • Implement strong authentication (OAuth 2.0, API keys, or mTLS)
  • Support scoped permissions (read vs. write operations)
  • Enforce principal isolation in all database queries
  • Log all authentication and authorization events
Financial Controls:
  • Implement idempotency for create_media_buy and update_media_buy
  • Validate budget values and enforce spending limits
  • Support approval workflows for high-value transactions
  • Implement daily reconciliation processes
  • Maintain immutable financial audit logs (7+ years)
Data Protection:
  • Use TLS 1.3+ for all communications
  • Encrypt sensitive data at rest (creatives, signals, briefs)
  • Implement access controls on creative storage
  • Sanitize HTML creatives to prevent XSS
  • Verify webhook signatures cryptographically
Operational Security:
  • Implement rate limiting per principal and endpoint
  • Validate all input with strict schema validation
  • Use parameterized queries (prevent SQL injection)
  • Set appropriate security headers (HSTS, CSP, X-Frame-Options)
  • Never expose internal details in error messages
Monitoring & Incident Response:
  • Implement comprehensive security logging
  • Set up monitoring and alerting for anomalies
  • Develop and document incident response procedures
  • Conduct regular security drills
  • Establish communication channels for security incidents
Compliance:
  • Document data processing activities (GDPR Article 30)
  • Implement data subject rights (access, deletion, portability)
  • Establish data retention and deletion policies
  • Conduct DPIAs for high-risk processing
  • Consider SOC 2 audit for enterprise customers
Testing & Assessment:
  • Conduct annual penetration testing
  • Implement automated vulnerability scanning
  • Perform security code reviews before releases
  • Test principal isolation with security tests
  • Validate authentication bypass protections

For Principals (AdCP Clients)

Credential Security:
  • Store credentials in secure key management system (not code)
  • Rotate credentials every 90 days
  • Use least-privilege credentials (scoped to necessary operations)
  • Never log or expose credentials
  • Revoke credentials immediately if compromised
Budget Protection:
  • Start with small test campaigns with new publishers
  • Monitor spending against budgets in real-time
  • Implement alerts for unusual spending patterns
  • Validate publisher identity before large commitments
  • Maintain allowlists/blocklists for publishers
Data Security:
  • Use HTTPS for all AdCP communications
  • Validate responses from publishers (don’t trust blindly)
  • Encrypt targeting briefs if containing sensitive strategy
  • Implement access controls for campaign data
  • Log all AdCP interactions for audit purposes
Operational:
  • Handle errors gracefully (retry with exponential backoff)
  • Implement circuit breakers for failing publishers
  • Monitor API error rates and latency
  • Keep client libraries and dependencies updated
  • Validate webhook authenticity (if receiving async callbacks)

For Orchestrators (Multi-Principal Agents)

Credential Management:
  • Store each principal’s credentials separately (encrypted at rest)
  • Use key management service (AWS KMS, Azure Key Vault, etc.)
  • Never share credentials between principals
  • Implement credential rotation per principal
  • Support credential revocation
Data Isolation:
  • Enforce principal_id filtering in ALL queries
  • Use row-level security in databases
  • Prevent cross-principal data leakage in error messages
  • Implement security tests for isolation violations
  • Log all operations with principal identity
Operational Security:
  • Implement per-principal rate limiting
  • Support per-principal spending limits and approvals
  • Maintain separate audit logs per principal
  • Sandbox execution environments (optional but recommended)
  • Monitor for privilege escalation attempts
Compliance:
  • Act as data processor (not controller) for principals
  • Maintain data processing agreements with principals
  • Support data export and deletion requests
  • Provide transparency about data handling practices
  • Consider SOC 2 audit for enterprise orchestration services

Vulnerability Disclosure

For vulnerability disclosure policy and reporting procedures, see SECURITY.md in the AdCP repository. Quick Reference:
  • Report vulnerabilities to: security@adcontextprotocol.org
  • Expected response time: Within 72 hours
  • Public disclosure timeline: After fix is available (coordinated disclosure)

Security Resources

Standards & Frameworks: Industry Resources: Compliance Guides: Tools & Libraries: