Overview
AdCP operates in a high-stakes environment where:- Financial transactions involve real advertising spend
- Multi-party trust requires coordination between Principals, Publishers, and Orchestrators
- Sensitive data includes first-party signals, pre-launch creatives, and competitive targeting strategies
- Asynchronous operations span multiple systems and protocols
Threat Model
Understanding the specific threats that AdCP implementations face helps choose appropriate mitigations. Different authentication mechanisms address different threats.Threat Categories
Domain Trust Assumption
AdCP, like most APIs, operates on the assumption that the domain you’re connecting to is controlled by the intended party. This is the domain trust assumption. What OAuth provides:- Delegated access (user authorizes agent to act on their behalf)
- Scoped permissions (limit what the token can do)
- Token revocation without rotating credentials
- Separation of authentication from authorization
- Protection against compromised domains
- Verification that the server is the intended recipient
- Protection against man-in-the-middle attacks (beyond what TLS provides)
Authentication Mechanism Selection
Choose authentication based on the threats you need to address:Risk Classification
AdCP operations fall into three risk categories based on their potential impact:High-Risk Operations (Financial)
These operations commit real advertising budgets and require strong controls:
Requirements for High-Risk Operations:
- Short-lived credentials (tokens expiring in ≤15 minutes)
- Request signing for transaction integrity (see Request Signing)
- Multi-factor authentication or approval workflows for large budgets
- Spending limits and anomaly detection
- Full audit trail with immutable logging
Authentication mechanism alone does not determine security level. A properly implemented bearer token system with short expiry, request signing, and spending limits provides stronger protection than a long-lived OAuth token without additional controls.
Medium-Risk Operations (Data Access)
These operations access sensitive business data:Low-Risk Operations (Discovery)
These operations are publicly accessible to enable discovery:Authentication & Authorization
AdCP does not mandate a specific authentication mechanism, allowing implementers to choose appropriate protocols for their use case. However, production implementations MUST enforce strong authentication and authorization.Authentication Mechanisms
Recommended Approaches:- OAuth 2.0: Industry standard, supports scoped permissions and delegation
- API Keys with HMAC: Simple, appropriate for server-to-server communication
- Mutual TLS (mTLS): Strong cryptographic authentication for high-security environments
- JWT Tokens: Stateless authentication with embedded claims
- Use cryptographically strong authentication mechanisms (minimum 128-bit security)
- Never transmit credentials in URL parameters (use headers or request bodies)
- Implement proper credential rotation procedures
- Support credential revocation and audit logging
Authorization Model
Scoped Permissions: AdCP implementations should implement fine-grained authorization:
Principal Isolation:
- Each Principal MUST have separate credentials
- Principal A cannot access or modify Principal B’s campaigns
- Orchestrators managing multiple principals MUST enforce strict isolation
- Implement row-level security in multi-tenant deployments
- Principals should verify publisher identity before committing budgets
- Use trusted publisher registries or reputation systems when available
- Log all publisher interactions for audit purposes
Credential Management
Storage Best Practices:- Use secure key management systems (AWS KMS, Azure Key Vault, HashiCorp Vault)
- Never commit credentials to version control
- Use environment variables or secret managers for deployment
- Encrypt credentials at rest
- Rotate credentials every 90 days minimum
- Support graceful rotation (allow old and new credentials during transition)
- Revoke compromised credentials immediately
- Maintain audit log of all credential changes
Transport Security
HTTPS Requirements:- All AdCP communications MUST use HTTPS with TLS 1.3+ (TLS 1.2 minimum)
- Validate SSL certificates (no self-signed certificates in production)
- Implement HTTP Strict Transport Security (HSTS) headers
- Use secure cipher suites only (disable TLS 1.0/1.1)
- Always verify HMAC signatures on webhook payloads
- Use HTTPS for all webhook endpoints
- Implement webhook authentication (bearer tokens or mTLS)
- Use short-lived, cryptographically random task IDs and context IDs
- Consider webhook payload encryption for sensitive data
Bearer Token Risks
Bearer tokens are the industry standard for API authentication (Google Ads, Meta Marketing API, The Trade Desk, etc.). Understanding their specific risks helps implement appropriate mitigations. See Threat Model for context. Inherent Risks of Bearer Tokens:
Mitigations:
When to Add Request Signing:
For financial operations, request signing provides transaction integrity regardless of authentication mechanism:
- Proves the request wasn’t modified in transit
- Binds the token to specific operation parameters
- Provides non-repudiation for audit purposes
Request Signing for Financial Operations
Financial Transaction Safety
AdCP’screate_media_buy and update_media_buy tasks commit real advertising budgets. Implementations MUST implement controls to prevent financial loss from bugs, attacks, or operational errors.
Idempotency
Critical Requirement: All state-changing operations MUST support idempotency to prevent duplicate charges.- Accept client-provided idempotency keys (UUIDs recommended)
- Store idempotency keys with operation results for minimum 24 hours
- Return identical response for duplicate requests within retention window
- Use atomic database transactions to prevent race conditions
Budget Validation
Pre-Flight Checks:- Validate budget values are positive, non-zero amounts
- Check currency codes are valid ISO 4217 codes
- Enforce account-level spending limits
- Prevent budget increases beyond configured thresholds without additional approval
- Validate budget is within product minimum/maximum if specified
Approval Workflows
High-Value Transaction Approval:- Define approval thresholds per principal or account
- Support multi-step approval for high-value campaigns
- Implement approval timeouts (auto-reject after N hours)
- Provide audit trail of approval decisions
- Support emergency override procedures with enhanced logging
Transaction Integrity
Atomic Operations:- Use database transactions for multi-step financial operations
- Implement retry logic with exponential backoff for transient failures
- Log all financial operations immutably (append-only audit log)
- Implement reconciliation processes to detect discrepancies
- Support refunds and budget adjustments with full audit trail
Fraud Prevention
Anomaly Detection:- Monitor for suspicious spending patterns (sudden spikes, unusual geos)
- Implement velocity checks (campaigns per day, budget increase rate)
- Maintain blocklists for compromised credentials
- Use IP reputation services to detect bot traffic
- Implement device fingerprinting for high-risk operations
- Support fraud analyst review queues for flagged transactions
Reconciliation & Audit
Daily Reconciliation:- Log all budget commitments, modifications, and refunds
- Maintain immutable audit trail (append-only, tamper-evident)
- Implement daily reconciliation processes
- Support audit export for compliance purposes
- Retain financial audit logs for minimum 7 years (or per regulatory requirements)
Data Protection
Creative Assets
Access Control:- Implement strict access controls on creative storage
- Pre-launch campaigns may contain confidential or competitive information
- Use signed URLs with expiration for creative preview links
- Prevent unauthorized access through URL guessing (use UUIDs or signed tokens)
- Validate file types and sizes
- Scan uploaded files for malware
- Sanitize HTML creatives to prevent XSS attacks
- Use content delivery networks (CDNs) with DDoS protection
- Implement rate limiting on creative uploads
- Watermark or fingerprint creatives to detect leaks
First-Party Signals
PII Protection:- First-party signals MAY contain personally identifiable information
- Implementations MUST comply with GDPR, CCPA, and other privacy regulations
- Signal descriptions should use aggregate, non-identifying language
- Implement data minimization (collect only necessary signals)
- Encrypt signals at rest and in transit
- Implement data retention policies (auto-delete after N days)
- Support data subject access requests (GDPR Article 15)
- Support right to deletion (GDPR Article 17)
- Provide transparency about data usage in privacy policies
- Obtain proper user consent before collecting/using signals
Targeting Briefs
Competitive Intelligence Protection:- Targeting briefs may reveal competitive strategy
- Implement appropriate access controls (principal isolation)
- Log all access to targeting briefs for audit purposes
- Consider brief anonymization for compliance review workflows
- Prevent brief content from appearing in error messages or logs
- Encrypt briefs at rest
- Implement access logging and monitoring
- Support time-limited access (briefs expire after campaign completion)
- Provide secure deletion procedures
Multi-Party Trust Model
AdCP’s three-role architecture (Principal, Publisher, Orchestrator) introduces unique security considerations beyond typical client-server APIs.Principal-Publisher Trust
Publisher Identity Verification:- Principals should verify publisher identity before committing budgets
- Use trusted publisher registries (e.g., IAB Tech Lab Ads.txt/Sellers.json)
- Implement publisher reputation scoring
- Support allowlists/blocklists at principal level
- Log all publisher interactions for dispute resolution
- Start with small test campaigns before large commitments
- Monitor delivery quality and fraud indicators
- Implement automated pause if fraud detected
- Support refund/chargeback mechanisms for non-delivery
Orchestrator Security
Orchestrators manage credentials and operations for multiple principals, requiring enhanced security controls. Credential Isolation:- Store each principal’s credentials separately (encrypted at rest)
- Use least-privilege credentials (scoped to necessary operations only)
- Implement strict data isolation (Principal A cannot access Principal B’s data)
- Log all operations with principal identity
- Support per-principal rate limiting
- Implement audit trails for compliance
- Use row-level security in databases
- Implement principal_id filtering in all queries
- Prevent cross-principal data leakage in error messages
- Separate compute resources per principal (or use sandboxing)
- Monitor for privilege escalation attempts
Data Isolation Requirements
Campaign Data Isolation:- Media buy records MUST be scoped to principal
- Creative assets MUST be scoped to principal
- Targeting briefs MUST be scoped to principal
- Delivery reports MUST be scoped to principal
- Signals MUST be scoped to appropriate audience (never cross-principal)
- Use parameterized queries for all database operations (NEVER string concatenation)
- Sanitize HTML creatives to prevent XSS
- Validate URLs in webhook configurations
- Use allow-lists for enum values (product IDs, currencies, format IDs)
- Reject requests with unexpected fields (strict schema validation)
API Security Best Practices
CORS Configuration:Rate Limiting & DDoS Protection
Rate Limiting Strategy
Implement multi-tiered rate limiting to prevent abuse while allowing legitimate usage. Per-Endpoint Limits:Logging, Monitoring & Incident Response
Security Logging
Required Log Events:- Authentication Events: Login attempts, token validation, logout
- Authorization Events: Permission checks, access denials, privilege escalation attempts
- Financial Events: Budget commitments, spending thresholds, fraud alerts
- Data Access Events: Creative downloads, signal access, report generation
- Error Events: Exceptions, validation failures, system errors
- Security logs: 90 days minimum (365 days recommended)
- Financial logs: 7 years (compliance requirement)
- Access logs: 30 days minimum
- Error logs: 90 days
Monitoring & Alerting
Critical Alerts (immediate response required):Incident Response
Incident Response Plan: 1. Detection- Automated monitoring and alerting
- Manual reports from users or partners
- External security researcher reports
- Determine scope and severity
- Identify affected principals and campaigns
- Estimate potential financial impact
- Classify incident (data breach, fraud, availability, etc.)
- Internal: Notify security team, engineering, management
- External: Notify affected principals within 24 hours
- Regulatory: File required breach notifications (GDPR 72 hours, CCPA 30 days)
- Public: Issue security advisory if widely impacted
- Restore affected systems and data
- Refund fraudulent transactions
- Rebuild customer trust
- Document incident timeline
- Root cause analysis
- Update security controls
- Improve monitoring and detection
- Train team on lessons learned
- Update incident response procedures
Compliance & Regulatory Considerations
AdCP implementations may need to comply with various regulations depending on jurisdiction, data handling practices, and business relationships.Privacy Regulations
GDPR (General Data Protection Regulation):- Scope: Applies to processing personal data of EU residents
- AdCP Context: First-party signals may constitute personal data
- Requirements:
- Lawful basis for processing (consent, legitimate interest, etc.)
- Data subject rights (access, deletion, portability, rectification)
- Data protection impact assessments for high-risk processing
- Data breach notification (72 hours to supervisory authority)
- Privacy by design and default
- Documentation: Maintain records of processing activities
- Scope: Applies to California residents’ personal information
- AdCP Context: Consumer targeting and audience data
- Requirements:
- Consumer rights (know, delete, opt-out, non-discrimination)
- Notice at collection
- Privacy policy disclosures
- Service provider agreements
- Data breach notification (if unencrypted data exposed)
- Special Considerations: “Sale” of personal information requires opt-out
- COPPA: Children’s Online Privacy Protection Act (US) - special consent requirements for under-13 audience
- PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
- Data Localization: Some jurisdictions require data to be stored within borders (Russia, China, etc.)
Industry Self-Regulation
IAB Tech Lab Standards:- Ads.txt/App-ads.txt: Publisher authorization verification
- Sellers.json: Supply chain transparency
- TCF (Transparency & Consent Framework): GDPR consent management
- Self-regulatory principles for interest-based advertising
- Consumer choice mechanisms (AdChoices icon)
- Enhanced notice requirements
- Code of Conduct for member companies
- Opt-out mechanisms for interest-based advertising
Financial & Audit Compliance
SOC 2 (Service Organization Control 2):- Recommended for: Publishers and Orchestrators handling financial transactions
- Trust Service Criteria: Security, availability, processing integrity, confidentiality, privacy
- Type II: Audits effectiveness of controls over time (6-12 months)
- Less common in programmatic advertising (indirect billing more typical)
- Required if: Directly processing, storing, or transmitting cardholder data
- Levels: Based on transaction volume
- Maintain auditable financial records for minimum 7 years
- Support reconciliation and dispute resolution
- Provide transaction-level audit trails
Security Assessment & Testing
Recommended Security Assessments:
Bug Bounty Programs:
Consider running a bug bounty program to incentivize responsible vulnerability disclosure:
- Define scope (in-scope vs. out-of-scope systems)
- Set bounty amounts based on severity
- Establish clear disclosure guidelines
- Respond promptly to submissions
Security Implementation Checklist
For Publishers (AdCP Servers)
Authentication & Authorization:- Implement strong authentication (OAuth 2.0, API keys, or mTLS)
- Support scoped permissions (read vs. write operations)
- Enforce principal isolation in all database queries
- Log all authentication and authorization events
- Implement idempotency for
create_media_buyandupdate_media_buy - Validate budget values and enforce spending limits
- Support approval workflows for high-value transactions
- Implement daily reconciliation processes
- Maintain immutable financial audit logs (7+ years)
- Use TLS 1.3+ for all communications
- Encrypt sensitive data at rest (creatives, signals, briefs)
- Implement access controls on creative storage
- Sanitize HTML creatives to prevent XSS
- Verify webhook signatures cryptographically
- Implement rate limiting per principal and endpoint
- Validate all input with strict schema validation
- Use parameterized queries (prevent SQL injection)
- Set appropriate security headers (HSTS, CSP, X-Frame-Options)
- Never expose internal details in error messages
- Implement comprehensive security logging
- Set up monitoring and alerting for anomalies
- Develop and document incident response procedures
- Conduct regular security drills
- Establish communication channels for security incidents
- Document data processing activities (GDPR Article 30)
- Implement data subject rights (access, deletion, portability)
- Establish data retention and deletion policies
- Conduct DPIAs for high-risk processing
- Consider SOC 2 audit for enterprise customers
- Conduct annual penetration testing
- Implement automated vulnerability scanning
- Perform security code reviews before releases
- Test principal isolation with security tests
- Validate authentication bypass protections
For Principals (AdCP Clients)
Credential Security:- Store credentials in secure key management system (not code)
- Rotate credentials every 90 days
- Use least-privilege credentials (scoped to necessary operations)
- Never log or expose credentials
- Revoke credentials immediately if compromised
- Start with small test campaigns with new publishers
- Monitor spending against budgets in real-time
- Implement alerts for unusual spending patterns
- Validate publisher identity before large commitments
- Maintain allowlists/blocklists for publishers
- Use HTTPS for all AdCP communications
- Validate responses from publishers (don’t trust blindly)
- Encrypt targeting briefs if containing sensitive strategy
- Implement access controls for campaign data
- Log all AdCP interactions for audit purposes
- Handle errors gracefully (retry with exponential backoff)
- Implement circuit breakers for failing publishers
- Monitor API error rates and latency
- Keep client libraries and dependencies updated
- Validate webhook authenticity (if receiving async callbacks)
For Orchestrators (Multi-Principal Agents)
Credential Management:- Store each principal’s credentials separately (encrypted at rest)
- Use key management service (AWS KMS, Azure Key Vault, etc.)
- Never share credentials between principals
- Implement credential rotation per principal
- Support credential revocation
- Enforce principal_id filtering in ALL queries
- Use row-level security in databases
- Prevent cross-principal data leakage in error messages
- Implement security tests for isolation violations
- Log all operations with principal identity
- Implement per-principal rate limiting
- Support per-principal spending limits and approvals
- Maintain separate audit logs per principal
- Sandbox execution environments (optional but recommended)
- Monitor for privilege escalation attempts
- Act as data processor (not controller) for principals
- Maintain data processing agreements with principals
- Support data export and deletion requests
- Provide transparency about data handling practices
- Consider SOC 2 audit for enterprise orchestration services
Vulnerability Disclosure
For vulnerability disclosure policy and reporting procedures, see SECURITY.md in the AdCP repository. Quick Reference:- Report vulnerabilities to: security@adcontextprotocol.org
- Expected response time: Within 72 hours
- Public disclosure timeline: After fix is available (coordinated disclosure)
Security Resources
Standards & Frameworks:- OWASP API Security Top 10
- OAuth 2.0 Security Best Practices
- NIST Cybersecurity Framework
- NIST Cryptographic Standards
- Cloud Security Alliance
- OWASP ZAP - Security testing tool
- Snyk - Dependency vulnerability scanning
- Dependabot - Automated dependency updates
- Let’s Encrypt - Free TLS certificates