UID2 token and refresh token new page, updated #694
Conversation
genwhittTTD
changed the title
docs/ref-info/ref-tokens.md
Outdated
|
|
||
| # UID2 Tokens and Refresh Tokens | ||
|
|
||
| When a publisher sends a user's <Link href="../ref-info/glossary-uid#gl-dii">DII</Link> (email address or phone number) to the UID2 Operator, whether via one of the UID2 SDKs or the [POST /token/generate](../endpoints/post-token-generate.md) endpoint, the UID2 Operator returns a <a href="glossary-uid#gl-uid2-token">UID2 token</a> with associated values. The token is an opaque alphanumeric string, and is pseudonymous. Because of the way UID2 works, different instances of activity, on browsers, CTV, and electronic devices such as phone and tablets, can be matched without compromising the privacy of the individual. The token is designed so that it cannot be reverse engineered to arrive at the original email address or phone number. |
There was a problem hiding this comment.
The token is an opaque alphanumeric string, and is pseudonymous.
From Andrei's feedback, maybe best to
The token is an opaque alphanumeric string and everytime token is generated for same DII input, the token value will be different so token values are never the same.
the UID2 Operator returns a UID2 token with associated values.
There is no associated values for UID2 token - UID2 token is just a string. i think you are confused with the "Identity" response in token/generate reply. I think we can say somethign direct and simple:
_the UID2 Operator returns a UID2 token which is an encrypted form of a raw UID2, created from the DII input _
without compromising the privacy of the individual
Check with legal on this.
it cannot be reverse engineered to arrive at the original email address or phone number.
Maybe ask Legal to check if this is safe to say.
There was a problem hiding this comment.
@sunnywu thx much. Made the first change. Second one: yes, by associated values, which we use in several places in the doc, we mean the refresh token, timestamp etc. that come with the token. I adjusted to specify refresh token as an example, but I think that wording is clear.
On the other points... this will go to Legal after you,. I can call out those sections but he will check those things anyway.
There was a problem hiding this comment.
Follow up on this: these sections were changed.
docs/ref-info/ref-tokens.md
Outdated
| @@ -9,21 +9,20 @@ import Link from '@docusaurus/Link'; | |||
|
|
|||
| # UID2 Tokens and Refresh Tokens | |||
|
|
|||
| When a publisher sends a user's <Link href="../ref-info/glossary-uid#gl-dii">DII</Link> (email address or phone number) to the UID2 Operator, whether via one of the UID2 SDKs or the [POST /token/generate](../endpoints/post-token-generate.md) endpoint, the UID2 Operator returns a <a href="glossary-uid#gl-uid2-token">UID2 token</a> with associated values such as refresh token. The token is an opaque alphanumeric string. Every time a token is generated from DII input, the token value is different. Token values are never the same. Because of the way UID2 works, different instances of activity, on browsers, CTV, and electronic devices such as phone and tablets, can be matched without compromising the privacy of the individual. The token is designed so that it cannot be reverse engineered to arrive at the original email address or phone number. | |||
| When a publisher sends a user's <Link href="../ref-info/glossary-uid#gl-dii">DII</Link> (email address or phone number) to the UID2 Operator, whether via one of the UID2 SDKs or the [POST /token/generate](../endpoints/post-token-generate.md) endpoint, the UID2 Operator returns a <a href="glossary-uid#gl-uid2-token">UID2 token</a> with associated values, including a refresh token. The token is an alphanumeric string. Each time a token is generated from DII input, the token value is different. Because of the way UID2 works, different instances of activity, on browsers, CTV, and electronic devices such as phone and tablets, can still be matched to the same <a href="glossary-uid#gl-raw-uid2">raw UID2</a> generated from the user's DII, even though the token might be different. The token is designed to protect against reverse engineering that might reveal the original email address or phone number. | |||
There was a problem hiding this comment.
i feel it is better to just copy the Glossary definition of UID2 token and put it here:
UID2 tokens are generated from hashed or unhashed email addresses or phone numbers that are converted to raw UID2s and then encrypted.
The token is designed to protect against reverse engineering that might reveal the original email address or phone number.
This makes it sound like people who can legit decrypt the token can know the original email/phone value (which isn't true as token can only be decrypted into a raw UID2. But yes if malicious party which has a mapping of raw UID2->original email/phone they can know the original email/phone.
We could reword
The token is designed to protect the raw UID2 value inside the token so that only participant which have permission to decrypt can reveal the raw UID2 inside it.
Or just copy the glossary definition instead of reinventing the wheel here.
https://unifiedid.com/docs/ref-info/glossary-uid#gl-uid2-token
I feel current wording could be confusing and we should change it one way or another - i feel copy from glossary is easier.
There was a problem hiding this comment.
Majorly updated. from the glossary, to this:
When a publisher sends a user's DII—hashed or unhashed email addresses or phone numbers—to the UID2 Operator, whether via one of the UID2 SDKs or the POST /token/generate endpoint, the UID2 Operator converts the DII to a raw UID2, encrypts it into a UID2 token, and returns the UID2 token with associated values, including a refresh token. The publisher can then use the UID2 token in the bidstream.
And all the rest of the info is in the subsequent sections anyway.
Add reference article with key information about UID2 token and refresh token.