Protected Audience API

A Protected Audience API interest group represents a group of people with a common interest, corresponding to a remarketing list.

Every Protected Audience API interest group has an owner. Different types of owners will create different types of interest groups with different use cases.

The owner asks the user's browser to add membership of their interest group by calling the JavaScript function navigator.joinAdInterestGroup(), providing information such as data about ads relevant to the interest group, and a URL for JavaScript used in bidding. Interest group data (such as the ads) can be updated, and an interest group can be enabled for up to 30 days.

The table below provides examples of different types of Protected Audience API interest groups and owners.

Chrome allows up to 1000 interest groups per owner, and up to 1000 interest group owners. These limits are meant as guard rails, not to be hit in regular operation.

In the Protected Audience API, a buyer is a party that owns an interest group and bids in an ad auction.

For example:

• Advertiser: acting for itself.
• Demand-Side Platform (DSP): acting for advertisers.
• Interest group owner: working for multiple advertisers.

Buyers have three jobs:

• Choose whether to participate in an auction.
• Choose ads and calculate a bid.
• Report the auction outcome.

These jobs are done programmatically, in code provided by the buyer that is run during a Protected Audience API ad auction.

When a buyer asks a user's browser to add an interest group to the groups it is a member of (by calling the JavaScript function navigator.joinAdInterestGroup()) the buyer provides the browser with:

• A URL for bidding code, that will be used when the seller runs an ad auction.
• Potentially, URLs for ad creatives for the interest group. (Ad URLs may be added later via an update.)
• A list of data keys to be queried, and the URL of the buyer's Key/Value service, to enable bidding code to get real-time data during an auction.

The buyer's code can also include a reportWin() function to report the auction outcome.

There are multiple parties that might run an auction to sell ad space.

For example:

• Content publisher: acting for itself to host ad content on its website.
• Supply-side platform (SSP): working with the publisher and providing other services.
• Third-party script: acting for a publisher, to enable participation in ad auctions.

With the Protected Audience API, an ad space seller has three jobs:

• Enforce publisher rules: stating which buyers and which bids are eligible.
• Run auction logic: JavaScript run in worklets to calculate a desirability score for each bid.
• Report the auction outcome.

These jobs are done programmatically, in code provided by the seller when it initiates an ad auction by calling the JavaScript function navigator.runAdAuction().

The diagram below outlines each stage of a Protected Audience API ad auction: view a larger version.

In the Protected Audience API, an ad auction is a collection of small JavaScript programs the browser runs on the user's device to choose an ad. To preserve privacy, all ad auction code from the seller and buyers is run in isolated JavaScript worklets that can't talk to the outside world.

A seller (a publisher or a supply-side platform) initiates a Protected Audience ad auction on a site that sells ad space (such as a news site). The seller chooses buyers to participate in the auction, indicates what space is for sale, and provides additional criteria for the ad. Each buyer is the owner of an interest group.

The seller provides the browser with code to score bids, which includes each bid's value, the ad creative URL, and other data returned from each buyer. During the auction, bidding code from buyers and bid-scoring code from the seller can receive data from their Key/Value services. Once an ad is chosen and displayed (in a fenced frame to preserve privacy), the seller and the winning bidder can report the auction result.

1. A user visits a site which displays ads.

2. The seller's code starts an auction. The seller specifies which ad space is for sale and who can bid, as well as a method to score those bids.

3. The invited buyer's code executes to generate a bid, URL for a relevant ad creative, and other data. The bidding script can query for real-time data, such as the remaining ad campaign budget, from the buyer's Key/Value service.

4. The seller's code scores each bid and selects a winner. This logic uses the bid value and other data to return a bid's desirability and reject an ad that can't beat the contextual ad winner. The seller can use their own Key/Value service for real-time data. Before an auction starts, the seller finds the best contextual ad for the available ad slot.

5. The winning ad is returned as a fenced frame config object when the resolveToConfig flag is set in the auction config. The config is used to navigate the fenced frame to the ad creative, and the URL of the creative is hidden from both the seller and the publisher. If the resolveToConfig flag is set to false or not passed in, the winning ad is returned as an opaque URN that can be used to render the ad in an iframe. The fenced frame config object is available starting from M114.

6. The auction is reported to the seller and winning buyers.

   The seller's reportResult() and buyer's reportWin() can include a call to sendReportTo(). This is available temporarily, until aggregate reporting is available with Private Aggregation.

   A reporting mechanism for losing buyers is under discussion.

The Protected Audience API Key/Value service allows ad techs to query for real-time data when a bid is made by the buyer, and for sellers to score ads while preserving privacy. You can read about the Protected Audience API Key/Value service and others in Protected Audience API services.

The Key/Value service is deployed to the ad tech's own cloud infrastructure, and the service runs in a trusted execution environment. A request to a Key/Value service cannot result in event-level logging or have other side effects. The Key/Value service will also support user-defined functions (UDFs) that allow ad techs to execute their own custom logic within the Key/Value service.

A buyer or seller provides a list of 'keys' to specify the data they require from a Protected Audience API Key/Value service. The Key/Value service responds with a value for each key.

The Protected Audience API Key/Value service code is now available in a Privacy Sandbox GitHub repository. This service can be used by Chrome and Android developers.

Learn more about the Protected Audience API Key/Value service from the API explainer and the trust model explainer.

The buyers or seller in an ad auction may need access to real-time data. For example, bidders may want to calculate the remaining budget in an ad campaign, or the seller may be required to check ad creatives against publisher policies.

To meet the privacy requirements of the Protected Audience API, real-time data required during an ad auction is provided by the Key/Value service. When each buyer calls navigator.joinAdInterestGroup(), the buyer specifies a Key/Value service URL and specifies the keys to be queried to the service during an auction. Likewise, when the seller runs an ad auction by calling navigator.runAdAuction(), the seller provides a URL for its Key/Value service. The seller's Key/Value service will be queried with the render URL of the creative.

For initial testing, the "Bring Your Own Server" model is used. In the long term, ad techs will need to use the open-source Protected Audience API Key/Value services running in trusted execution environments for retrieving real-time data.

To ensure that the ecosystem has sufficient time to test, we don’t expect to require the use of the open-source Key/Value services or trusted execution environments until sometime after third-party cookie deprecation. We will provide substantial notice for developers to begin testing and adoption before this transition takes place.