Introduction
The Criteo API allows you to build custom apps that help the world’s advertisers grow their businesses. In order for your app to function, your users will have to delegate permissions for one or more of the Criteo advertisers that they oversee. To do this, you will need to direct the user to a unique consent delegation page. The URLs for this type of page can be generated in one of two ways - manually from your Criteo App page, or programmatically using a cryptographic key. Both methods are described below. These guides assume you have created a developer account, are part of an organization and have created an app. Instructions for getting started can be found here.Generate Consent URLs from your Criteo App Page
Once you have logged in to the Criteo Partners Portal, navigate to your App page by clicking your app’s card in the My apps section.Generate Consent URLs Programmatically
In order to generate consent URLs on the fly, you will need a public and private keypair for signing your URLs. To obtain this keypair, you will need to register a callback URL to receive confirmations. The callback process is described in full in a later section. Once you have logged in to the Criteo Partners Portal, navigate to your App page by clicking your app’s card in the My apps section..txt file with your public and private keypair.
Once you have your signing keypair, you will be able to programmatically generate a consent URL.
Doing so requires that you use a HMAC-SHA512 hashing algorithm to generate a signature.
The consent URL will have the following structure and parameters:
The final parameter, the
signature, should be the HMAC-SHA512 hashed value of the following string, using the same key, timestamp, state and redirect-uri values as your URL:
Consent Delegation Callback
Once the user has completed the Consent Delegation flow, an HTTP callback will be sent to the URL associated with the signing keypair you used. ThePOST body will include a Type field, which will indicate either a successful ( value of ConsentGranted) or unsuccessful (value of ConsentDenied) consent request.
For a ConsentDenied callback, AcceptedScopes will be an empty array.
Key, Timestamp, and State values provided in the original consent URL.
Please note that for MarketingSolutions apps, the entities that have been shared will be in the “Advertisers” field of the callback body, but for RetailMedia apps, those entities will be in an “Accounts” field.
The callback request will also include an HTTP header named x-criteo-hmac-sha512 . Its value will be the HMAC-SHA512 hash of the callback request body, using the same signing secret value as your app.
In this way, you can use your app’s signing secret to validate the integrity and authenticity of the callback.
User Redirection
Once the user has completed the Consent Delegation flow, thePOST request to the callback URL and the user’s redirection to the redirect URI are executed in sequence. The user will not be redirected until the callback attempt has resolved.
If the call to the callback URL fails on its first attempt, the POST will be retried up to two more times before the user is redirected to the redirect URL.
Following three failed attempts, the user will be redirected to the redirect URL and Criteo will log the callback error.