Introduction
The Criteo API allows you to build custom apps that help the world’s advertisers grow their businesses. In order for your app to function, your users will have to delegate permissions for one or more of the Criteo advertisers that they oversee. To do this, you will need to direct the user to a unique consent delegation page. The URLs for this type of page can be generated in one of two ways - manually from your Criteo App page, or programmatically using a cryptographic key. Both methods are described below. These guides assume you have created a developer account, are part of an organization and have created an app. Instructions for getting started can be found here.Generate Consent URLs from your Criteo App Page
Once you have logged in to the Criteo Partners Portal, navigate to your App page by clicking your app’s card in the My apps section.At the top of your App page, provided you have activated your app, you will see a Generate new URL button.
Clicking this button will generate a single consent URL which can be easily copied to your clipboard. The URL will have two query parameters as shown below:
Generate Consent URLs Programmatically
In order to generate consent URLs on the fly, you will need a public and private keypair for signing your URLs. To obtain this keypair, you will need to register a callback URL to receive confirmations. The callback process is described in full in a later section. Once you have logged in to the Criteo Partners Portal, navigate to your App page by clicking your app’s card in the My apps section.Scroll down to the Connector Parameters section and click Create a new connector. You will be prompted to enter a callback URL. Once registered, your callback URL can be modified at any time and the keypair associated will remain the same.
Once complete, your browser will download a
.txt file with your public and private keypair.
Once you have your signing keypair, you will be able to programmatically generate a consent URL. Doing so requires that you use a HMAC-SHA512 hashing algorithm to generate a
signature.
The consent URL will have the following structure and parameters:
Consent URL Example
Parameter | Description |
|---|---|
| Your public signing key |
| The UNIX timestamp of when your URL was generated, in seconds |
| An arbitrary string to be included in the consent callback. For example, the User ID of your app user. |
| The URL to redirect the user to after consent delegation |
| The HMAC-SHA512 hashed query string of the previous four parameters, in order |
The final parameter, the
signature, should be the HMAC-SHA512 hashed value of the following string, using the same key, timestamp, state and redirect-uri values as your URL:
Signature Example String
Code examples for generating a Consent URL can be found below:
Consent Delegation Callback
Once the user has completed the Consent Delegation flow, an HTTP callback will be sent to the URL associated with the signing keypair you used. ThePOST body will include a Type field, which will indicate either a successful ( value of ConsentGranted) or unsuccessful (value of ConsentDenied) consent request.
For a ConsentDenied callback, AcceptedScopes will be an empty array.
Example POST Consent Callback
Key, Timestamp, and State values provided in the original consent URL.
Please note that for MarketingSolutions apps, the entities that have been shared will be in the “Advertisers” field of the callback body, but for RetailMedia apps, those entities will be in an “Accounts” field.
The callback request will also include an HTTP header named x-criteo-hmac-sha512 . Its value will be the HMAC-SHA512 hash of the callback request body, using the same signing secret value as your app.
In this way, you can use your app’s signing secret to validate the integrity and authenticity of the callback.
User Redirection
Once the user has completed the Consent Delegation flow, thePOST request to the callback URL and the user’s redirection to the redirect URI are executed in sequence. The user will not be redirected until the callback attempt has resolved.
If the call to the callback URL fails on its first attempt, the POST will be retried up to two more times before the user is redirected to the redirect URL.
Following three failed attempts, the user will be redirected to the redirect URL and Criteo will log the callback error.