An Account represents a billing relationship between a buyer and a seller in AdCP. Sales agents use accounts to determine pricing (rate cards), billing entities, and to enforce data isolation between different buyers.

Authentication

All requests must be authenticated using a bearer token in the standard Authorization header:
Authorization: Bearer <your_token>
The server validates this token and identifies the agent making the request. The agent may have access to one or more accounts. See Authentication for details on obtaining credentials and authentication methods.

Agents and Accounts

AdCP distinguishes between:
  • Agent: The authenticated entity making API calls (e.g., "pinnacle_trading_desk")
  • Account: The billing relationship for a media buy (e.g., "acme_c/o_pinnacle")
An agent may operate on multiple accounts. For example, an agency trading desk might manage accounts for multiple advertisers and their own house account. See Accounts and Agents for details.

Data Isolation

Authentication provides the foundation for strict data isolation. Sales agents MUST enforce the following rules:
  1. When an object like a MediaBuy is created, it MUST be permanently associated with the account used for that request.
  2. For any subsequent request to read or modify that object, the server MUST verify that the agent has access to that account.
  3. If the agent does not have access, the server MUST return a permission denied error.
This model ensures that one account’s data cannot be accessed by agents who lack authorization. Passing an account_id for an account you don’t have access to will result in an error.
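The three isolation rules above, sketched as an added example (this is not AdCP reference code). The token table, the function names, and the exception classes are hypothetical; the agent and account names reuse the examples from this page, and the sample data is constructed.

```python
import hashlib
import logging

log = logging.getLogger("adcp.auth")

class PermissionDenied(Exception):
    """The agent lacks access to the account that owns the object."""

class AuthenticationFailed(Exception):
    """The bearer token is missing, malformed, or unknown."""

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample data: token digest -> agent, and agent -> accounts.
TOKENS = {_digest("tok-pinnacle"): "pinnacle_trading_desk",
          _digest("tok-other"): "other_agent"}
AGENT_ACCOUNTS = {"pinnacle_trading_desk": {"acme_c/o_pinnacle", "pinnacle_house"},
                  "other_agent": {"other_account"}}
MEDIA_BUYS = {}  # media_buy_id -> {"account_id": ..., "name": ...}

def authenticate(authorization_header):
    """Validate 'Bearer <token>' on every request and return the agent id."""
    scheme, _, token = (authorization_header or "").partition(" ")
    agent = TOKENS.get(_digest(token.strip())) if scheme.lower() == "bearer" else None
    if agent is None:
        log.warning("authentication failure")  # never log the token itself
        raise AuthenticationFailed("invalid bearer token")
    return agent

def require_account(agent, account_id):
    if account_id not in AGENT_ACCOUNTS.get(agent, set()):
        raise PermissionDenied(f"agent {agent!r} has no access to this account")

def create_media_buy(authorization_header, account_id, buy_id, name):
    agent = authenticate(authorization_header)
    require_account(agent, account_id)
    # Rule 1: the owning account is fixed at creation and never reassigned.
    MEDIA_BUYS[buy_id] = {"account_id": account_id, "name": name}
    return buy_id

def get_media_buy(authorization_header, buy_id):
    agent = authenticate(authorization_header)
    buy = MEDIA_BUYS[buy_id]  # KeyError for unknown ids in this example
    # Rules 2 and 3: check the stored account, not one supplied by the caller.
    require_account(agent, buy["account_id"])
    return buy
```

The read path authorizes against the account stored with the object, so a caller cannot reach another account's media buy by naming an account it does have access to.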

Security Requirements

Required Security Measures

Sales agent implementations MUST:
  • Validate bearer tokens on every authenticated request
  • Enforce account-based data isolation
  • Use TLS for all communications
  • Log authentication failures for security monitoring
Sales agent implementations SHOULD:
  • Implement rate limiting per agent and account
  • Support token expiration and refresh
  • Provide audit logging for compliance
  • Support IP allowlisting for high-security accounts