FLEDGE API: developer guide
Developer guide for on-device ad auctions to serve remarketing and custom audiences, without cross-site third-party tracking.
For those new to FLEDGE, read the FLEDGE overview for a high-level explanation of the proposal.
This post is written for developers as a technical reference for the most recent iteration of the experimental FLEDGE API. A demo of a basic FLEDGE deployment is available, as are API references for ad buyers and sellers.
Implementation status
- The FLEDGE proposal is now approaching launch for scaled adoption. Raise questions and follow discussion.
- FLEDGE status of pending capabilities details changes and enhancements to the FLEDGE API and features.
- Blink status
- FLEDGE Chrome platform status: Specific to the FLEDGE API on Chrome.
- Ads API Chrome platform status: A collection of APIs to facilitate advertising: FLEDGE, Topics, Fenced Frames and Attribution Reporting.
To be notified of status changes in the API, join the mailing list for developers.
What is FLEDGE?
FLEDGE is a Privacy Sandbox proposal to serve remarketing and custom audience use cases, designed so that it cannot be used by third parties to track user browsing behavior across sites. The API enables on-device auctions by the browser, to choose relevant ads for websites the user has previously visited.
FLEDGE is the first experiment to be implemented in Chromium within the TURTLEDOVE family of proposals.
Try FLEDGE
Available API reference
This document serves as an overview of the FLEDGE API. If you're looking for specific API methods and parameters:
- Buyers guide for
joinAdInterestGroup()
andgenerateBid()
. - Seller's guide for the FLEDGE
runAdAuction()
- Buyers guide to
reportWin()
and sellers guide toreportResult()
- Troubleshoot FLEDGE API
You can also read FLEDGE ad auction latency best practices.
FLEDGE demo
A walk-through of a basic FLEDGE deployment across advertiser and publisher sites is available at fledge-demo.glitch.me.
Take part in the origin trial
The Privacy Sandbox Relevance and Measurement origin trial has been made available in Chrome Beta 101.0.4951.26 and above on desktop for the FLEDGE, Topics, and Attribution Reporting APIs.
To take part, register for an origin trial token.
Once you have successfully enrolled in the trial, you can try out the FLEDGE API on pages that provide a valid trial token. For example, to ask the browser to join one or more interest groups, and then to run an ad auction to select and display an ad.
Provide a trial token for every page on which you would like to run FLEDGE API code:
- As a meta tag in the
<head>
:
<meta http-equiv="origin-trial" content="TOKEN_GOES_HERE">
- As an HTTP header:
Origin-Trial: TOKEN_GOES_HERE
- By providing a token programmatically:
const otMeta = document.createElement('meta');
otMeta.httpEquiv = 'origin-trial';
otMeta.content = 'TOKEN_GOES_HERE';
document.head.append(otMeta);
An iframe running FLEDGE code—such as a navigator.joinAdInterestGroup()
call by an interest group owner—will need to provide a token that matches its origin.
Proposed First FLEDGE Origin Trial Details provides more details about the goals of the first trial and explains what features are supported.
Not all users are eligible for the Privacy Sandbox Relevance and Measurement origin trial, even on pages that provide a valid trial token.
The Relevance and measurement unified origin trial overview explains why this is so, and shows how you can (and should) detect if an origin trial feature is available before attempting to use it.
chrome://flags
or feature flags
Test with You can test FLEDGE for a single user in Chrome Beta 101.0.4951.26 and above on desktop:
- Enable
chrome://flags/#privacy-sandbox-ads-apis
. - Set flags from the command line. The full list of available FLEDGE flags can be found in Chromium Code Search.
Render ads in iframes or fenced frames
Ads can be rendered in an <iframe>
or a <fencedframe>
, depending on which flags are set.
To use <fencedframe>
to render ads:
--enable-features=InterestGroupStorage,AdInterestGroupAPI,Fledge,FencedFrames
To use <iframe>
to render ads:
--enable-features=InterestGroupStorage,AdInterestGroupAPI,Fledge,AllowURNsInIframes --disable-features=FencedFrames
Include the BiddingAndScoringDebugReportingAPI
flag to enable temporary debug loss/win reporting methods.
This is an in-progress version of FLEDGE for early testing. It shouldn't be considered complete or indicative of the final implementation. FLEDGE progress and status are discussed in the regular WICG meetings.
The Privacy Sandbox timeline provides implementation timing for FLEDGE and other Privacy Sandbox proposals.
Supported features
FLEDGE behind feature flags in Chromium is a first experiment to test the following features of the FLEDGE proposal:
- Interest groups: stored by the browser, with associated metadata to configure ad bidding and rendering.
- On-device bidding by buyers (DSP or advertiser): based on stored interest groups and signals from the seller.
- On-device ad selection by the seller (SSP or publisher): based on auction bids and metadata from buyers.
- Ad rendering in a temporarily relaxed version of Fenced Frames: with network access and logging allowed for ad rendering.
Read more about feature support and constraints in the FLEDGE API explainer.
Interest group permissions
The default for the current implementation of FLEDGE is to allow calling joinAdInterestGroup()
from anywhere in a page, even from cross-domain iframes.
In the future, once site owners have had time to update their cross-domain iframe permissions policies, the plan is to disallow calls from cross-domain iframes.
Key/Value service
To support the FLEDGE ad auction, the browser can access a key/value service to retrieve real-time information which supports the FLEDGE ad auction. This information could be used in a number ways:
- Buyers may want to calculate the remaining budget in an ad campaign.
- Sellers may be required to check ad creatives against publisher policies.
The FLEDGE key/value service code is now available. Check out the announcement blog post for the status update.
For initial testing, a "Bring Your Own Server" model was introduced. In the long-term, ad techs will need to use the open-source FLEDGE Key/Value services running in trusted execution environments.
Refer to the FLEDGE services blog post for timeline updates. We'll provide substantial notice for developers to begin testing and adoption before this transition takes place.
Detect feature support
Before using the API, check if it's supported by the browser and available in the document:
'joinAdInterestGroup' in navigator &&
document.featurePolicy.allowsFeature('join-ad-interest-group') &&
document.featurePolicy.allowsFeature('run-ad-auction') ?
console.log('navigator.joinAdInterestGroup() is supported on this page') :
console.log('navigator.joinAdInterestGroup() is not supported on this page');
Feature support on the current page isn't a guarantee that an API is usable. The user may have disabled the API via browser settings, or they may have other settings that prevent the API from being used. In order to protect user privacy, there is no way to check for this programmatically.
How does the FLEDGE API work?
In this example, a user browses the website of a custom bike maker, then later visits a news website and is shown an ad for a new bike from the bike maker.
Not all features described in this post have been implemented (or fully implemented) in the version of the FLEDGE API currently being tested in Chrome. Test with feature flags explains what FLEDGE features are currently available for testing in Chrome run from the command line.
Features of FLEDGE will be added over time as work on implementation progresses.
1. A user visits an advertiser site
Imagine that a user visits the website of a custom bike maker (the advertiser) in this example) and spends some time on the product page for a handmade steel bike. This provides the bike maker with a remarketing opportunity.
2. The user's browser is asked to add an interest group
The advertiser's demand-side platform (DSP) (or the advertiser itself) calls navigator.joinAdInterestGroup()
to ask the browser to add an interest group to the list of groups the browser is a member of.
In this example, the group is named custom-bikes
, and the owner is dsp.example
. The interest group owner (in this case, the DSP) will be a buyer in the FLEDGE ad auction. Interest group membership is stored by the browser, on the user's device, and is not shared with the browser vendor or anyone else.
- Read the FLEDGE explainer: Browsers Record Interest Groups.
- Read the API guide: buyers and DSPs, learn how to
joinAdInterestGroup()
and generate bids.
The origin of the calling context for joinAdInterestGroup()
must match the interest group owner's origin.
joinAdInterestGroup()
must be called from an iframe owned by the interest group owner (for example, from a DSP). If the origin of the current document is the same as the interest group owner (for example, a website with its own interest groups), no iframe is needed.
Specify ads for an interest group
ads
and adComponents
objects include a URL for an ad creative and, optionally, arbitrary metadata that can be used at bidding time. For example:
{
renderUrl: 'https://cdn.example/.../bikeAd1.html',
metadata: bikeAd1metadata // optional
}
How do buyers make bids?
generateBid()
is called for each interest group that the browser is a member of—if the interest group's owner is invited to bid.
Read the generatedBid()
developer documentation.
3. The user visits a site that sells ad space
Later, the user visits a site that sells ads space, in this example a news website. The site has ad inventory, which it sells programmatically with real-time bidding.
4. A ad auction is run in the browser
The ad auction is likely to be run by the publisher's supply-side provider (SSP), or the publisher itself. The purpose of the auction is to select the most appropriate ad for a single available ad slot on the current page. The auction takes into account the interest groups the browser is a member of, along with data from ad-space buyers and the sellers from the Key/Value services.
- Read the FLEDGE explainer: Sellers Run On-Device Auctions
- Read the API guide: sellers can learn more about
runAdAuction()
and the ad auction latency best practices.
5. The seller and participating buyers request real-time data from the Key/Value service
During an ad auction, the seller can request real-time data about specific ad creatives by making a request to their Key/Value service. The seller can request this information during runAdAuction()
by the trustedScoringSignalsUrl
property, along with the keys from the renderUrl
properties of all entries in the ads
and adComponents
fields of all interest groups in the auction.
A buyer can request real-time data from their Key/Value service using the trustedBiddingSignalsUrl
and trustedBiddingSignalsKeys
properties of the interest group argument passed to navigator.joinAdInterestGroup()
.
When runAdAuction()
is called, the browser makes a request to each ad buyer's trusted server. The URL for the request might look like this:
https://kv-service.example/getvalues?hostname=publisher.example&keys=key1,key2
- The base URL comes from
trustedBiddingSignalsUrl
. - The
hostname
is provided by the browser. - The
keys
value is taken fromtrustedBiddingSignalsKeys
.
The response to this request is a JSON object providing values for each of the keys.
- Read the FLEDGE explainer: Fetching Real-Time Data from the FLEDGE Key/Value service.
- Read open sourcing the FLEDGE Key/Value service.
While in the initial experimental phase of testing FLEDGE, trustedBiddingSignalsUrl
must have the same origin as the interest group owner. Learn more in Bring Your Own Server.
6. The winning ad is displayed
The promise returned by runAdAuction()
resolves to a Uniform Resource Identifier (URN). This URN is embedded on the site in a fenced frame and renders the winning ad.
- Read the FLEDGE explainer: browsers render the winning ad
7. The auction result is reported
The long-term plan is to allow the browser to report auction results for the seller and buyers using the Private Aggregation API APIs.
As a temporary event-level reporting mechanism, the code implementing reportResult()
for the seller, and reportWin()
for the winning bidder, can call the sendReportTo()
function. This takes a single argument: a string representing a URL that is fetched after the auction completes, which encodes event-level information to be reported.
- Read the API guide: learn about seller and buyer reporting
8. An ad click is reported
A click on an ad rendered in a fenced frame is reported. To learn more about how this might work, see Fenced Frames Ads Reporting.
What is the difference between FLEDGE and TURTLEDOVE?
What is the difference between FLEDGE and TURTLEDOVE?
FLEDGE is the first experiment to be implemented in Chromium within the TURTLEDOVE family of proposals.
FLEDGE follows TURTLEDOVE's high-level principles. Some online advertising has been based on showing an ad to a potentially-interested person who has previously interacted with the advertiser or ad network. Historically this has worked by the advertiser recognizing a specific person as they browse across web sites, a core privacy concern with today's web.
The TURTLEDOVE effort is about offering a new API to address this use case while offering some key privacy advances:
- The browser, not the advertiser, holds the information about what the advertiser thinks a person is interested in.
- Advertisers can serve ads based on an interest, but cannot combine that interest with other information about a person—in particular, who they are or what page they are visiting.
FLEDGE grew out of TURTLEDOVE and a collection of related proposals for modifications to better served the developers who would be using the API:
- In SPARROW: Criteo proposed the addition of a ("Gatekeeper") service model running in a trusted execution environment (TEE). FLEDGE includes a more limited use of TEEs, for real-time data lookup and aggregated reporting.
- NextRoll's TERN and Magnite's PARRROT proposals described the different roles that buyers and sellers had in the on-device auction. FLEDGE's ad bidding/scoring flow is based on this work.
- RTB House's Outcome-based and Product-level TURTLEDOVE modifications improved the anonymity model and personalization capabilities of the on-device auction
- PARAKEET is Microsoft's proposal for a TURTLEDOVE-like ad service that relies on a proxy server running in a TEE between the browser and the ad tech providers, to anonymize ad requests and enforce privacy properties. FLEDGE has not adopted this proxying model. We are bringing the JavaScript APIs for PARAKEET and FLEDGE into alignment, in support of future work to further combine the best features of both proposals.
FLEDGE does not yet prevent a website's ad network from learning which ads a person sees. We expect to modify the API to become more private over time.
Can the Topics API be used with the FLEDGE API?
Yes. An observed topic for the current user, provided by the [Topics API](/docs/privacy-sandbox/topics/), could be used as contextual information by a seller or bidder. A topic could be included in the following properties:Can the Topics API be used with the FLEDGE API?
auctionSignals
, a property of the auction configuration object passed tonavigator.runAdAuction()
userBiddingSignals
, a property of the interest group configuration object passed tonavigator.joinAdInterestGroup()
Available browser configuration
Available browser configuration
Users can adjust their participation for Privacy Sandbox trials in Chrome by enabling or disabling the top-level setting in chrome://settings/privacySandbox
.
During initial testing, people will be able to use this high-level Privacy Sandbox setting to opt-out of FLEDGE. Chrome plans to allow users to see and manage the list of interest groups that they have been added to across the web sites they have visited. As with the Privacy Sandbox technologies themselves, user settings may evolve with feedback from users, regulators and others.
We'll continue to update the available settings in Chrome as the FLEDGE proposal progresses, based on tests and feedback. In the future, we plan to offer more granular settings to manage FLEDGE and associated data.
API callers can't access group membership when users browse in Incognito mode, and membership is removed when users clear their site data.
Engage and share feedback
Get support
To ask a questions and get support with your implementation, the demo, or the documentation:
- GitHub: Read the proposal, raise questions, and follow discussion.
- Demo: Raise an issue on the demo code repository.
- Developer support: Ask questions and join discussions on the Privacy Sandbox Developer Support repo. Select the issue template for FLEDGE.
- Chrome implementation: for bugs or issues with Chrome's implementation of the FLEDGE API, you can view existing issues or raise a new issue.
For more general questions about meeting your needs with FLEDGE, file an issue on the proposal repository. You can also discuss industry use cases in the W3C's Improving Web Advertising Business Group.
Use the Privacy Sandbox feedback form to share feedback privately with the Chrome team outside of public forums.
Opt-out
Want to opt-out of FLEDGE? Learn how to block access to the FLEDGE API, as a site owner or an individual user.
Get updates
- For notifications of API status changes, join the mailing list for developers.
- To closely follow all ongoing discussions on the API, click the Watch button on the proposal page on GitHub. This requires you have or create a GitHub account.
- To get overall updates on the Privacy Sandbox, subscribe to the RSS feed Progress in the Privacy Sandbox.
- Join the scheduled calls for FLEDGE (every second week). Everyone is welcome to join—to participate, first make sure to join the WICG. You can actively participate or just listen in!