
Validate Referrals

Referral Traffic Validation

Rokt provides a mechanism for advertisers to validate the authenticity of referral traffic delivered through its platform.

The current implementation uses a JSON Web Token (JWT) signed with the ECDSA-256 algorithm. The public keys required for verification can be retrieved from the following endpoints:

Default domain: https://public-api.rokt.com/.well-known/jwks.json

Custom domains: https://[custom-domain]/.well-known/jwks.json

We recommend downloading and caching these public keys for verification. The suggested cache duration is one week. In the event of a key rotation, Rokt will proactively contact you with guidance to ensure a smooth transition.

Update your campaign traffic URL to support signed token passthrough

To generate the unique signed token please ensure that the destination URL of your creative includes the following as a URL parameter: jwt={rokt.jwt|}. Read more about building creatives.

In the Destination URL, you will need to add & or ? before jwt={rokt.jwt|}, depending on the original traffic link.

If the original traffic link contains a ?, add an & before the jwt parameter.

Example: www.landingpage.com/?hello=world&jwt={rokt.jwt|}

If the original traffic link does not contain a ?, add a ? before the jwt parameter.

Example: www.landingpage.com/?jwt={rokt.jwt|}

Using JWT in Campaign Traffic URLs

When specifying a campaign traffic URL, you can include the rokt.jwt macro. At runtime, Rokt will replace this macro with a digitally signed JWT. By validating this token with the public key, you can extract the following claims:

  • cid – Campaign ID
  • crid – Creative ID
  • rclid – Rokt Click ID. Read more about Rokt Click ID
  • iat – Issued-at timestamp
  • exp – Expiration timestamp (set to 1 hour from issuance)

These fields allow advertisers to securely identify and attribute campaign traffic with confidence.

Note: Token expiration validation is optional and can be configured by advertisers based on their security requirements. Some advertisers may choose to validate expiration times strictly, while others may implement more flexible validation policies.
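The validation described above, as an added example that is not Rokt's own sample code: it pins the algorithm to ES256, selects the key by kid from a cached JWKS object, verifies the signature, and only then reads the claims. The names verifyReferralJwt and makeFixture, the kid test-key-1 and the claim values are assumptions made for illustration, and a locally generated key pair stands in for the keys served at the JWKS endpoint so the code runs offline.

```javascript
// Added example: ES256 referral-token check using only Node's built-in crypto.
const crypto = require('node:crypto');

const decodeJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// jwks: parsed, cached contents of /.well-known/jwks.json ({ keys: [...] }).
// checkExp: expiry validation is optional per the page; strict by default here.
function verifyReferralJwt(token, jwks, { checkExp = true, now = Date.now() / 1000 } = {}) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = decodeJson(h);
  // Pin the algorithm; never let the token header pick it ("none", HS256, ...).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC' && k.crv === 'P-256');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  // JWS ES256 signatures are raw r||s (IEEE P1363, 64 bytes), not DER.
  const sig = Buffer.from(s, 'base64url');
  const ok = sig.length === 64 &&
    crypto.verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  const claims = decodeJson(p); // read claims only after the signature checks out
  if (checkExp && !(typeof claims.exp === 'number' && now < claims.exp)) throw new Error('expired');
  return claims; // cid, crid, rclid, iat, exp
}

// Constructed fixture: a locally generated P-256 key stands in for Rokt's key,
// and 'test-key-1' is a made-up kid.
function makeFixture() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'test-key-1' }] };
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const sign = (claims, header = { alg: 'ES256', kid: 'test-key-1', typ: 'JWT' }) => {
    const input = `${enc(header)}.${enc(claims)}`;
    const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
    return `${input}.${sig.toString('base64url')}`;
  };
  return { jwks, sign };
}

// Constructed claims; the landing page would read the token from ?jwt=...
const fx = makeFixture();
const token = fx.sign({ cid: '1001', crid: '2002', rclid: 'abc123', iat: 1000, exp: 4600 });
console.log(verifyReferralJwt(token, fx.jwks, { now: 2000 }));
```

In production the jwks argument is the cached response from the JWKS endpoint, and a thrown error means the click should not be attributed to the campaign.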

Test Token

For testing the examples below, you can use this sample JWT token:

eyJhbGciOiJFUzI1NiIsImtpZCI6InJva3Qtc2lnbmluZy1rZXkiLCJ0eXAiOiJKV1QifQ.eyJjaWQiOiIzNDM2MDg1MzY4NjkyNDA4MzI0IiwiY3JpZCI6IjM0Mzc3MzI3NTQ5MzU5MDYzMDgiLCJyY2xpZCI6IjdkYjk1OGRiZDIzMjI0N2E0YTgyODVhMzRkMjJmZTBmNGU5YWZmYTQ2M2JmNWVlNTRlMjY3MjFhYjBkZjBlMjMiLCJuYmYiOjE3NTU2NjY2MDEsImV4cCI6MTc1NTY3MDIwMSwiaWF0IjoxNzU1NjY2NjAxfQ.D2_5RnmIgWucUx-7JG5b-Av9PM0V59w6Pmumqv0_zHgkD1136dPhKSMv2i-fP4Z0maANJcAwY6jSTXzp6Gc7gA

Note: This token is for testing purposes only and has an expiration time. Copy this token to use with the examples below.

Examples

Please see the list of example code below:

  • Java Example - JWT validation using Java with JJWT library
  • Python Example - JWT validation using Python with PyJWT and cryptography
  • Node.js Example - JWT validation using Node.js with jose library
  • Go Example - JWT validation using Go with golang-jwt
  • C# Example - JWT validation using C# with Microsoft.IdentityModel