Prebid Server User ID Sync


Many bidders track their bidder-specific user IDs through cookies. Since bidders will generally serve ads from a different domain than where Prebid Server is hosted, those cookies must be consolidated under the Prebid Server domain so that they can be sent to each demand source as part of auction calls.

How it Works

Prebid Server stores bidder IDs in the uids cookie in the host domain. For example:


Here’s how these IDs get placed in the cookie from Prebid.js:

Prebid Server Cookie Sync

  1. When the s2sConfig is set, Prebid.js initiates a call to the Prebid Server /cookie_sync, letting it know which server-side bidders will be participating in the header bidding auction.

    {"bidders":["bidderA","bidderB"], "gdpr":1, "gdpr_consent":"...", "us_privacy": "..."}
  1. If privacy regulations allow, Prebid Server will look at the uids cookie in the host domain and determine whether any bidders are missing or need to be refreshed. It responds with an array of pixel syncs. e.g.
  1. When it receives the response, Prebid.js loops through each element of bidder_status[], creating a pixel for each bidder_status[].usersync.url.
  1. The bidder-specific endpoints read the users’ cookie for the bidder’s domain and respond with a redirect back to Prebid Server’s /setuid endpoint . This allows that endpoint to read the 3rd party cookie and reflect it back to Prebid Server. Note that if this user doesn’t yet have an ID in that 3rd party domain, the sync endpoint is expected to create one.
  1. When the browser receives this redirect, it contacts Prebid Server, which will once again check the privacy settings and if allowed, update the uids cookie.

Cooperative Syncing

Prebid Server supports a ‘Cooperative Syncing’ mode where all enabled bidders may be returned in a sync request even if they aren’t on this particular page. This allows bidders to get their IDs in place for the next page where they are utilized.

Cooperative sync defaults can be configured at the host and account level. See the docs for PBS-Java and PBS-Go.

This is how to control the coop syncing behavior from Prebid.js:

      s2sConfig: {
        coopSync: true,
        userSyncLimit: 5

Manually initiating a sync

Where Prebid.js isn’t present, like on AMP pages, the call to /cookie_sync doesn’t happen automatically. If there are scenarios where Prebid.js isn’t around to initiate the /cookie_sync call, publishers can choose to put an iframe on their page.

This approach works in a way quite similar to Prebid.js except that the /cookie_sync endpoint is initiated by a separate script that’s part of `load-cookie.html’. This file must be placed on a CDN by the publisher’s Prebid Server host company. Up until July 2024, the script existed in the Prebid Universal Creative repository, but has since been moved to the user-sync repo.

  1. The Prebid Server hosting company places the load-cookie.html file onto a CDN.

    See the AMP implementation guide for more information.

  2. The publisher places a ‘load-cookie’ iframe into the page:

For AMP pages:

    <amp-iframe width="1" title="User Sync"
      sandbox="allow-scripts allow-same-origin"
      <amp-img layout="fill" src="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" placeholder></amp-img>

On regular web pages:



  • HOST is the location where load-cookie.html is stored
  • PBSHOST is the (encoded) main URL for your Prebid Server, e.g.
  1. At runtime, the load-cookie script calls the Prebid Server /cookie_sync endpoint. The rest works similar to what’s described for Prebid.js above. One difference is that the bidders must be manually added to the call. Another difference is that AMP doesn’t support iframe syncs, so load-cookie passes instructions to PBS so only pixel syncs are returned.

Here are all the arguments supported:

Parameter Scope Type Description Example
endpoint recommended string A URL-encoded pointer to Prebid Server
max_sync_count optional integer How many syncs are allowed 5
bidders optional(*) string Which bidders are in the page. Required if coop-sync is not on for Prebid Server. This is a URL-encoded comma-separate list of bidder codes. bidderA%2CbidderB
source optional(*) string Recommended for AMP. If set to ‘amp’ will attempt to retrieve consent information, and force the response to be pixels only. amp
gdpr optional integer 1 if the request is in GDPR-scope, 0 if not. 0
gdpr_consent optional string TCF consent string  
defaultGdprScope optional integer if set to 1 (the default), consider GDPR to be in scope when consent information cannot be retrieved from AMP. Has no effect when source is not “amp”. 0
gpp_sid optional string GPP Section ID(s). Number in string form or comma-separated list of numbers 6,7
gpp optional string Global Privacy Platform string  
timeout optional integer Timeout (in milliseconds) to wait for consent data from AMP. Defaults to 10000. Has no effect when source is not “amp”. 500
args optional string Passed through to the /cookie_sync call query string. Used by some host companies.  

Note that enabling or disabling Cooperative Sync is not currently supported in load-cookie. Please make sure the account default is set up appropriately in PBS config.

Note: if your PBS host company is using a version of load-cookie.html older than July of 2024 and if your AMP page is using a CMP, you should consider using load-cookie-with-consent.html instead. It’s the same functionality, but older versions of load-cookie.html cannot read from CMPs.

Bidder Instructions for Building a Sync Endpoint

Building a sync endpoint is optional – e.g. there is no benefit from ID syncing for mobile-only bidders. For browser-based bidding, ID syncing can help improve buyer bid rate. There are two main options a bidder can choose to support:

  • redirect: the client will drop an IMG tag into the page, then call the bidder’s URL which needs to redirect to the Prebid Server /setuid endpoint.
  • iframe: the client will drop an IFRAME tag into the page, then call the bidder’s URL which responds with HTML and Javascript that calls the Prebid Server /setuid endpoint at some point.

Bidders must implement an endpoint under their domain which accepts an encoded URI for redirects. This URL should be able to accept privacy parameters:

  • gdpr: if 0, declares this request isn’t in GDPR scope. If 1, declares it is in scope. Otherwise indeterminate.
  • gdpr_consent: the TCF1 or TCF2 consent string. This is unpadded base64-URL encoded.
  • us_privacy: the IAB US Privacy string

The specific attributes can differ for your endpoint. For instance, you could choose to receive gdprConsent rather than gdpr_consent.

Here’s an example that shows the privacy macros as configured in PBS-Go:

    userMacro: YOURMACRO

PBS-Java uses slightly different macros in the bidder config:

      uid-macro: YOURMACRO

In either case, the {{…}} macros are resolved by PBS.

The “YOURMACRO” string here needs to be whatever your sync endpoint will recognize and resolve to the user’s ID from your domain. Some examples of macros that bidders use: $UID, ${UID}, \(visitor_cookie\), ${DI_USER_ID}, etc. Every bidder has their own value here.

Here’s how this all comes together:

  1. Prebid.js calls Prebid Server’s cookie_sync endpoint
  2. PBS responds with an array of user sync URLs, which may include your bidder’s sync url
  3. Prebid.js drops an img or iframe into the page, causing the browser to connect to the your usersync endpoint.
  4. Your usersync endpoint will return with either a redirect to Prebid Server’s /setuid endpoint or iframe HTML that eventually calls Prebid Server’s /setuid endpoint.
  5. Prebid Server then saves this ID mapping of mybidder: 132 under the cookie at

Then the next time the client then calls, the ID for mybidder will be available in the Cookie. Prebid Server will then stick this value into request.user.buyeruid in the OpenRTB request it sends to mybidder’s bid adapter.

Further Reading