- Tags overview
- Getting started
- UI guides
- Publishing
- Client-side information
- Event forwarding
- Administration
- Extensions
- Overview
- Tag extensions (client-side)
- Overview
- Accessible Site Speed Metrics
- Activity Map Customizer
- Action Page Refresh
- Adform Website Tracking
- Adobe Advertising Cloud
- Adobe Analytics
- Adobe Analytics & Adobe Target
- Adobe Analytics & Microsoft Dynamics
- Adobe Analytics & Salesforce
- Adobe Analytics Product String
- Adobe Analytics Product String Builder
- Adobe Analytics via Adobe Experience Platform Web SDK
- Adobe Audience Manager
- Adobe Client Data Layer
- Adobe ContextHub
- Adobe Experience Manager Forms
- Adobe Experience Cloud ID Service
- Adobe Experience Platform Demo
- Adobe Experience Platform Web SDK
- Adobe Experience Manager Asset Insights
- Adobe Fonts
- Adobe Media Analytics for Audio and Video
- Adobe Media Analytics (3.x SDK)
- Adobe Privacy
- Adobe Report Suite Selector
- Adobe Target
- Adobe Target v2
- Adobe Target Toolkit
- Advertising Cloud
- AEM Asset Insights
- Airbrake JS Notifier
- Amplitude
- Apollo QAX
- Awin Advertiser MasterTag
- Awin Conversion Tag
- Beemray Human Context
- Bing Ads Universal Event Tracking
- Branch
- BrightCove video tracking
- CallTrackingMetrics
- Channel Source Identifier
- Cheetah Experiences
- Clicktale
- Common Analytics Plugins
- Common Web SDK Plugins
- Concat
- ContentSquare
- Cookie Consent Management by Usercentrics CMP v2
- Core
- Custom Debug Logger
- Customer Recognition
- Data Element Assistant (DEA)
- Data Layer Manager
- Decibel
- Demandbase
- Differential Privacy
- Dynamic Media Viewers
- EDDL Helper
- Flashtalking OneTag
- ForeSee
- Gainsight PX
- Genesys Predictive Engagement
- Google Data Layer
- Google Global Site Tag (gtag)
- InMoment
- JSON Helper
- JW Player Analytics
- KickFire
- Mapping Table
- Marketo Munchkin
- Master Property Manager
- Meta Pixel
- Monita
- Nielsen Digital SDK
- OneTrust Consent Management for Cookies
- Pepperjam
- Persado Connect
- Pinterest Conversion Tracking
- Pixel Loader
- Qualtrics Website Feedback
- Quantum Metric
- Resolve Momentum
- Rokt
- SDI Survey
- SDI Toolkit
- SessionCam
- SPA View Change Event
- Storage Spanner
- TAGS by Loop Horizon
- Tealium Collect
- Tealium Data Enrichment
- TMMData Foundation Platform
- TrustArc Cookie Consent Manager
- Vimeo Playback
- Web Vitals
- XDM Composer
- Yahoo Dot
- Yext Conversion Tracking
- Youtube Playback
- YouTube video tracking
- Event forwarding extensions (server-side)
- Overview
- Adobe Experience Platform Cloud Connector
- AWS
- Braze
- Cloud Connector for Google Analytics
- Core
- Epsilon Event API
- Google Ads Enhanced Conversions
- Mailchimp Edge
- Meta Conversions API
- Microsoft Azure
- Mixpanel
- Pega Customer Decision Hub
- Snap Conversions API
- Splunk
- Zendesk Events API
- Extension development
- Reactor API
- FAQ
- Terminology updates
- Deprecating support for Internet Explorer 10 and 11
- Release notes
Configuring secrets in event forwarding
In event forwarding, a secret is a resource that represents an authentication credential for another system, allowing for the secure exchange of data. Secrets can only be created within event forwarding properties.
There are currently three supported secret types:
| Secret type | Description |
|---|---|
| Token | A single string of characters representing an authentication token value that is known and understood by both systems. |
| HTTP | Contains two string attributes for a username and password, respectively. |
| OAuth 2 | Contains several attributes to support the client credentials grant type for the OAuth 2.0 authentication spec. The system asks you for the required information, then handles the renewal of these tokens for you on a specified interval. |
| Google OAuth 2 | Contains several attributes to support the OAuth 2.0 authentication spec for use in the Google Ads API and Pub/Sub API. The system asks you for the required information, then handles the renewal of these tokens for you on a specified interval. |
This guide provides a high-level overview of how to configure secrets for an event forwarding (Edge) property in the Experience Platform UI or Data Collection UI.
For detailed guidance on how to manage secrets in the Reactor API, including example JSON of a secret’s structure, refer to the secrets API guide.
Prerequisites
This guide assumes that you are already familiar with how to manage resources for tags and event forwarding in the UI, including how to create a data element and an event forwarding rule. See the guide on managing resources if you require an introduction.
You should also have a working understanding of the publishing flow for tags and event forwarding, including how to add resources to a library and install a build onto your website for testing. See the publishing overview for more details.
Create a secret
To create a secret, select Event Forwarding in the left navigation, then open the event forwarding property you want to add the secret under. Next, select Secrets in the left navigation, followed by Create New Secret.
The next screen allows you to configure the details of the secret. In order for a secret to be usable by event forwarding, it must be assigned to an existing environment. If you do not have any environments created for your event forwarding property, see the guide on environments for guidance on how to configure them before continuing.
If you still want to create and save the secret before adding it to an environment, disable the Attach Secret to Environments toggle before filling in the rest of the information. Note that you will have to assign it to an environment later if you want to use the secret.
Under Target Environment, use the dropdown menu to select the environment you want to assign the secret to. Under Secret Name, provide a name for the secret in the context of the environment. This name must be unique across all secrets under the event forwarding property.
A secret can only be assigned to one environment at a time, but you can assign the same credentials to multiple secrets across different environments if you wish. Select Add Environment to add another row to the list.
For each environment you add, you must provide another unique name for the associated secret. If you exhaust all available environments, the Add Environment button will be unavailable.
From here, the steps to create the secret differ depending on the type of secret you are creating. Refer to the subsections below for details:
Token
To create a token secret, select Token from the Type dropdown. In the Token field that appears, provide the credential string that is recognized by the system you are authenticating to. Select Create Secret to save the secret.
HTTP
To create an HTTP secret, select Simple HTTP from the Type dropdown. In the fields that appear below, provide a username and password for the credential before selecting Create Secret to save the secret.
Upon being saved, the credential is encoded using the “Basic” HTTP authentication scheme.
OAuth 2
To create an OAuth 2 secret, select OAuth 2 from the Type dropdown. In the fields that appear below, provide your Client ID and Client Secret, as well as your Token URL for your OAuth integration. The Token URL field in the UI is a concatenation between the authorization server host and the token path.
Under Credential Options, you can provide other credential options such as scope and audience in the form of key-value pairs. To add more key-value pairs, select Add another.
Finally, you can configure the Refresh Offset value for the secret. This represents the number of seconds before the token expiry that the system will perform an automatic refresh. The equivalent time in hours and minutes is displayed to the right of the field and updates automatically as you type.
For example, if the refresh offset is set to the default value of 14400 (four hours) and the access token has an expires_in value of 86400 (24 hours), the system will automatically refresh the secret in 20 hours.
An OAuth secret requires at least four hours between refreshes and must also be valid for a minimum of eight hours. This restriction gives you a minimum of four hours to intervene if problems arise with the generated token.
For example, if the offset is set to 28800 (eight hours) and the access token has an expires_in of 36000 (ten hours), the exchange would fail due to the resulting difference being less than four hours.
When finished, select Create Secret to save the secret.
Google OAuth 2
To create a Google OAuth 2 secret, select Google OAuth 2 from the Type dropdown. Under Scopes, select the Google APIs that you want to use this secret to grant access to. The following products are currently supported:
When finished, select Create Secret.
A popover appears informing you that the secret needs to be manually authorized through Google. Select Create & Authorize to continue.
A dialog appears that allows you to enter the credentials for your Google account. Follow the prompts to grant event forwarding access to your data under the selected scope. Once the authorization process is complete, the secret is created.
If your organization has a re-authentication policy set for Google Cloud applications, the created secrets will not be refreshed successfully after the authentication expires (between 1 and 24 hours depending on the policy configuration).
To resolve this issue, sign in to the Google Admin console and navigate to the App access control page so you can mark the event forwarding app (Adobe Real-Time CDP Event Forwarding) as Trusted. Refer to the Google documentation on setting session lengths for Google Cloud services for more information.
Edit a secret
After you have created secrets for a property, you can find them listed in the Secrets workspace. To edit the details of an existing secret, select its name from the list.
The next screen allows you to change the name and credentials for the secret.
If the secret is associated with an existing environment, you cannot reassign the secret to another environment. If you wish to use the same credentials on a different environment, you must create a new secret instead. The only way to reassign the environment from this screen is if you never assigned the secret to an environment beforehand or if you deleted the environment that the secret was attached to.
Retry a secret exchange
You can retry or refresh a secret exchange from the editing screen. This process varies depending on the type of secret being edited:
| Secret type | Retry protocol |
|---|---|
| Token | Select Exchange Secret to retry the secret exchange. This control is only available when there is an environment attached to the secret. |
| HTTP | If there is no environment attached to the secret, select Exchange Secret to exchange the credential to base64. If an environment is attached, select elect Exchange and Deploy Secret to exchange to base64 and deploy the secret. |
| OAuth 2 | Select Generate Token to exchange the credentials and return an access token from the authentication provider. |
Delete a secret
To delete an existing secret in the Secrets workspace, select the checkbox next to its name before selecting Delete.
Using secrets in event forwarding
In order to make use of a secret in event forwarding, you must first create a data element that references the secret itself. After saving the data element, you can include it in event forwarding rules and add those rules to a library, which in turn can be deployed to Adobe’s servers as a build.
When creating the data element, select the Core extension, then select Secret for the data element type. The right panel updates and provides dropdown controls to assign up to three secrets to the data element: one for Development, Staging, and Production respectively.
Only secrets attached to the development, staging, and production environments appear for their respective dropdowns.
By assigning multiple secrets to a single data element and including it a rule, you can have the value of the data element change depending on where the containing library is in the publishing flow.
When creating the data element, a development environment must be assigned. Secrets for the staging and production environments are not required, but builds that try to transition to those environments will fail if their secret-type data elements do not have a secret selected for the environment in question.
Next steps
This guide covered how to manage secrets in the UI. For information on how to interact with secrets using the Reactor API, see the secrets endpoint guide.
Business.Adobe.com resources
Resources
Adobe Account
