We read your public ads.txt and sellers.json, and load your homepage once in a headless browser to check the CMP + identity setup. The page render runs from the EU and can take ~10–30s. Nothing is stored.

FAQ

Frequently asked questions

What does this audit check?

Three things in one scan: who is authorized to sell your inventory (from your ads.txt and each ad system's sellers.json), whether your homepage has a working consent platform (CMP vendor, IAB TCF v2.2 / GPP / US Privacy signals, and Accept / Decline / Customize buttons), and which identity providers (ID5, Criteo, UID2, LiveRamp, SharedID…) actually fire — confirmed via Prebid where present.

Does the consent check tell me if I'm GDPR compliant?

No. It detects what's technically on the page — a CMP, the consent frameworks, and the consent buttons — not whether your consent is legally valid. Dark patterns, pre-ticked vendors and scroll-to-consent are out of scope. A missing first-layer "Reject all" is a common flag worth reviewing, but only your DPO/legal can judge compliance.

Why did the identity or consent section come back empty?

A few honest reasons: the scan runs from an EU server, so consent banners that only show to non-EU visitors won't appear; some sites gate their ad stack behind consent, so no identity provider fires until you click accept (we don't click); and some sites challenge automated browsers. When we can't get a clean read we say so rather than reporting a false negative.

What's the difference between an identity provider 'loaded', 'fired' and 'resolved'?

Loaded = the provider's script is on the page. Fired = it made a network call to sync. Resolved (strongest) = Prebid actually obtained an ID from it and would put it in the bidstream. "Configured" is not the same as "live" — each finding is labelled with its evidence tier.

Should I delete resellers I don't recognize?

No — investigate first. A line in your ads.txt is permission to sell you, not proof of live demand, and a reseller is sometimes the only way a given buyer reaches you, so deleting it can lose revenue. Ask your SSP or partner who each unfamiliar seller is, and only remove confirmed stale or unauthorized ones.

Is my data stored?

No. We read your public ads.txt and sellers.json server-side and load your public homepage once in a headless browser. We return only whether things exist and what they resolve to — never consent string values, ad IDs or tokens — and store nothing.

Built by Gediminas Blažys — former Google Certified Publishing Partner and IAB Baltics founding board member, after auditing 700+ publisher ad stacks. The free assessment turns these signals into your real numbers — demand by path, per-SSP take, and the addressable revenue your consent + identity setup is winning or losing.