Support Home > Reference Information > Click Validation

Click Validation

An additional layer of security is provided called Click Validation. When applied to clicks, Click Validation allows Kochava to drop clicks that do not meet mutually established criteria, stopping fraudulent clicks.

Why Enable Click Validation

In an effort to create a fraudulent click, a third party obtains a valid click payload and modifies certain values within the payload such as the IDFA or UTM values. Once the payload has been modified, the third party will send the falsified payload in hopes of gaining credit for the click. With Click Validation enabled, Kochava can recognize and drop the falsified payload(s).

How Click Validation Works

Click Validation is calculated based on a combination of certain values within the payload. The resulting Click Validation is appended within the payload and sent to Kochava. Once received, Kochava’s servers can recreate the hash using the same inputs to verify that the supplied parameter matches and therefore validate the Click Validation value, as well as the specific values of the payload used to create the value. If any of the specific values in the payload have been altered or missing, the values will not match, the payload will be flagged as fraudulent and dropped prior to processing for attribution.

Initial Setup

  1. Determine which parameters will be used within the Click Validation calculation.

    WARNING: Ensure that the parameters used to calculate the payload value are always passed with the click URI. If a parameter is selected that is not passed with the URI, the associated click will be flagged as fraudulent and dropped.

    Ensure that all parameters included in the hash are fully URI encoded to remove special characters prior to hashing.

    BEST PRACTICE: Every parameter used should only be used at most 1 time. Any duplicate parameters will cause the click to fail.


    NOTE: It is required that all macros on the click are properly filled out, or if the macro cannot be replaced send “null”.


    1. Required Parameters:
      • expires
      • signature

      NOTE: The expires time needs to be further in the future then the click. While the expires time can be a static value, Kochava recommends that networks take the current unixtime and add one minute to that unixtime at the time of click.

    2. Suggested Parameters:
      • site_id
      • creative_id
      • device_id
      • NOTE: Kochava recommends that at least 3 parameters be used within the calculation. More parameters are recommended, but not required.

  3. All chosen click parameters along with the URI (i.e. /v1/cpi/click?) should be hashed and normalized and put into a new signature parameter. Any parameters following the signature parameter will not be included in the hash.
  4. Contact Kochava to request the following:
    • Private-key

Hashing Method

The URI and all parameters should be hashed using HMAC-SHA256 hashing:


NOTE: When hashing the click, confirm the order before and after hashing are consistent.



That string should be hashed with a secret key using HMAC-SHA256 hashing. The hash should then be base64 encoded and special characters in the encoded string should be “normalized” (e.g., “+” should be replaced with “-”, “/” replaced with “_”, and “=” replaced with a blank/empty string.)



Given the URI:

  1. Append an expires parameter (Kochava suggests current timestamp + one minute)
    Result – /v1/cpi/click?campaign_id=koconversionsdemo174ea19bc63928cdfaae33f79d77&network_id=2820&site_id=test-site-id&creative_id=test-creative-id&device_id=TEST-ADID-VALUE&device_id_type=adid&expires=12345
  2. Hash the above result with the secret key provided by Kochava using HMAC-SHA256 hashing.
    Result (using “secret” as the secret key) – BMJegs9IlnaegEpgtpqxvnOPKlTFXWZJn6lc7cXcH6w
  3. Append a signature parameter as such: &signature=BMJegs9IlnaegEpgtpqxvnOPKlTFXWZJn6lc7cXcH6w
  4. Base 64 encode the resulting URI, including the signature and replace special characters + / = with – _ {empty} respectively.
    Result – /v1/cpi/click?campaign_id=koconversionsdemo174ea19bc63928cdfaae33f79d77&network_id=2820&site_id=test-site-id&creative_id=test-creative-id&device_id=TEST-ADID-VALUE&device_id_type=adid&expires=12345&signature=BMJegs9IlnaegEpgtpqxvnOPKlTFXWZJn6lc7cXcH6w


Hash Method


Example Click URI:

NOTE: If an expiration timestamp is provided within the Click URI. Any clicks received after the designated timestamp expires will be invalid.

Private Key

    WARNING: To ensure that the private key remains secure, the private key should not be present within client-side code. The hash must be generated server-side.


  1. Determine who the recipient will be and provide an email address to Kochava.

    WARNING: If at any point the private-key is compromised, alert Kochava immediately and a new private-key will be issued.

Click Validation Integrated Networks

AdColony Display
Adcolony Performance Media
Curate Mobile
Curate Mobile v2
Mocolo Ads
Creative Clicks
All InMobi Templates
The Trade Desk
Criteo New
Miaden Marketing Pte Ltd


Last Modified: Jul 20, 2023 at 7:30 am