Skip to main content

Overview

When you enable an identifier for identity resolution, Permutive uses it to link user activity across devices, sessions, and domains into a single Permutive ID. This creates a more complete picture of each user, improving audience accuracy and reach — but it also means that any party who knows the identifier value could potentially use it to look up information associated with that user via Permutive’s public APIs. This guide explains the trade-offs involved, what data is accessible, and how to make informed decisions about which identifiers to enable for resolution.

The trade-off

Benefits of enabling resolution

Enabling an identifier for identity resolution allows Permutive to recognize the same user across multiple touchpoints. This improves:
  • Audience accuracy: Cohort membership is based on a user’s full behavioral history rather than a single session or device.
  • Cross-device reach: Users can be reached on any of their devices based on activity observed on another.
  • Measurement and insights: Analytics reflect deduplicated users rather than fragmented device-level profiles.
  • Enriched user profiles: If you import identity data via Connectivity, enabling resolution for the imported identifier allows the SDK to resolve users to profiles that have been enriched with additional linked identifiers and associated data.
The more identifiers you enable for resolution, the more connections Permutive can make, and the more complete your user profiles become.

Privacy considerations

When an identifier is enabled for resolution, it can be used via the Permutive identify endpoint to resolve a user’s Permutive ID. Once a Permutive ID is known, certain information about that user is available from Permutive’s API endpoints — the same endpoints that the Permutive SDK uses to power on-device segmentation. Identifiers that are widely known or publicly obtainable (such as email addresses) carry a higher risk than identifiers that are only available in controlled contexts (such as first-party cookie IDs that are only accessible within your own domain).

API authentication

All Permutive API endpoints require an API key. However, the endpoints used by the SDK — including the identify endpoint and the endpoints that return user data for on-device segmentation — use a public API key. This is the same key embedded in the Permutive SDK deployed on your site, which is visible to anyone who inspects the page source. This means that the API key does not act as a meaningful access barrier. The primary factor controlling exposure is whether a third party knows the value of an identifier that is enabled for resolution.
The Retrieve Identities endpoint, which returns the full list of identifiers associated with a user, requires a private API key and is not accessible via the SDK or public key. A third party cannot use identity resolution to discover a user’s other identifiers.

What data is accessible via Permutive’s APIs

If someone obtains a user’s Permutive ID, the following types of information are available from Permutive’s API endpoints. Importantly, Permutive does not expose raw event-level data (such as a list of pages visited) through these endpoints.

Cohort segmentation state

This is the data Permutive uses to evaluate cohort membership on-device. It reflects aggregated behavioral signals derived from the user’s activity on your properties — for example, the number of times a user has viewed content in a particular category over a given time window. What it contains: Aggregated counts and behavioral signals structured according to your cohort definitions (e.g., “3 sport-related pageviews in the last 30 days”). What it does not contain: Raw events, page URLs, article titles, or any directly readable record of the user’s browsing activity. How interpretable is it? The data is stored in a compact, encoded format that has no meaning on its own. For example, a cohort defined as “users with 3 or more sport-related pageviews in the last 30 days” would be represented in the state as something like: 
{"82401":{"a4f2e71d03":["p","w",67798,{"67898":3}]}}
Interpreting this requires knowledge of your specific cohort definitions, which are encoded within the SDK deployed on your site. While it is theoretically possible for a technically sophisticated actor to cross-reference the state with the SDK code, the effort required is significant and the information gained would be limited to the behavioral categories you have defined in your cohorts.

Third-party and audience import data

If you use third-party data providers (such as LiveRamp or Eyeota) or import your own audience segments, the segment IDs associated with a user are accessible via the API. What it contains: A list of segment IDs from your configured data providers. How interpretable is it? This depends on the data provider. Some providers use opaque numeric segment IDs that convey no information without access to the provider’s taxonomy. However, other providers may use human-readable segment identifiers (e.g., descriptive names like male or high-income). If your data providers use readable segment IDs, this data could reveal information about a user’s inferred demographics or interests.

Cohort memberships

The IDs of cohorts that a user belongs to (including custom cohorts, advertiser cohorts, and curation cohorts) are accessible via the API. How interpretable is it? Cohort IDs are opaque identifiers with no inherent meaning. Without access to your Permutive dashboard, there is no way to determine what any cohort ID represents. This data reveals only that a user belongs to some number of cohorts, not what those cohorts are.

Assessing risk by identifier type

Not all identifiers carry the same level of risk when enabled for resolution. Consider how accessible the identifier value is to a potential third party:
AccessibilityExamplesRisk levelGuidance
Publicly known or easily obtainedEmail addresses, hashed emails (email_sha256)HigherConsider carefully. These identifiers may be known to parties outside your organization. Evaluate whether the resolution benefits justify the exposure for your use case.
Available within a browsing contextThird-party cookie IDs, mobile advertising IDs (aaid, idfa)ModerateThese are generally accessible only to parties who can interact with the user’s device or browser in an advertising context.
Controlled, first-party onlyFirst-party cookie IDs (pxid), internal user IDs, publisher-provided IDs (ppid)LowerThese identifiers are typically only accessible within your own domain or systems, limiting the risk of external access.
Certain identifiers should never be used for identity resolution because they represent groups of users rather than individuals. Examples include IP addresses and household IDs. Permutive blocks these identifier types from being used for resolution.

Recommendations

  • Consult your privacy team before enabling any identifier for resolution, particularly identifiers that could be considered publicly available.
  • Start with lower-risk identifiers: First-party cookie IDs and internal user IDs offer strong resolution benefits with limited external exposure.
  • Review your third-party data providers: If you use audience imports, check whether your providers use human-readable segment IDs. If so, consider requesting opaque IDs or discuss with your Permutive account team.
  • Consider your threat model: The primary concern is whether the resolution benefits (improved audience accuracy and reach) outweigh the theoretical risk of someone using a known identifier to look up limited, aggregated data about a user. The data accessible via Permutive’s APIs is heavily abstracted and not directly interpretable without significant technical effort and insider knowledge.

Configuring Identifiers

Guide for adding and managing identifiers in the Identity Graph dashboard

Adding Identities via Identify

Guide for implementing the identify endpoint across platforms

Identity Concepts

Core concepts of identity, identifiers, and identity resolution in Permutive

Consent

How data controllers can signal user consent to Permutive