How to Find Unauthorized Sellers on Your Domain
Unauthorized sellers on your domain mean someone is selling your inventory without permission, or you forgot to add a partner to ads.txt. Here is how to find and fix both scenarios.

Key Takeaways
- Unauthorized sellers exist when entities sell your inventory without appearing in your ads.txt. This can be intentional fraud or an accidental omission on your part.
- Finding unauthorized sellers requires checking from the buy side, not just the sell side. DSPs see sellers you may not know about because they receive bid requests from supply paths you don't control.
- The most common unauthorized seller is a legitimate reseller you forgot to add. Before assuming fraud, check whether a missing ads.txt entry explains the situation.
- Supply chain monitoring tools make detection automated and continuous. Manual detection is possible but limited to what you can observe directly.
- Every unauthorized seller on your domain costs you revenue, whether they're legitimate or fraudulent.
---
Unauthorized sellers are entities that appear to sell your inventory to DSPs but aren't listed in your ads.txt file.
From the DSP's perspective, these are either fraud (someone spoofing your domain) or an oversight (a legitimate partner you forgot to authorize).
Either way, the cost is real. DSPs that detect unauthorized sellers on your domain may discount all your inventory, not just the unauthorized portion. And legitimate partners missing from ads.txt lose access to DSP demand entirely.
Finding unauthorized sellers requires looking at your supply chain from multiple angles.
Method 1: Audit Your Reseller Chain
The most common source of unauthorized sellers is reseller relationships you didn't explicitly authorize in ads.txt.
How Reseller Chains Create Unauthorized Sellers
You list SSP-A as a DIRECT partner in ads.txt. SSP-A resells your inventory to Exchange-B. Exchange-B resells it to Exchange-C. Both Exchange-B and Exchange-C are selling your inventory to DSPs, but neither appears in your ads.txt.
From the DSP's perspective, Exchange-B and Exchange-C are unauthorized sellers. The DSP can verify SSP-A (it's in your ads.txt), but when the bid request reaches the DSP through Exchange-C, the authorization check fails.
How to Check
Contact each SSP in your ads.txt and ask:
- Do you resell our inventory to other exchanges or SSPs?
- If yes, which ones?
- What account IDs do they use for our inventory?
For each reseller identified, decide whether to:
- Authorize them: Add a RESELLER entry to ads.txt
- Block them: Ask your SSP to stop the reselling arrangement
Method 2: Cross-Reference ads.txt Against SSP Reports
Most SSPs provide reports showing demand sources, auction data, and sometimes the exchanges or DSPs that bid on your inventory.
What to Look For
Review SSP dashboards for:
- Revenue from demand sources you don't recognize
- Bid requests or impressions from exchanges not in your ads.txt
- Any supply path data showing intermediaries in the auction chain
If your SSP provides a supply chain or demand source breakdown, compare every entity against your ads.txt. Any entity appearing in the supply chain but not in your ads.txt is potentially unauthorized.
Method 3: Use Supply Chain Monitoring Tools
This is the most effective method.
Automated tools scan the supply chain ecosystem and identify sellers associated with your domain.
BeamFlow's scanner cross-verifies your ads.txt against sellers.json across the ecosystem. It identifies:
- Missing authorizations: SSPs that list you in their sellers.json but aren't in your ads.txt
- Unknown sellers: Entities appearing in supply chain data for your domain that you haven't authorized
- Verification mismatches: Entries where the data doesn't align between ads.txt and sellers.json
Automated monitoring catches unauthorized sellers continuously, not just during manual audits.
Method 4: Check sellers.json Files Directly
Some unauthorized sellers may have you listed in their sellers.json even though they're not in your ads.txt.
How This Happens
An SSP adds your domain to their sellers.json as a seller on their platform. Maybe they set up a test account. Maybe a reseller arrangement was configured on their end. Maybe it's domain spoofing.
If the SSP has your domain in their sellers.json but isn't in your ads.txt, DSPs see a mismatch: the SSP claims to sell your inventory, but you haven't authorized them.
How to Check
For major SSPs in your vertical (even ones you don't work with):
- Download their sellers.json
- Search for your domain
- If your domain appears and you don't have a relationship with that SSP, investigate
Checking this manually is labor-intensive. Automated tools handle it far more efficiently.
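The cross-check from Methods 3 and 4 can be scripted. The following is an added example, not BeamFlow's scanner or code from the original article: it parses an ads.txt, searches each SSP's sellers.json for your domain, and reports missing authorizations and mismatches. All domains, account IDs and file contents are constructed placeholders, and treating an ads.txt DIRECT entry paired with a sellers.json seller_type of INTERMEDIARY as a mismatch is an assumption about what "doesn't align" means.

```python
import json

MY_DOMAIN = "publisher.example"   # constructed; every name below is a placeholder

ADS_TXT = """\
# constructed sample ads.txt
ssp-a.example, 1001, DIRECT
ssp-c.example, 3003, DIRECT, f00dcafe
contact=adops@publisher.example
"""

# Constructed sellers.json bodies, keyed by the SSP that would publish them.
SELLERS_JSON = {
    "ssp-a.example": '{"sellers":[{"seller_id":"1001","domain":"publisher.example","seller_type":"PUBLISHER"}]}',
    "ssp-c.example": '{"sellers":[{"seller_id":"3003","domain":"publisher.example","seller_type":"INTERMEDIARY"}]}',
    "ssp-x.example": '{"sellers":[{"seller_id":"77","domain":"Publisher.example","seller_type":"PUBLISHER"},'
                     '{"seller_id":"78","is_confidential":1}]}',
}

def parse_ads_txt(text):
    """Return {(ad_system_domain, account_id): relationship} from ads.txt text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:                          # blanks and variables such as contact=
            continue
        entries[(fields[0].lower(), fields[1])] = fields[2].upper()
    return entries

def audit(my_domain, ssp_domain, sellers_json, ads_entries):
    """Compare one SSP's sellers.json against our ads.txt entries."""
    findings = []
    for seller in json.loads(sellers_json).get("sellers", []):
        if seller.get("domain", "").lower() != my_domain:
            continue                                 # confidential entries carry no domain
        seller_id = str(seller["seller_id"])
        relationship = ads_entries.get((ssp_domain, seller_id))
        if relationship is None:                     # SSP lists us, we never authorized it
            findings.append(("missing_authorization", ssp_domain, seller_id))
        elif relationship == "DIRECT" and seller.get("seller_type", "").upper() == "INTERMEDIARY":
            findings.append(("verification_mismatch", ssp_domain, seller_id))
    return findings

def run_audit():
    ads = parse_ads_txt(ADS_TXT)
    return [f for ssp, body in SELLERS_JSON.items() for f in audit(MY_DOMAIN, ssp, body, ads)]

if __name__ == "__main__":
    print(run_audit())
```

A `missing_authorization` finding still needs the categorization described under "Evaluating What You Find" before anything is added to ads.txt.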
Method 5: Monitor for Domain Spoofing Indicators
Domain spoofing is when bad actors create fake bid requests using your domain name. Signs include:
- Unexpected traffic volume. Your SSP reports show far more bid requests than your actual traffic should generate.
- Geographic anomalies. Bid requests from countries where you have no audience.
- Timing anomalies. Bid volumes that don't correlate with your actual traffic patterns.
- SSP contacts. SSPs or DSPs contact you about suspicious activity on your domain.
If you suspect domain spoofing, ensure your ads.txt is complete and accurate. A full ads.txt is the primary defense because it lets DSPs reject all unauthorized bid requests.
Evaluating What You Find
When you identify an unauthorized seller, categorize it:
Category 1: Legitimate Partner You Forgot to Add
Indicators:
- You have an active business relationship with the entity
- The entity is a known SSP or exchange in the ecosystem
- Your SSP confirms a reselling arrangement with them
- The account ID and domain data are correct
Action: Add the entity to ads.txt as a RESELLER. Verify the entry matches their sellers.json.
Category 2: Reseller You Didn't Know About
Indicators:
- You don't have a direct relationship, but your SSP does
- The entity is a known exchange or SSP
- Your SSP confirms they're part of the demand chain
Action: Decide whether to authorize (add to ads.txt) or prohibit (ask your SSP to stop reselling through them). Consider whether the reseller adds meaningful demand.
Category 3: Unknown Entity
Indicators:
- You have no relationship with this entity
- Your SSPs don't recognize the arrangement
- The entity isn't a well-known SSP or exchange
Action: Don't add to ads.txt. This is potentially fraudulent activity. Ensure your ads.txt is complete so DSPs can identify and reject bids from this entity. Report to relevant SSPs.
Category 4: Domain Spoofing
Indicators:
- Bid requests claim your domain but come from entities with no connection to your infrastructure
- Volume or geographic patterns don't match your actual traffic
- Multiple unknown entities are simultaneously selling your inventory
Action: Maintain a complete and accurate ads.txt. Report to TAG (Trustworthy Accountability Group) if the spoofing is large in scale. Contact any SSPs where the spoofing appears to originate.
Building an Ongoing Detection Process
Finding unauthorized sellers isn't a one-time task. New reseller arrangements form. SSP partnerships change. Bad actors target new domains.
Monthly: Run a quick check of your ads.txt against known SSP partners. Verify no new SSPs are selling your inventory without authorization.
Quarterly: Do a full cross-reference of your ads.txt against sellers.json across the ecosystem. Check for domain appearances in sellers.json files from SSPs you don't work with.
Continuously: Set up automated monitoring to get alerts when new unauthorized sellers appear. This catches issues immediately rather than at the next scheduled audit.
Frequently Asked Questions
Are all unauthorized sellers harmful?
Not all are fraudulent, but all reduce your revenue. Even a legitimate partner missing from ads.txt is technically unauthorized, and DSPs treat unauthorized sellers with reduced trust regardless of the reason.
What if I find an unauthorized seller but can't identify them?
If the entity is unknown and your SSPs don't recognize the arrangement, treat it as potentially fraudulent. Don't add it to ads.txt. Maintain your existing ads.txt to ensure DSPs can identify the unauthorized activity.
Should I contact DSPs about unauthorized sellers?
Generally, no. DSPs handle unauthorized sellers through their ads.txt enforcement systems. Your job is to maintain a complete and accurate ads.txt. The DSPs will use it to make their own decisions.