SDK Signature
The Adjust SDK submits a digital signature (computed from an App Secret) to validate installs and protect your dataset from spoofed traffic. Once you have created an App Secret within your dashboard and implemented it into your Adjust SDK, our Adjust servers will effectively verify the legitimacy of every reported install and reject fraudulent activity. With the Adjust SDK Signature, you can be confident that your attribution dataset is accurate and secure. 


  • This feature is available to all Adjust customers but does not appear in your dashboard automatically. If you are interested in implementing an SDK signature in your app, contact your account manager or to opt in.
  • This feature requires you to have Adjust SDK version 4.12 or later integrated into your app

Managing App Secrets

Create an App Secret


In the Adjust dashboard
  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > SDK Signature
  3. Select CREATE NEW APP SECRET (at the bottom of the module) to generate an App Secret
  4. (Optional) Enter a name for your App Secret in the Name App Secret field
    • Recommended: enter the app version containing the App Secret and the app store name
  5. (Optional) Enter your developer’s email address to directly send the App Secret for implementation within your app. This email will contain the app token, App Secret, and App Secret version, along with a link to the necessary SDK documentation.
  6. Select SAVE CHANGES
Your new App Secret will appear in the list of App Secrets. Each App Secret is assigned a Secret ID, numbered in chronological order, starting at 1.

You can edit the name of an App Secret at any time by selecting the edit (pencil) icon beside the App Secret.

Note: Before the App Secret becomes effective, your app developer must integrate it into your app’s Adjust SDK

Integrate an App Secret into your Adjust SDK 

Once you have created an App Secret, it must be integrated into the Adjust SDK before app store submission.

Developer instructions can be found in the following GitHub repositories:

Deactivate an App Secret

Deactivating an App Secret may be necessary if you suspect an internal data breach. Only analysts should decide when to deactivate an App Secret; you can reactivate a deactivated App Secret at any time.


In the Adjust dashboard
  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > SDK Signature
  3. Select the deactivate (power) icon beside the App Secret you want to deactivate
  4. Select DEACTIVATE
Deactivating an App Secret takes immediate effect. 

Any app install reported with a deactivated App Secret will be rejected and categorized under Untrusted Devices. Adjust will continue to track sessions and events for these devices, but this information will only be visible in your dashboard reporting if you are using the Adjust Fraud Prevention Suite.

Reactivate an App Secret

App Secrets should rarely be reactivated, and only when absolutely necessary—e.g., when you have accidentally deactivated an App Secret or you are noticing inexplicable anomalies in your traffic after deactivation.


In the Adjust dashboard
  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > App Secrets
  3. Check Show deactivated secrets
  4. Select the activate (power) icon beside the inactive App Secret that you want to reactivate
Your reactivated App Secret will appear within your active list of App Secrets. All reactivated App Secrets retain their original App Secret ID.

Reactivating an App Secret takes immediate effect. Installs rejected during deactivation are not retrospectively added to your historical dashboard data; all installs rejected during deactivation will remain rejected. 

Best Practices

While App Secrets offer a high degree of flexibility, we’ve outlined our recommendations for their most effective use.

App Secret name

When entering a name for your App Secret, we advise including the related version of your app and the relevant app store.

Example: version 2.3-Play Store

When to create an App Secret

We advise creating an App Secret for every app version you release. We also recommend generating individual App Secrets for different app stores (e.g., Google Play Store and Amazon Appstore) and for pre-install campaigns.

When to deactivate or reactivate an App Secret

Only analysts should determine when to deactivate or reactivate an App Secret; this should not be an app development decision.

Deactivating an App Secret

Adjust recommends deactivating an App Secret if it is no longer contributing to your install reporting or if you have fully released a new version of your app (across all app platforms and stores). Otherwise, you could be missing considerable data from your dashboard reporting and callbacks.

App Secret deactivation is also recommended in the instance that you suspect an internal data breach: if your App Secret has been disclosed to outside parties, it should be deactivated. 

Reactivating an App Secret

In general, we advise against reactivating App Secrets. It should only be considered if: 
  • The App Secret was deactivated accidentally, or;
  • You are noticing anomalies in your traffic (e.g., a significant and otherwise unaccountable drop in installs) after deactivating an App Secret

SDK Signature enforcement

By default, SDK Signature enforcement is OFF for all new apps.

SDK Signature enforcement requires installs to have a valid, active App Secret: installs submitted with an invalid or deactivated App Secret will be rejected. Any install submitted without a App Secret (i.e., all earlier app versions) will also be rejected. 

Since disabling SDK Signature enforcement allows Adjust to accept installs submitted without an App Secret, user discretion is advised. The SDK Signature enforcement setting only affects installs submitted without an App Secret: installs reported with invalid or deactivated App Secrets will always be rejected, regardless of this setting.

App Secret Statistics

View your App Secret statistics


In the Adjust dashboard
  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > SDK signature

What you will see in your App Secret statistics

On the left side of the graph, you will see your App Secrets, including Invalid Secret and No Secret, if any such install attempts have been reported. Hover over an App Secret and you can select the plus icon (+) to add that App Secret’s data to the graph. To remove an App Secret’s information from the graph, hover over its name in the left-hand section or above the graph and select the minus icon (-).

On the graph, the solid line represents accepted installs, and the dotted line represents rejected installs.

Note: Installs that occurred when your app’s Adjust SDK was running in the sandbox environment will not display in this graph.

Moving your cursor over the graph will allow you to see the values for a certain point in time. The date of your current position is displayed directly above the graph, and the value for that point appears next to the colored keys above the date. Hover over one of these sections to isolate the line on the graph.

Select an App Secret in the left-hand section to see its installs broken down by country.

Grouping (hour, day, week, or month)

Located above the graph, this filter allows you to alter how many data points appear on your graph. The options available to you will differ depending on the timeframe you have selected, but there are four in total: Hour, Day, Week, and Month.

By selecting Hour, there will be a data point on the graph for every hour of your selected timeframe. This can be useful if you wish to see how user activity changes depending on the time of day.

At the other end of the scale, selecting Month will provide just one data point for every month of your selected timeframe. This provides a more general look at changes in your install activity over broader expanses of time.

Linear or logarithmic

This filter affects your graph’s y-axis display. If you select linear, equal weight will be given to data ranges, meaning they occupy equal amounts of your graph’s y-axis. The downside to this view is that, if you have a lot of activity in the lower ranges and little in the upper ranges, it can be hard to tell what is happening at the bottom of your graph, as it appears more condensed.

By selecting logarithmic, each data range will be provided with half the space of the data range below it, so, as you move up the y-axis, each data range is provided with progressively less space. This helps to provide more space for the lower ranges to really shine.

Do note that a logarithmic y-axis can be misleading, as your lower and upper ranges can appear much closer together than they really are. By switching between the two options, you can develop a full understanding of the data represented.


What is a digital signature? 

A digital signature is a mathematical scheme used for authenticating digital messages or documents. By design, a digital signature indicates that a message was submitted securely and that no data was compromised during transmission.

What is an App Secret?

An App Secret is a set of five integers. Adjust uses this value to hash key data points when sending SDK traffic to Adjust’s servers, where Adjust can verify the legitimacy of the installs based on this hash value. The App Secret is so instrumental in computing the SDK Signature that only the plain text format (as exported from your Adjust dashboard) can be used to derive it. 

To be most effective, we recommend creating a new App Secret for:
  • Different platforms (iOS, Android, etc.), and;
  • Every new app version release

How do I implement an App Secret?

Once you have created your App Secret, submit it and the App Secret ID to your developer for implementation. Instructions are listed within the relevant Adjust SDK README.

How will this data appear in my dashboard?

App Secret performance can be reviewed in your App Secret statistics, detailed above.

Rejected installs will appear in the fraud view of your dashboard statistics. Installs rejected for having an invalid signature are listed under Untrusted Devices > Invalid Signature. If you are not currently using the Adjust Fraud Prevention Suite, then rejected installs will not be visible in your Adjust reporting.

What is the difference between an invalid and a missing signature?

A signature is invalid if it does not match the signature Adjust calculates based on your App Secret. This includes fraudulent signatures and signatures calculated from deactivated App Secrets.

A missing signature is when an app install contains no signature whatsoever. Installs without a signature will only be rejected if SDK Signature enforcement is on.

How can I receive rejected install activity from Adjust?

If an install is rejected for an invalid or missing SDK Signature, you can be notified via Adjust's real-time callback system or our CSV uploads to cloud storage. Append a {rejection_reason} placeholder to a rejected install or rejected reattribution callback to receive the reason for a rejected install or reattribution, or add {rejection_reason} to your CSV definition.

Note: You can only receive callbacks for rejected installs and reattributions if you are using our Fraud Prevention Suite.
  • Instructions for real-time callbacks
In the Adjust dashboard
  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > Raw Data Export > Real-Time Callbacks
  3. Select the edit (pencil) icon beside rejected install or rejected reattribution
  4. Enter your callback URL and append a key-value pair for the rejection reason
    • Enter a key of your choosing; this can be customized to your server setup
    • The value should be {rejection_reason}
    • Example: rejected_install_reason={rejection_reason}
  5. Select UPDATE
If an install or reattribution has been rejected due to an invalid or missing SDK Signature, you will receive, e.g., rejected_install_reason=invalid_signature through your callback.

Note: Missing signatures are only rejected when SDK Signature enforcement is on.
  • Instructions for Amazon S3 bucket exports
In the Adjust dashboard
  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > Raw Data Export > CSV Upload
  3. Select Select Events for Export
  4. Check rejected install and/or rejected reattribution
  5. In your CSV DEFINITION, include the {rejection_reason} placeholder
If a rejected install or rejected reattribution event occurs, it will appear in your CSV file upload with the {rejection_reason} column containing invalid_signature.

Why should I opt in for App Secrets and signatures for SDK traffic?

Although the Adjust SDK communicates with Adjust’s servers using encrypted communication channels, i.e., HTTPs, this data can be intercepted and read by fraudsters.  The information acquired in such an “attack” can then be used to generate illegitimate installs.

This is where our SDK Signature scheme comes to the rescue. The way our SDK computes a signature from the App Secret (a value only known by the app publisher and Adjust) allows our servers to verify the legitimacy of all incoming installs. 

If a fraudster tampers with important data (e.g., install time or device-specific identifiers) submitted during an install then our servers will detect this and reject the install. 

On this topic