brand.json file provides a standardized way for brands to claim their identity and establish discoverable brand information. It supports five variants to accommodate different publishing models.
brand.json is the canonical source of brand identity data. The brand object defined here (logos, colors, tone, tagline) is the single brand definition used across AdCP. Tasks reference brands by domain and brand_id — the system resolves full identity from brand.json or the registry.Motivation
Brand identity for a holdco could live in one brand.json owned by the parent — every child change requires editing the parent’s file. If Converse wants to update its logo, someone edits Nike, Inc.’s file. If a holdco runs 100 subsidiary brands, all 100 teams converge on the same monolithic document. Brand teams own their identity, but a monolithic shape forces a single ops choke point at the corporate parent. It also blocks independent brands from publishing at all — a brand listed in someone else’s portfolio has no protocol-level path to assert its own canonical data, even when domain control proves it could. The spec resolves this by letting a child brand publish its own canonical document while the house remains the authority for who is in the family. Inlinebrands[] stays a first-class option (parent owns the data); brand_refs[] adds pointer children whose canonical document lives elsewhere (child owns the data). A house mixes freely. The hierarchy is one level deep — only a house declares ownership; a brand cannot itself have children.
File location
Brands host thebrand.json file at:
Variants
The brand.json file supports five variants:
Variants 1–3 are mutually exclusive with each other and with variants 4–5. Variants 4 and 5 compose: a House Portfolio (4) can reference Brand Canonical Documents (5) via
brand_refs[], and a Brand Canonical Document can point back at its house via house_domain. See Mutual-assertion trust model for how the two halves resolve.
1. Authoritative Location Redirect
Points to a hosted brand.json at another URL:- Brand.json is hosted centrally (e.g., by a service provider)
- CDN distribution is needed
- Managed brand services
redirect_reason: structured signal for cache handling (acquisition,rebrand,regional,legacy,consolidation,other)redirect_effective_at: ISO timestamp when the redirect became effectivenote: free-text rationale
2. House Redirect
Points to the house domain that contains the full brand portfolio:region: ISO 3166-1 alpha-2 country code (e.g., “CN”)redirect_reason: structured signal for cache handling (see Redirect ergonomics)redirect_effective_at: ISO timestamp when the redirect became effectivenote: free-text rationale
- Brand domain is owned by a larger house
- Regional/localized domains point to main house
- Legacy domains redirect to canonical
Redirect ergonomics
Both redirect variants accept optionalredirect_reason and redirect_effective_at to help consumers handle redirect transitions without sitting on stale cached state.
redirect_reason is an enum:
redirect_effective_at (ISO 8601 timestamp) is the hard cache invariant: caches MUST treat any entry cached before this timestamp as stale and re-fetch through the redirect. The TTL-shortening guidance above is a SHOULD; this timestamp is a MUST and is the load-bearing fix for cache poisoning during M&A and other transitions.
This is the brand.json analogue to the migration patterns in IAB Tech Lab’s ads.txt (OWNERDOMAIN) and sellers.json (seller_type), which historically relied on out-of-band coordination — there was no machine-readable transition signal. redirect_reason + redirect_effective_at close that gap for brand.json.
Example — acquisition redirect:
3. Brand Agent
Designates an MCP agent that provides brand information:contact: Contact information
4. House Portfolio
The house publishes its brands. A house may carry inline child definitions, pointer references to brands that self-publish, or both:brands[]— inline child definitions. Parent owns the data. Best for sub-brands without their own domain (Nike SB, an internal product line) or sub-brands the holdco wants to manage centrally.brand_refs[]— pointer entries. Child owns the data at its own canonical document (variant 5). Best for sub-brands with their own domain that want self-publish authority (Converse, Jordan).
brands[] or brand_refs[] must be present.
Simple house (inline only):
brand_refs[] entry shape:
Trust semantics for the relationship between this entry and the child’s
house_domain claim are defined in Mutual-assertion trust model below.
House with delegation (WPP):
Holdcos delegate brand management to agency networks. WPP plc owns brands but Ogilvy or BBH actually runs them day-to-day. managed_by on a brand_refs[] entry captures this as a unilateral declaration by the owning house. The leaf brand doesn’t reference the manager. UIs render BBH Sport under BBH for agency views; trust validation walks BBH Sport → WPP only.
managed_by is a directory field, not a trust field. It exists so consumers can group brands by who actually runs them day-to-day — the canonical view a buyer-side DSP wants when shopping inventory across an agency network. Consumers MUST NOT use it for trust or authorization decisions; that line still flows through mutual assertion between leaf and house. See Conformance.
5. Brand Canonical Document
Self-published per-brand document where the brand owns its own identity attributes. Hosted at the brand’s own/.well-known/brand.json (or via authoritative location redirect). A brand may declare its house via house_domain or stand alone (no parent house — Patagonia, Liquid Death — omit the field). Trust semantics for the house_domain relationship are defined in Mutual-assertion trust model below.
With a house — Converse under Nike:
brands[].
Top-level fields specific to this variant:
All other brand-identity fields apply (
logos, colors, fonts, tone, tagline, visual_guidelines, keller_type, parent_brand, properties[], industries[], target_audience, description, agents[], contact, trademarks[], data_subject_contestation, etc. — see Brand definition for the full field list). The document MUST NOT carry house-only fields (house, brands, brand_refs, authorized_operators) or redirect fields (authoritative_location, house as string, region, note, redirect_reason, redirect_effective_at).
Mutual-assertion trust model
Trust resolves at two layers — brand identity (logos, colors, tone, tagline, etc.) and brand relationships (who owns this brand, who can speak for it). The two layers separate cleanly. Identity is verifiable from a single TLS-served document; relationships require both sides to reciprocate.
Key asymmetry. A leaf with verified TLS at its own domain is authoritative for its own identity attributes whether or not its parent claim is reciprocated. The relationship layer is what mutual assertion gates. A naïve “claimed, unverified ⇒ ignore the leaf entirely” reading is wrong — the leaf’s logos/colors/tone are still real.
Standalone trumps third-party claim. A Brand Canonical Document with no
house_domain is standalone. If some other house’s brand_refs[] lists it anyway, the leaf’s silence is dispositive: treat as standalone; the third-party claim is unverified metadata only. See Conformance for the normative statement.
Validation is a runtime check (the crawler fetches both documents and compares); the JSON Schema accepts the fields independently.
Self-healing through notification
The leaf-only edge case is common in practice — a sub-brand team stands up its own canonical document before the parent’s portfolio team has time to add the reciprocal entry. Today this leaves the brand stuck: identity is good, but media buys and governance decisions are blocked. The spec defines a self-healing loop. For houses without a brand-agent:- The house publishes a reachable
contact.emailat the top level of itsbrand.json. - When a consumer encounters a leaf-only edge — leaf claims
house_domain: A, A’sbrand_refs[]doesn’t include leaf — the consumer SHOULD notify A’scontact.emailthat a leaf is claiming reciprocation and is blocked pending verification. - The house team adds the entry to
brand_refs[]. On the next crawl/re-validation, the edge upgrades to mutual.
verify_brand_claim, the consumer asks the agent directly instead — see Agent-augmented verification below. The agent path surfaces richer states (pending_review, transferring, disputed, licensed_in) than the email loop can express, and when both house and leaf publish agents, mutual assertion completes via two signed agent calls without a static-file crawl.
Agent-augmented verification
When the brand publishes a brand-agent (variant 3 or atype: "brand" entry in agents[] on variant 4/5), the agent can be asked verification questions via verify_brand_claim — a single tool that takes a claim_type (subsidiary / parent / property / trademark) and returns the brand’s authoritative answer. The brand-agent is brand.json hidden behind a server: same data the static file carries, plus the richer states the static file can’t capture (pending_review, transferring, disputed, licensed_in, licensed_out).
The trust model is asymmetric by direction. Without this asymmetry, a malicious or mistaken house could claim subsidiaries it doesn’t own and have consumers extend trust on the strength of the signature alone.
When both house and leaf publish brand-agents, mutual assertion can complete at the agent layer: partner calls
verify_brand_claim with claim_type: "subsidiary" on the house AND with claim_type: "parent" on the leaf. Both owned → mutual assertion, real-time, signed by both parties, no crawl required. This is the cleanest path for trust extension.
Mutual assertion proves consistency between two parties, not standing. Two reciprocally-asserting agents at attacker-controlled domains can sign matching owned responses; mutual assertion confirms only that they agree, not that either has legitimate authority over the underlying brand. The final trust gate is still domain control + TLS — verified on the consumer side, against the legal/operational entity the consumer expects to own the domain. Mutual assertion at the agent layer is the floor; consumer-side standing checks (domain registration, real-world identity) are still the caller’s responsibility for high-trust decisions.
Agent responses are signed under the brand’s adcp_use: "response-signing" JWK. See the task reference for the full request/response shapes and per-claim-type details.
Field resolution
There is no inheritance/override block. Each consumer-side question has a single answer:
Identity fields (
name, names, logos, colors, fonts, tone, voice, tagline, visual_guidelines, avatar): brand-level value is authoritative; the house value is not consulted. Brand teams own brand identity.
Authorized Operator Resolution
authorized_operators[] entries may be scoped by brand, country, activity, and time. Consumers evaluating an operator relationship MUST ignore an entry when the current time is before valid_from or at/after valid_until. Omitted validity fields mean the house has not published a machine-readable start or end bound.
When scopes is omitted, consumers should treat the entry as backwards-compatible broad authorization for the listed brands and countries. When scopes is present, the operator is authorized only for the listed activities, or for all activities when it explicitly contains all.
authorized_operators[] does not replace publisher-side inventory authorization. For delegated or network inventory, buyers still need the publisher’s matching adagents.json authorization; the brand file establishes who may represent the brand or house, while adagents.json establishes who may sell a publisher’s inventory.
Compliance and governance fields: the resolved value is the strictest of the house-level and brand-level values. A brand cannot weaken a house’s governance assertions; it can only add stricter constraints. Applies to:
data_subject_contestation— both contacts SHOULD be presented to data subjects (consumers may use either; brand-level does NOT replace house-level)compliance_policies, audience exclusions, regulated-category flags — resolved as union (more restrictions wins)
Acquisitions and reorganizations
Existing redirect variants handle M&A natively:- Pre-deal:
dentsu.com/.well-known/brand.jsonis a House Portfolio. Dentsu brands’ canonical docs sayhouse_domain: "dentsu.com". - Deal closes: Dentsu’s
brand.jsonis replaced with a House Redirect →{ "house": "wpp.com" }. WPP adds the acquired brands tobrand_refs[]withmanaged_by: "dentsu.com"for ops continuity andeffective_atset to the deal-close date. - Post-deal: leaves still pointing at
house_domain: "dentsu.com"resolve through the redirect to WPP. Mutual-assertion verification follows the redirect chain (see Conformance) and holds. No urgent leaf migration needed.
Adopting brand_refs[] for an existing portfolio
An existing House Portfolio publisher (today on inlinebrands[]) doesn’t need to migrate. brand_refs[] is additive and pull-based — a brand moves out of brands[] only when its team decides to self-publish.
The migration path for a single brand:
- The child brand stands up
/.well-known/brand.jsonat its own domain as a Brand Canonical Document, declaringhouse_domain: "<house>". - The house team removes the child’s entry from
brands[]and adds{ domain, brand_id, effective_at }tobrand_refs[].brand_idMUST match the value the child uses; otherwise the cross-array uniqueness invariant doesn’t help future readers. - The crawler picks up the mutual assertion on next refresh.
contact.email to prompt step 2.
The AAO registry consumes both shapes today and will not re-classify a brand that moves from brands[] to brand_refs[] — the brand_id is the stable identifier across the migration.
Out of scope
The single-house, single-hop trust model deliberately doesn’t cover four shapes:- Joint ventures with two parents (Hulu pre-Disney, JVs in pharma, automotive partnerships). A leaf has at most one
house_domain. JV structures must pick one canonical parent or use a holding entity; the protocol won’t model two-parent ownership. - PE rollups and white-label arrangements that want opacity. Mutual assertion publishes ownership at well-known URLs. A holdco that wants to operate brands without public disclosure can use the existing monolithic
brands[]shape (which doesn’t expose the parent to leaf-domain crawlers) but cannot use mutual-assertion. Mutual assertion trades opacity for verifiability — that’s the design. - Jurisdictional governance divergence (e.g., a Marriott franchisee in Germany whose data-subject contestation rules differ from the US parent’s). Strictest-of resolution means brand-level publishers can only add constraints. A brand in a less-regulated jurisdiction cannot drop a house-level rule that doesn’t apply to it. Workaround: the house publishes the strictest applicable per-region rule.
- Standing licensed relationships as a static brand.json surface.
verify_brand_claimwithclaim_type: "trademark"can returnlicensed_in/licensed_outbecause the underlying relationships are real — Marriott franchisees use the MARRIOTT mark under license, music catalogs are licensed-out per territory, jurisdictional licensing splits (“licensed in CN, self-managed elsewhere”) are common. The brand-agent can speak to these from internal records. Butbrand.jsonitself doesn’t yet have a publishing surface for standing licensed relationships parallel tobrand_refs[]for ownership. The existing rights protocol (rights_agent,acquire_rights) handles transactional licensing — negotiate a deal — not standing declarations. This gap is real and tracked as a follow-up; the verify surface exposes the states because partners need to consume them, but the static-file substrate that backs them is a separate design alongside the rights-protocol team.
brand.json is the brand-identity surface; corporate legal structure and licensing-relationship publishing are their own concerns.
House definition
The house object represents the corporate entity:Brand definition
Each brand in thebrands array:
Names Array
Names are localized with language codes:Keller Types
Brand architecture classifications from marketing theory:Extended color roles
Thecolors object has five standard roles (primary, secondary, accent, background, text), but brands can and should provide additional roles for finer granularity. The schema accepts any additional color role via additionalProperties.
These extended roles help creative agents distinguish between text hierarchies and surface levels without guessing.
Visual guidelines
Thevisual_guidelines object provides structured rules that generative creative systems can use to produce on-brand assets consistently. These are brand constants — they don’t change campaign to campaign.
Visual guidelines complement the basic identity fields (
colors, fonts, logos). Colors define what the brand palette is; visual guidelines define how to use it. Fonts define font families; visual guidelines define the type scale.Photography
Controls how brand photography should look when selected or generated:Graphic style
Defines the visual language for brand graphics and illustrations:flat_illustration, geometric, gradient_mesh, editorial_collage, hand_drawn, minimal_line_art, 3d_render, isometric, photographic_composite.
Shapes
Brand shapes used as part of visual identity:Iconography
Icon style system and usage rules:Composition
Layout rules for overlays, textures, and backgrounds:none, subtle_grain, noise, paper, fabric, concrete. Intensity: low, medium, high.
Background types: solid_color, gradient, blurred_photo, image, video, pattern, transparent.
Border radius
Named border radius presets for UI components and layout elements. Border radius is one of the most visible brand differentiators — generous radii feel warm and approachable, while small or zero radii feel precise and editorial.
Additional named presets can be added beyond the five standard levels.
graphic_style.corner_radius defines a default radius for graphic/illustration elements. border_radius defines a named scale for UI components and layout — buttons, cards, inputs, modals.Elevation
Named shadow levels that define how elements appear to lift off the surface. Brands use elevation as identity — some prefer dramatic multi-layer shadows, others use a single diffuse shadow.box-shadow syntax. Generative systems can apply these directly.
Additional named levels (e.g.,
dropdown, tooltip) can be added.
Spacing
Spacing system for consistent layout rhythm. A base unit plus a named scale enables creative agents to produce correctly-spaced layouts without guessing.
The
scale object supports standard sizes (xs, sm, md, lg, xl, 2xl) and can include additional named values (e.g., 3xl, section).
Graphic elements
Reusable decorative or structural visual elements that are part of the brand identity — torn paper edges, watermarks, dividers, background patterns:Motion
Motion and animation rules for video, animated display, and interactive formats:Logo placement
Logo placement and clear space rules for automated creative production:Logo selection slots
Uselogos[].slots[] when a renderer needs to choose the right logo variant for a specific surface, such as a light logo card, dark logo card, profile mark, CTV end card, co-brand lockup, or marketplace listing. logos[].id gives downstream rules a stable target that does not depend on a mutable asset URL.
asset_group_id: "logo" for the manifest asset group. If a product narrows that slot with format_options[].params.slots[].logo_slots[], builders should select from brand.json logos[] where logos[].slots[] intersects the requested slots. If the format also declares required_logo_slots[], missing coverage should surface as a validation warning or approval mapping instead of falling back silently to prose.
visual_guidelines.logo_usage_rules[] can then apply placement constraints to a stable logo_id:
Color constraints
Usevisual_guidelines.color_constraints[] for machine-readable color usage and pairing rules, such as accent-only colors, forbidden background combinations, or colors that should never appear together.
color_ref uses an explicit kind discriminator: kind: "name" looks up a key in colors{}, kind: "value" carries a literal hex color, and kind: "surface" identifies a layout surface such as background, text, or logo_background.
Mark lockups
Usevisual_guidelines.mark_lockups[] for co-brand, partner, sponsor, program, or secondary-mark layout rules. These fields make ordering, spacing, separators, and size-ratio guidance queryable while leaving optical balancing to layout/render review.
Tooling notes: ingesting brand books
Tools that create a draftbrand.json from a brand-guide PDF should keep asset extraction and guideline interpretation separate.
Use deterministic extraction to produce candidate asset IDs:
- embedded PDF images for photography, mockups, raster icons, and examples
- rendered-page crops for vector logos, marks, color swatches, and logo specimens that are not embedded image files
logos[], assets[], colors, and visual_guidelines rules. The model should map back to known candidate IDs; it should not be treated as the source of original asset bytes.
A draft ingestion record can point from a proposed logo entry back to evidence:
logos[] until a reviewer confirms the crop, assigns the correct slots/backgrounds, and replaces the candidate file with a durable HTTPS logo asset URL. If the source PDF lacks hosted assets, operator authorization, or trademark evidence, that is an ingestion warning rather than a schema gap.
Public hosted asset promotion
AAO-hosted brand assets are for cases where a reviewer or verified owner has approved a private upload for publicbrand.json use. Extraction alone never publishes bytes. The private analysis artifact remains separate from the public asset row, and brand.json only receives the public URL after approval.
Recommended flow:
- Store the uploaded or extracted file privately for analysis.
- Present the candidate to the operator with the exact proposed
brand.jsondiff. - Require explicit approval before promotion.
- Promote the approved bytes to a stable public HTTPS URL.
- Write that public URL into
logos[].
brand.json: original filename, uploader user and organization when known, source flow, created time, content type, dimensions, hash, and whether the path was owner-attested, delegated, or community-submitted. Moderation and owner approval state are operational metadata; consumers should not need to parse them from the public URL.
Initial promotion limits are intentionally conservative: accept only image MIME types needed for logos (image/png, image/jpeg, image/webp, image/gif, and sanitized image/svg+xml), cap uploads at 5 MB, detect raster dimensions before publish, and either sanitize SVG aggressively or reject it until the sanitizer is enabled for the surface. Private signed URLs, file-viewer links, and analysis-only object paths must not appear in published brand.json.
Deletion should tombstone the public asset row instead of reusing the URL for unrelated bytes. Replacement should create a new asset URL and update brand.json to point at it. Previously published URLs may continue to serve the old approved bytes for cache stability, redirect to the replacement when there is a one-to-one successor, or return 404 after a legal/security takedown; they must never silently serve a different asset under the same ID.
Colorways
Named color pairings that define how colors work together. Allows a creative brief to reference “use my primary colorway” without specifying every color:Type scale
Typography scale defining sizes and weights for different text roles:font field references font roles defined in the brand’s fonts object ("primary", "secondary"), or can specify a font family name directly.
When sizes are in pixels, use base_width to indicate the reference canvas these sizes were designed for. Generative systems should scale proportionally for other canvas sizes — a 48px heading designed for 1080px width would scale to 14px on a 320px mobile leaderboard.
Asset libraries
References to managed asset libraries (icon sets, illustration systems, image collections). URLs are for human access — a brand portal, press kit, or DAM landing page that a person can open in a browser.
The
color_guide provides generative systems with the color palettes used in the library — useful for producing on-brand illustrations or icons without accessing the library itself.
Restrictions
Visual prohibitions and guardrails — the visual equivalent oftone.donts. These tell generative systems what to avoid:
Trademarks
Registered trademarks may appear at the house level (corporate marks — e.g., NIKE owned by Nike, Inc.) or at the brand level (brand-specific marks — e.g., CONVERSE owned by Converse). Both arrays are valid claims; resolution between them is union.Licensed-in / licensed-out relationships (Marriott franchisees using the MARRIOTT mark, music catalogs licensed per territory, etc.) are queryable via the brand-agent today through
verify_brand_claim with claim_type: "trademark". A static brand.json publishing surface for standing licensed relationships (parallel to brand_refs[] for ownership) is a future RFC alongside the rights-protocol team. The static trademarks[] array below covers ownership only; licensing posture comes from the agent.
Holdcos with cross-jurisdiction conflicts (USPTO
CONVERSE vs EUIPO CONVERSE under different owners) should publish each registration as a separate entry and use countries to scope where the mark applies.
Property definition
Properties are digital touchpoints associated with brands:Property types
Matches AdCP property-type enum:websitemobile_appctv_appdesktop_appdoohpodcastradiostreaming_audio
Property relationships
Properties default toowned — the brand operates the property directly. For networks and SSPs that sell inventory they don’t own, the relationship field declares the commercial arrangement:
This is the AdCP equivalent of
sellers.json — the operator’s public declaration of which publishers they work with. For delegated or network paths, the publisher confirms by setting the matching delegation_type on the agent’s authorization in their adagents.json. For first-party inventory, relationship: "owned" is the operator’s inline ownership declaration. Sell-side implementations need the operator’s brand.json claim and, when inventory is publisher-authorized or delegated, the publisher’s matching adagents.json authorization. See seller setup for the step-by-step sell-side pattern and ad networks for network-specific guidance.
Resolution algorithm
To resolve a domain to a canonical brand:- Fetch
https://{domain}/.well-known/brand.json. - Check variant:
- authoritative_location: fetch from that URL, continue from step 2.
- house (string): fetch from house domain, continue from step 2.
- brand_agent: return agent URL — the agent is authoritative.
- House Portfolio (
houseobject +brands[]and/orbrand_refs[]): for an inline child, find the brand whoseproperties[]oridmatches the query; for a pointer child, followbrand_refs[].domainand resolve once — the followed document MUST be a Brand Canonical Document, never another House Portfolio. - Brand Canonical Document (
id+namesat top level): the document is the brand. Ifhouse_domainis present, fetch the house’sbrand.jsonto verify reciprocation in itsbrand_refs[](mutual assertion). When the house side is itself a House Redirect, follow the redirect chain on the house side before comparing. Read corporate-level fields (e.g.,data_subject_contestation) from the house if not present on the brand; for compliance fields, resolve strictest-of house and brand (see Mutual-assertion trust model).
- Return canonical brand information.
Complete examples
Small Business
Enterprise with Agent
Multi-Brand Portfolio
Talent Agency with Rights
A talent agency managing athlete brands with licensable rights:rights_agent field tells crawlers what’s licensable without any MCP calls — available uses, rights type, and countries. Buyer agents can search the registry for “Dutch athletes available for voice licensing” and find matches from the indexed brand.json data.
Regional Domain Redirect
Onnike.cn/.well-known/brand.json:
Caching
Recommended cache TTLs:- Canonical files: 24 hours
- Redirect files: 24 hours
- Failed lookups: 1 hour
Conformance
These invariants MUST be enforced by validators and crawlers; JSON Schema cannot express them directly. Portfolio invariantsbrand_idcross-array uniqueness. A givenbrand_idMUST NOT appear in bothbrands[]andbrand_refs[]of the same house. Publisher must choose one.brand_idwithin-array uniqueness. A givenbrand_idMUST be unique withinbrands[]and unique withinbrand_refs[]of the same house.domainwithin-array uniqueness. Eachbrand_refs[].domainMUST be unique within the array. Two entries pointing at the same domain with differentbrand_idvalues is undefined — there can be only one canonical pointer per domain per house.house_domainplacement.house_domainMUST NOT appear on entries insidebrands[]. It is a Brand Canonical Document top-level field; an inline child cannot carry a parent pointer of its own.
- Mutual-assertion is the relationship-trust edge. Consumers MUST NOT extend relationship trust (auto-provisioning, member-feature inheritance, billable seat inclusion) through one-sided claims. Mutual assertion (child’s
house_domainmatches abrand_refs[]entry on the named house) is the canonical trust edge. - Identity is TLS-only. A leaf brand’s own identity attributes (logos, colors, tone, tagline, visual_guidelines) are authoritative based on the leaf’s TLS-served document alone, regardless of mutual-assertion state. A leaf-only relationship claim does not invalidate the leaf’s identity.
- House Redirects on the house side MUST be followed. When verifying mutual assertion, if the named house’s
brand.jsonis a House Redirect, the consumer MUST follow the redirect chain (up to the 3-hop limit) before comparingbrand_refs[]membership. Otherwise post-acquisition leaves silently lose trust. - Standalone trumps third-party claim. A Brand Canonical Document with no
house_domainis standalone, regardless of any third-party house’sbrand_refs[]claim about it. The leaf’s silence is dispositive. (Stated once here; descriptive prose elsewhere defers to this clause.) managed_byis a directory field, not a trust field. Consumers MUST NOT usemanaged_byfor trust or authorization decisions. Aggregation bymanaged_by(“show me everything BBH manages”) is the intended use — it’s an operational directory across houses, not a trust assertion.
- Compliance fields strictest-of. For governance fields — including
data_subject_contestation,compliance_policies,policy_categories, audience exclusions, regulated-category flags, and brand-leveldisclaimers[]that the house also publishes — the resolved value is the union/strictest of house-level and brand-level. Brand-level publishers MUST NOT rely on weakening house-level assertions. This is distinct from relationship trust — strictest-of is a resolution rule, not a trust gate. - Edge aging. Mutual-assertion edges SHOULD be aged: consumers SHOULD treat an edge as one-sided when the gap between the publisher-declared
brand_refs[].effective_at(or, if absent, the consumer’s first observation) and the last successful re-validation exceeds the consumer’s chosen TTL. AAO’s reference crawler ages at 180 days; consumers MAY choose differently.
- Leaf-only edges SHOULD trigger notification. When a consumer encounters a leaf claiming
house_domain: Xwith no reciprocal entry on X, the consumer SHOULD notify X’scontact.emailso the house team can complete the reciprocation. Notifying parties MUST rate-limit per{leaf, house}pair to avoid flooding. - Agent-augmented verification. When the named house publishes a brand-agent advertising
verify_brand_claimin itssupported_taskswith a relevantclaim_type(subsidiary / parent / property / trademark), consumers SHOULD call the agent in addition to performing crawl-based mutual-assertion inference. The trust model is asymmetric by direction: signeddisputed/not_oursoverrides any reciprocating claim (rejection is unilateral); signedowned/pending_review/transferring/licensed_*does NOT replace mutual-assertion verification — the reciprocating side must still confirm before relationship trust extends. When both sides have brand-agents, mutual assertion completes via two signed agent calls (subsidiaryon the house +parenton the leaf). The crawl path is the fallback when the agent is unreachable or returnsunknown. The email notification SHOULD continues to apply for houses without a brand-agent. See Agent-augmented verification for the full trust table.
Prior art
The mutual-assertion trust primitive mirrors the IAB Tech Lab’sads.txt and sellers.json reciprocal-publication model — and the app-ads.txt extension that proved the pattern moves cleanly from web bundles to mobile apps. A buyer is trusted as a seller’s reseller iff both sides publish the relationship at well-known URLs. Same trust shape, same non-cryptographic “who claims what about whom” verification, same fallback to one-sided / unverified for partial publication. A deployed, durable industry pattern.
The well-known URL plus structured JSON resource discovery shape predates ads.txt — see WebFinger (RFC 7033) and host-meta (RFC 6415) for the IETF analogue. brand.json borrows this convention via RFC 8615.
Within AdCP, the provenance verifier contract (seller-publishes / buyer-represents / seller-confirms) uses the same family of construction for a different field family.
Best practices
- Start simple: Begin with minimal brand.json and add complexity as needed
- Use redirects for subsidiaries: Point brand domains to house domain
- List all properties: Include regional domains, apps, and legacy domains
- Keep names current: Include localized names and common aliases
- Visual guidelines are optional: Add them when you need generative systems to produce on-brand assets consistently. Start with colorways and restrictions — they have the highest immediate impact.
- Keep portfolios lean: For house portfolios with many brands, include visual guidelines only on brands that need them. Full visual guidelines on every brand in a large portfolio increases file size significantly.