Who's really selling this impression? The 2026 state of supply-chain transparency

Every bid request is a claim. It says: this impression is real, it’s on this domain, and I’m authorized to sell it to you. For most of programmatic’s history, buyers had no way to check that claim. They took it on faith — and fraudsters took the budget.

ads.txt and sellers.json were the industry’s answer. Two plain-text files that turned an opaque supply chain into something a buyer could actually read. Nearly a decade on, those files are more load-bearing than ever. And in 2026, the fight over what else buyers should be allowed to see has become the defining story in programmatic.

Here’s where transparency actually stands — the foundations, the gaps, and what changed this year.

The two files that made the supply chain legible

Programmatic media moves through a chain of intermediaries: a publisher’s site or app, one or more exchanges and SSPs, sometimes a reseller or two, and finally a DSP buying on behalf of an advertiser. Each hop is an opportunity to misrepresent what’s being sold. The IAB Tech Lab’s transparency standards exist to make every hop declarable and checkable.

ads.txt (Authorized Digital Sellers). Launched in 2017, ads.txt is a file a publisher hosts at the root of its own domain — publisher.com/ads.txt. It lists exactly which exchanges and SSPs are authorized to sell that publisher’s inventory, and under what seller ID. If a bid request claims to be selling publisher.com through an account that isn’t in that file, the buyer knows to walk away. It was the single most effective blow ever struck against domain spoofing, and adoption was near-universal within two years.

app-ads.txt. The same idea, extended to mobile, CTV, and OTT — where there’s no browser URL to anchor identity. The file lives on the developer’s website, and the app’s store listing points to it. For connected-TV inventory in particular, app-ads.txt is the difference between a verifiable app and an unaccountable one.

sellers.json. ads.txt names the seller’s account; sellers.json tells you who that account actually is. It’s a public file hosted by each exchange listing every seller operating on it, whether each one is selling its own inventory (PUBLISHER), reselling someone else’s (INTERMEDIARY), or both. Cross-reference the two and a buyer can resolve a seller ID into a real, named business.

The SupplyChain object (schain). The files describe the supply chain at rest. The SupplyChain object describes it in motion. It rides inside the OpenRTB bid request and records every entity that touched the impression on its way to the auction — a runtime receipt for the path the inventory actually took.

ads.txt tells you who’s allowed to sell the impression. sellers.json tells you who they are. The SupplyChain object proves who actually did.

Used together, the three give a buyer something the open web never had: the ability to look at a bid request and answer “who am I really buying from, and is the whole chain legitimate?” without taking anyone’s word for it.

ads.txt 1.1: ownership versus monetization

The standard wasn’t frozen in 2017. The most consequential update, ads.txt 1.1, shipped in August 2022 and remains the current version in 2026. It added two directives that closed a real gap:

• OWNERDOMAIN declares the business that actually owns the inventory — useful when one company operates many domains, or when sites change hands.
• MANAGERDOMAIN declares the partner responsible for monetizing it, for publishers represented by a sales house or ad-management partner.

The distinction matters because ownership and monetization are often two different companies, and buyers increasingly want to know both — who profits from the inventory, and who’s the most direct path to buy it. The Tech Lab now recommends declaring OWNERDOMAIN on every ads.txt file, even when it’s identical to the host domain, precisely so the absence of a signal stops being ambiguous.

The gap the files still leave

A standard is only as good as its adoption and accuracy — and this is where 2026 gets honest. Per IAB Tech Lab supply-chain data, roughly 8–9% of bid requests still come from sellers with no sellers.json entry at all, and a further slice carry a sellers.json record with no declared seller domain. In-app is worse than web on both counts.

That residue is where ambiguity — and risk — concentrates. The files made the legible part of the supply chain trustworthy. They did nothing for the part that simply declines to fill itself out. Transparency, it turns out, is not a feature you ship once. It’s a participation rate you defend continuously.

2026: the transparency reckoning

If the 2017–2022 era was about who is authorized to sell, 2026 is about a harder question: can you trust the auction itself? Four threads converged this year.

The transaction-ID fracture. For years, OpenRTB’s source.tid was the single thread stitching an auction together — one shared ID, consistent across every participant, so buyers and sellers could reconcile the same opportunity. In August 2025, Prebid began issuing bidder-specific transaction IDs to reduce data leakage and protect publisher pricing. Defensible goal, real side effect: the industry lost its one common reference point, and the debate over whether buyers are owed a shared ID — versus whether that ID leaks publisher data — is now openly contested.

Bid duplication and the waste it hides. The same underlying impression routinely surfaces across multiple SSPs as “distinct” bid requests, inflating apparent competition and muddying price. OMD’s Ben Hovaness has pegged the cost of this duplication at roughly five cents on every programmatic dollar, for no benefit to anyone. Zoom out and the picture is starker: the ANA estimates around $20 billion in annual open-web programmatic waste, with only about 36 cents of each dollar reaching the publisher after fees and infrastructure.

Curation steps into the light. As buyers consolidate onto fewer, curated supply paths, a new question emerged: who actually assembled this deal? The IAB Tech Lab’s Deals API v1.0 — out for public comment through January 2026 — answers it by making the seller, packager, and curator roles explicit in a deal’s metadata, so every party can see where and how they’re included, and by whom. Curation without that disclosure is just a fee with better branding.

Regulators noticed. The AMERICA Act, reintroduced by Senator Mike Lee in March 2025, would bar companies above $20 billion in annual ad revenue from operating multiple layers of the supply chain at once — a structural answer to conflicts of interest that the industry has so far addressed only with disclosure.

All of which produced the year’s clearest signal that transparency has moved from plumbing to politics: in April 2026, the IAB Tech Lab launched a Programmatic Governance Council. Co-chaired by buy- and sell-side leaders and seating Dentsu, Omnicom, WPP, Disney, Magnite, PubMatic, Hearst, News Corp, Yahoo, Amazon Ads, The Trade Desk, Raptive and Mediavine, its remit is auction transparency, consistent transaction signals, and alignment on what “trustworthy programmatic execution” even means — with first recommendations promised within 90 to 120 days. As Tech Lab CEO Tony Katsur put it, it won’t “be all puppy dogs and rainbows.” That it exists at all says the foundational files are no longer enough on their own.

What it means for publishers and buyers

The takeaway isn’t to wait for a council. It’s that transparency is now a yield and quality strategy, not a compliance checkbox.

1. Keep your declarations clean and current. A complete, correct ads.txt / app-ads.txt and sellers.json presence — with OWNERDOMAIN and MANAGERDOMAIN declared — is table stakes. Stale or missing entries don’t just fail audits; they quietly route your inventory into the 8–9% buyers are learning to discount.

2. Audit your supply paths, don’t just count them. The win of recent years isn’t more demand — it’s fewer, verifiable paths. Median SSP counts per advertiser are already falling as curation takes hold. Favor the path you can prove over the one that merely promises reach.

3. Get log-level data rights in writing. You can’t reconcile a supply chain you can’t see. Far too few buyers actually hold the contractual right to their own log-level data. Put it in the IO and the MSA.

4. Treat the bid request as the unit of trust. Domain-level allow-lists were the last decade’s tool. The questions that matter now — duplication, curation, the integrity of the auction — live inside the bid request itself.

The shorter path is the honest one

The files did their job: they made it possible to know who’s allowed to sell an impression. The frontier of 2026 is proving who actually sold it, what they added, and what they charged to be in the middle. That’s not a documentation problem anymore — it’s an architecture one.

We think the answer is the same one we built Lumorrow on: transparency works best when it’s designed into the auction, not bolted on after it clears. A supply chain you can read in real time, with the shortest honest path between a publisher and a buyer, isn’t a compliance artifact. It’s the product.

---

Lumorrow is an AI-native exchange built for verifiable, short supply paths across web, CTV, and OTT. See how the platform works → or explore what it means for publishers →.