Can I secure the output feed in Mergado?#
Why secure your output feed#
The output feed from Mergado contains all the data you send to advertising platforms (e.g. Heureka, Google, or Facebook) after editing. Although this feed is typically only read by the platform you share it with, it’s understandable that you want to protect your advertising data and keep unauthorized people out.
How Mergado protects output feeds#
Mergado doesn’t support password-protecting output feeds (HTTP authentication), but access to output feeds is naturally restricted thanks to their unique and undiscoverable URLs.
1. Long hash in the URL#
Every output feed generated by Mergado has a unique URL containing a long security key (hash). This hash is impossible to guess, making the feed not publicly discoverable or indexable by search engines.
Your output feed URL will look something like this: https://data.mergado.com/12345/export_87f14aab7e9d4c21.xml
Only those you share the URL with (e.g. the advertising platform the output feed is intended for) will know the address.
2. Access via secure HTTPS#
All communication between Mergado and target platforms uses the encrypted HTTPS protocol, so feed data cannot be read or intercepted during transfer.
3. Access logging#
Mergado records the history of feed downloads (including date, time, IP address, and server response). This lets you monitor whether only expected platforms are downloading the feed, or whether someone unauthorized is accessing it.
You can find download information on the History page of each project, where you can filter recorded events to show only Downloads and see when and who downloaded the output feed.
Tip! For easier searching, we recommend downloading the filtered download history as a CSV file and opening it in Excel, where you can search for specific user agents, group data, or apply additional filters.
4. Protection via the Symlink Stork extension#
If you want full control over who can access your output feed, you can use the Symlink Stork extension. It lets you allow access to your output feed URL only from selected IP addresses. Learn more about Symlink Stork and this feature here.
How to get a new output feed URL for an existing project#
In Project Settings, you can generate a new security key (hash) for the existing URL. This changes the 32-character random string in the original URL.
To generate a new hash:
- In the selected project, go to the Settings page.
- Next to the Output feed field, click the pencil icon.
- Check the I know what I’m doing checkbox.
- Confirm by clicking Generate new URL.
- The output URL change takes effect after the next data export.
- If you don’t want to wait for automatic regeneration, run the export manually. Go to the Settings page, click the Regeneration tab, and click Run export. Once the export finishes, you’ll see the updated output feed URL on the Overview page.
Tip! Changing the output feed URL affects all connected services. Don’t forget to check the services where you use this URL and update it wherever needed.
Another option for getting a completely new output feed URL is to duplicate the project and then delete the original. During duplication, most information is carried over from the original project, but a new unique output feed URL is created for the duplicate. You can then delete the original project (which also removes its output feed URL) and replace the original URL on advertising channels with the new one.
Learn more about project duplication in this article.
FAQ#
Is it possible to password-protect the output feed?#
No, output feeds in Mergado can’t be password-protected (e.g. via HTTP authentication). However, they are protected by their unique URL, which cannot be guessed or publicly found through search engines.
How is the output feed protected?#
Each output feed has its own unique URL containing a long security key (hash). This makes the feed non-indexable, and only those you share the link with (e.g. Heureka, Google, Facebook) know the address. Additionally, Mergado transfers all data via the encrypted HTTPS protocol, so it can’t be read during transfer.
Can I find out who is downloading the output feed?#
Yes. On the History page of each project, you can view feed download records — when downloads occurred, from which IP address, and what server response was returned. This lets you check whether only expected systems (e.g. Heureka, Google) are downloading the feed, or if someone else is accessing it. You can also filter and export the download history to CSV for further analysis.
What if I want the output feed to have a new URL?#
You can get a new output feed URL in two ways:
1. Generate a new security key (hash): In the project, go to Settings and next to the Output feed field, click the pencil icon. Check I know what I’m doing and confirm by clicking Generate new URL.
This changes the 32-character security key in the original URL. The URL change takes effect after the next data export. If you don’t want to wait for automatic regeneration, you can run the export manually in Settings → Regeneration → Run export. Once the export finishes, you’ll find the updated URL on the Overview page.
Tip: The URL change affects all services that use this address (e.g. advertising platforms or analytics systems). Don’t forget to update it in those places.
2. Duplicate the project: If you need a completely new URL, you can duplicate the project. The new project keeps most settings but gets a new unique output feed URL. You can then delete the original project, removing its output feed URL, and replace it with the new address on advertising channels.
Learn more about project duplication in this article.
Why doesn’t Mergado support traditional password protection?#
Password protection would prevent direct access for advertising systems (e.g. Heureka or Google), which connect to the feed automatically and can’t enter login credentials. A unique URL with a hash is therefore a safer and more universal solution that doesn’t limit your campaign functionality.
Can I restrict output feed access to specific IP addresses?#
Yes, you can. If you want only specific servers to access your output feed, use the Symlink Stork extension. It lets you set up access so that only selected IP addresses can reach the output feed — all other access attempts will be blocked. This gives you maximum control over who can download your data.