← Back to release summary

Private State Token API

Category

Miscellaneous

Type

New or changed feature

Status

Enabled by default (Chrome 115)

Intent stage

Prepare to ship

Summary

This is a new API for propagating user signals across sites, without using cross-site persistent identifiers like third party cookies for anti-fraud purposes. Anti-fraud methods that rely on third party cookies will not work once third party cookies are depreciated. The motivation of this API is to provide means to fight fraud in a world with no third party cookies.  Private State Token API does not generate or define anti-fraud signals. This is up to the corresponding first party and the token issuers. The API enforces limits on the information transferred in these signals for privacy concerns. Private State Token API is based on the Privacy Pass protocol from the IETF working group. It can be considered as a web-exposed form of the Privacy Pass protocols.  Private State Token API spec is to be updated for new versions and types of tokens. The API will be kept up to date with the Privacy Pass working group specs. Expected changes would be in the underlying cryptographic protocols and token issuance code. We do not expect changes in the developer facing fetch API. The Private State Token API was formerly known as the Trust Token API. It is renamed to more accurately capture the underlying semantics and to highlight the privacy benefits to users.

Motivation

The web ecosystem relies heavily on building trust signals to detect fraudulent or spammy actors. One common way this is done is via tracking an individual browser’s activity across the web, usually via associating stable identifiers across sites. Preventing fraud is a legitimate use case that the web should support, but it shouldn’t require an API as powerful as a stable, global, per-user identifier. In third party contexts, merely segmenting users into trusted and untrusted sets seems like a useful primitive that also preserves privacy. This kind of fraud protection is important both for CDNs, as well as for the ad industry which receives a large amount of invalid, fraudulent traffic.

Standards & signals

• Specification: https://wicg.github.io/trust-token-api
• Firefox: Negative
• Safari: No signal — Supportive of similar technology https://developer.apple.com/news/?id=huqjyh7k
• Web developers: Positive — A limited set of developers provided feedback on Private State Tokens, indicating that the tool was valuable for anti-fraud capabilities while also acknowledging some utility challenges (1). Other developers also found that Private State Tokens provided ability for authentication purposes (as illustrated by its use in the Privacy Sandbox k-Anonymity Server) (2). The team has evaluated the feedback and made updates to the proposal based on the ecosystem input.  1: https://github.com/antifraudcg/meetings/blob/main/2022/yahoo-trust-token.pdf 2: https://github.com/WICG/trust-token-api/issues/110
• Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1014199

Docs: https://docs.google.com/document/d/1TNnya6B8pyomDK2F1R9CL3dY10OAmqWlnCxsWyOBDVQ/edit

Explainers: https://github.com/WICG/trust-token-api

View on chromestatus.com