Device Bound Session Credentials: Second origin trial begins

Daniel Rubery

Device Bound Session Credentials (DBSC) begins its second origin trial, starting in October 2025. This phase expands testing to real-world environments and incorporates developer feedback from the first trial. The origin trial is scheduled to run until early February 2026.

What's new in this origin trial

This release focuses on improving reliability, consistency, and clarity in the DBSC flow, while introducing new features that provide more flexible integration.

Expanded capabilities

  • Cross-site session support: If you have multiple sites sharing the same authentication backend, you can configure DBSC sessions to share keys across those sites.
  • New diagnostic header: The new Secure-Session-Skipped header explains why a refresh request did not complete, improving observability during testing.

Key protocol and compatibility updates

The DBSC flow includes several notable technical changes:

  • Header name changes: Most headers start with the Secure-Session- prefix instead of Sec-Session.
  • New JWT schema: A new JWT schema improves consistency and standardization across implementations.
  • HTTP status update: DBSC uses 403 Forbidden instead of 401 Unauthorized in challenge flows.
  • Minor field changes: Some parameters, such as include_site, are required instead of optional.

For a detailed list of updates, see the Chromium hotlist. Also, see the integration guide.
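The protocol changes listed above can be checked mechanically against responses captured from a first-trial integration. The following is an added example, not code from the Chromium project or the integration guide. The capture record format, the `is_session_config` flag, the finding labels, and the placeholder header suffixes and JSON fields are assumptions; only the two header prefixes, the 401/403 change, and the `include_site` parameter come from this page.

```python
import json

LEGACY_PREFIX = "sec-session-"      # first-trial header prefix named above
CURRENT_PREFIX = "secure-session-"  # second-trial header prefix named above

def has_key(node, key):
    """Search parsed JSON for a key at any depth (no schema layout assumed)."""
    if isinstance(node, dict):
        return key in node or any(has_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(has_key(v, key) for v in node)
    return False

def audit(capture):
    """Return migration findings for one captured response.

    capture is a hypothetical record: status (int), headers (dict),
    body (str), is_session_config (bool, set by whoever took the capture).
    """
    findings = []
    names = [name.lower() for name in capture["headers"]]
    legacy = [n for n in names if n.startswith(LEGACY_PREFIX)]
    if legacy:
        findings.append("legacy-prefix:" + ",".join(sorted(legacy)))
    dbsc = legacy or [n for n in names if n.startswith(CURRENT_PREFIX)]
    # Heuristic: a 401 that carries DBSC headers is an old-style challenge.
    if dbsc and capture["status"] == 401:
        findings.append("status-401-should-be-403")
    if capture.get("is_session_config"):
        try:
            config = json.loads(capture["body"])
        except json.JSONDecodeError:
            findings.append("session-config-not-json")
        else:
            if not has_key(config, "include_site"):
                findings.append("missing-include_site")
    return findings

# Constructed captures: header suffixes and JSON fields other than the names
# quoted on the page are placeholders, not the real DBSC schema.
CAPTURES = [
    {"status": 401, "headers": {"Sec-Session-Example": "x"}, "body": ""},
    {"status": 403, "headers": {"Secure-Session-Example": "x"}, "body": ""},
    {"status": 200, "headers": {}, "is_session_config": True,
     "body": '{"example_scope": {"origin": "https://example.test"}}'},
    {"status": 200, "headers": {}, "is_session_config": True,
     "body": '{"example_scope": {"include_site": true}}'},
]

if __name__ == "__main__":
    for capture in CAPTURES:
        print(capture["status"], audit(capture) or "ok")
```

The 401 check is a heuristic: it flags any 401 that carries DBSC-prefixed headers, so confirm each hit against the integration guide before changing server behavior.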

Platform availability

This origin trial is available on Windows devices with Trusted Platform Modules (TPM). Support for other platforms will expand.

How to participate

If you're testing DBSC for the first time, begin manual testing by following the testing guide. DevTools integration is in progress, so debugging relies on Chrome histograms and network logs.

When your implementation is ready, register for an origin trial token.

Add your token to the page that issues the Secure-Session-Registration header, which is typically your login page. You don't need the token on refresh or registration endpoints.

Share your feedback

We're excited to see how you adopt DBSC to protect your sessions against cookie theft and hijacking. Share your experience and report issues on the GitHub repository.

By participating in this origin trial, you're helping shape the next generation of web session security.