Published: January 12, 2026
Chrome 143 introduces updates to the Federated Credential Management (FedCM) API to improve privacy, developer experience, and browser interoperability. These changes are based on feedback from identity providers (IdPs), relying parties (RPs), and the web community.
The key updates are:
- Support for structured JSON responses
- Stricter validation for client metadata
- API consistency improvements
Support structured JSON responses from the ID assertion endpoint
Previously, the FedCM ID assertion endpoint
required the token property in its response to be a string. This forced
developers to manually serialize data into a JSON string on the server and parse
it on the client.
Starting in Chrome 143, the ID assertion endpoint
supports a structured JSON object as the value for the token property, for
example:
{
"token": {
"access_token": "a1b2c3d4e5f6...",
"user_info": {
"email": "jane.doe@company.example",
"given_name": "Jane",
"family_name": "Doe"
}
}
}
This change removes the need for manual JSON serializing and parsing, and allows IdPs to return additional information.
Try this feature out with the FedCM demo or refer to the Implement FedCM on the Identity Provider side guide for up-to-date information on how the updated ID assertion endpoint response is structured.
Validate client metadata
To better protect user privacy, FedCM is strengthening validation for IdP endpoints. This change prevents an IdP from matching an RP to a unique ID passed as a path parameter.
If your FedCM configuration
uses the client_metadata endpoint, you must include the accounts_endpoint and
login_url in your .well-known/web-identity file. From Chrome 145, the browser
enforces the accounts_endpoint parameter in the well-known file.
{
"accounts_endpoint": "/example-accounts",
"login_url": "/example-login"
}
For more details, see the FedCM implementation guide.
API consistency and error handling updates
Chrome 143 introduces two changes to improve FedCM API clarity and consistency across browsers, aligning with web ecosystem feedback.
Relocate the nonce parameter
Starting from the version 145, Chrome discontinues support for the top-level
nonce parameter. You must pass the nonce parameter within the params object
in the navigator.credentials.get() call:
const credential = await navigator.credentials.get({
identity: {
providers: [{
// Don't pass nonce as a top-level parameter here
configURL: "/fedcm.json",
clientId: "123",
params: {
// Place nonce within the params object
nonce: "a-random-nonce"
}
}]
}
});
Ensure your server-side logic expects the nonce within the params object in
the ID assertion endpoint.
Rename IdentityCredentialError.code to IdentityCredentialError.error
To prevent naming collisions with the built-in DOMException.code property,
IdentityCredentialError.code has been renamed to IdentityCredentialError.error.
This change will be enforced starting in Chrome 145.
try {
// FedCM API call
} catch (e) {
// Renamed IdentityCredentialError.code to IdentityCredentialError.error:
console.log(e.error);
}
To ensure backward compatibility during the transition period (Chrome 143 and
144), check for both code and error properties in your error handling logic.
This ensures your solution works in older browsers while users update to newer
versions of Chrome:
// In older browsers, the property might still be named 'code'
// during the transition period
const errorCode = e.error ?? e.code;
if (errorCode) {
// Handle specific error types
} else {
console.error("An unknown error occurred", e);
}
Learn more in the Return an error response section of the FedCM documentation.
Share your feedback
We value your input as we continue to develop and improve FedCM. If you have feedback or encounter any issues:
- File an issue on our GitHub repository.
- Join our developer newsletter mailing list to stay up-to-date with the latest announcements.