Trust Tokens is a new API to enable a website to convey a limited amount of information from one browsing context to another (for example, across sites) to help combat fraud, without passive tracking.
- In origin trial Chrome 84 to 94.
- Register for the trial.
- Chrome DevTools integration.
- Chrome Platform Status.
What are Trust Tokens?
Trust Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without passive tracking.
- An issuer website can issue tokens to the web browser of a user who shows that they're trustworthy, for example through continued account usage, by completing a transaction, or by getting an acceptable reCAPTCHA score.
- A redeemer website can confirm that a user is not fake by checking if they have tokens from an issuer the redeemer trusts, and then redeeming tokens as necessary.
Trust tokens are encrypted, so it isn't possible to identify an individual or connect trusted and untrusted instances to discover user identity.
Trust Tokens are not a replacement for reCAPTCHA or other mechanisms for determining whether or not a user is who they say they are.
Trust Tokens are a way to convey trust in a user, not establish trust in a user.
Why do we need Trust Tokens?
The web needs ways to establish and convey trust signals which show that a user is who they say they are, and not a bot pretending to be a human or a malicious third-party defrauding a real person or service. Fraud protection is particularly important for advertisers, ad providers, and CDNs.
Unfortunately, many existing mechanisms to gauge and propagate trustworthiness—to work out if an interaction with a site is from a real human, for example—take advantage of techniques that can also be used for fingerprinting. Mechanisms to convey trust must preserve privacy, enabling trust to be propagated across sites without individual user tracking.
With the Trust Tokens API, a website can issue cryptographic tokens to a user it trusts, which can later be used elsewhere. The tokens are stored securely by the user's browser, and can then be redeemed in other contexts to confirm the user's authenticity. This allows trust of a user on one website (such as a social media site or email service) to be conveyed to another website (such as a publisher or online store) without identifying the user or linking identities across sites.
How do Trust Tokens work?
In this example a publisher website wants to check if a user is a real human, and not a bot, before displaying an ad.
- A user visits a website (known as an issuer) and performs actions that lead the site to believe that the user is a real human, such as making purchases, using an email account or successfully completing reCAPTCHA.
- The issuer site responds with token data.
- The user's browser securely stores data for the trust token.
- The user visits a different website (such as a news publisher) that wants to verify if the user is a real human: for example, when displaying ads.
- The site uses the Trust Tokens API to check if the user's browser has trust tokens stored for issuers that the site trusts.
- Trust tokens are found for the issuer the user visited previously.
- The publisher site makes a request to the issuer to redeem the trust tokens.
- The issuer site responds with a Redemption Record.
- The publisher site makes a request to an ad platform, including the Redemption Record to show that the user is trusted by the issuer to be a real human.
- The ad platform provides the data required to display an ad.
- The publisher site displays the ad.
- An ad view impression is counted.
Engage and share feedback
- Origin trial: Register and take part in the Chrome origin trial.
- Demo: Try out trust token issuance and redemption.
- GitHub: Read the proposal, raise questions and follow discussion.
- W3C: Discuss industry use cases in the Improving Web Advertising Business Group.
- IETF: Provide technical input for the underlying protocol in the IETF Privacy Pass working group.
- Developer support: Ask questions and join discussions on the Privacy Sandbox Developer Support repo.