Private State Tokens  |  Privacy Sandbox  |  Google for Developers (2024)


Implementation status

What are Private State Tokens?

Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans, without passive tracking.

  • An issuer website can issue tokens to the web browser of a user who shows that they're trustworthy, for example through continued account usage, by completing a transaction, or by getting an acceptable reCAPTCHA score.
  • A redeemer website can confirm that a user is not fake by checking whether they have tokens from an issuer the redeemer trusts, and then redeeming tokens as necessary.

Private State Tokens are issued with a blind-signature protocol: the issuer signs tokens it cannot later recognise individually, so a redeemed token cannot be tied back to the issuance event. It therefore isn't possible to identify an individual from a token, or to connect trusted and untrusted contexts to discover a user's identity.

Why do we need Private State Tokens?

The web needs ways to establish and convey trust signals which show that a user is who they say they are, and not a bot pretending to be a human or a malicious third party defrauding a real person or service. Fraud protection is particularly important for advertisers, ad providers, and CDNs.

Unfortunately, many existing mechanisms to gauge and propagate trustworthiness (to work out if an interaction with a site is from a real human, for example) rely on techniques that can also be used for fingerprinting. Mechanisms to convey trust must preserve privacy, enabling trust to be propagated across sites without tracking individual users.

With the Private State Token API, a website can issue cryptographic tokens to a user it trusts, which can later be used elsewhere. The tokens are stored securely by the user's browser, and can then be redeemed in other contexts to confirm the user's authenticity. This allows trust of a user on one website (such as a social media site or email service) to be conveyed to another website (such as a publisher or online store) without identifying the user or linking identities across sites.

How do Private State Tokens work?

In this example a publisher website wants to check if a user is a real human, and not a bot, before displaying an ad.

  1. A user visits a website (known as an issuer) and performs actions that lead the site to believe that the user is a real human, such as making purchases, using an email account or successfully completing reCAPTCHA.
  2. The issuer site uses the Private State Token JavaScript API (a fetch() request carrying the privateToken option) to trigger a token request from the user's browser.
  3. The issuer site responds with signed token data.
  4. The user's browser securely stores the tokens; page script never sees the token bytes.
  5. The user visits a different website (such as a news publisher) that wants to verify that the user is a real human: for example, when displaying ads.
  6. The site uses the Private State Token API to check whether the user's browser has tokens stored for issuers that the site trusts.
  7. Tokens are found for the issuer the user visited previously.
  8. The publisher site has the browser send a redemption request to the issuer, which spends one of the stored tokens.
  9. The issuer site responds with a Redemption Record, which the browser stores.
  10. The publisher site makes a request to an ad platform, including the Redemption Record to show that the user is trusted by the issuer to be a real human.
  11. The ad platform provides the data required to display an ad.
  12. The publisher site displays the ad.
  13. An ad view impression is counted.

Chrome DevTools lets you inspect Private State Token operations from the Network and Application tabs. Read more about this DevTools integration and about Private State Tokens.

How do websites handle tokens from multiple trusted issuers?

The site can check a user's browser for valid tokens with document.hasPrivateToken() (named document.hasTrustToken() in earlier Chrome versions) for one issuer at a time. If this resolves to true and a token is available, the site can redeem the token and stop looking for other tokens.

The website must decide which token issuers to check and in what order. Keep the list short: Chrome caps the number of issuers a single top-level site can be associated with (two in current Chrome), and a negative result from every trusted issuer only means the browser holds no token, not that the visitor is a bot, so the page should fall back to its other signals rather than block.
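The walkthrough above and the multiple-issuer check are easiest to see as code. The following is an added example written for this page (it is not Google's code and not part of the Privacy Sandbox documentation): a redeemer-side helper that walks the site's trusted issuers in preference order, redeems the first token the browser holds and forwards the Redemption Record to the ad platform, plus the issuer-side call that triggers issuance. The browser surfaces it relies on are document.hasPrivateToken() and fetch() with the privateToken request option; the issuer and ad-platform URLs, the well-known paths and the batch size are hypothetical placeholders, and the fake browser at the bottom is a constructed stand-in so the flow can be run offline.

```javascript
// Added example (not Google's code). Redeemer-side flow for Private State Tokens,
// written so it can be exercised offline against a constructed fake browser.

const TRUSTED_ISSUERS = [
  'https://issuer-a.example', // hypothetical issuer, checked first
  'https://issuer-b.example', // hypothetical issuer, fallback
];

// Issuer side (step 2): runs on the issuer's own origin once the user has shown
// they are trustworthy. The browser blinds and attaches the token batch in the
// Sec-Private-State-Token request header; page script never sees token bytes.
async function requestTokens(issuerOrigin, fetchImpl = fetch) {
  const res = await fetchImpl(`${issuerOrigin}/.well-known/private-state-token/issuance`, {
    method: 'POST',
    privateToken: { version: 1, operation: 'token-request' },
  });
  return res.ok;
}

// Redeemer side (step 6): first trusted issuer the browser has a token for,
// honouring the order of the list (hasPrivateToken is one issuer at a time).
async function findIssuerWithToken(issuers, doc = document) {
  for (const issuer of issuers) {
    if (await doc.hasPrivateToken(issuer)) return issuer;
  }
  return null;
}

// Steps 8 and 9: redeem one token with that issuer; the browser stores the
// returned Redemption Record. refreshPolicy 'none' reuses a cached record
// instead of spending another token.
async function redeemToken(issuer, fetchImpl = fetch) {
  const res = await fetchImpl(`${issuer}/.well-known/private-state-token/redemption`, {
    method: 'POST',
    privateToken: { version: 1, operation: 'token-redemption', refreshPolicy: 'none' },
  });
  return res.ok;
}

// Step 10: attach the stored Redemption Record(s) to the ad-platform request.
async function sendRedemptionRecord(adPlatformUrl, issuers, fetchImpl = fetch) {
  const res = await fetchImpl(adPlatformUrl, {
    privateToken: { version: 1, operation: 'send-redemption-record', issuers },
  });
  return res.ok;
}

// Whole redeemer flow. Resolves to the issuer that vouched for the user, or null
// if no trusted issuer had a token (the page should then fall back to its other
// signals rather than treat the visitor as a bot).
async function verifyUser(issuers, adPlatformUrl, { doc = document, fetchImpl = fetch } = {}) {
  const issuer = await findIssuerWithToken(issuers, doc);
  if (issuer === null) return null;
  if (!(await redeemToken(issuer, fetchImpl))) return null;
  if (!(await sendRedemptionRecord(adPlatformUrl, [issuer], fetchImpl))) return null;
  return issuer;
}

// Constructed stand-in for the browser so the flow runs offline (e.g. in Node).
// It models a per-issuer token store, the Redemption Record cache and the three
// privateToken operations; it performs no cryptography.
function makeFakeBrowser(tokensByIssuer) {
  const tokens = new Map(Object.entries(tokensByIssuer)); // issuer -> token count
  const records = new Map();                              // issuer -> Redemption Record
  const doc = { hasPrivateToken: async (issuer) => (tokens.get(issuer) || 0) > 0 };
  const fetchImpl = async (url, init = {}) => {
    const origin = new URL(url).origin;
    const pt = init.privateToken || {};
    switch (pt.operation) {
      case 'token-request':            // issuer hands out a batch of 10 (assumed size)
        tokens.set(origin, (tokens.get(origin) || 0) + 10);
        return { ok: true };
      case 'token-redemption': {
        if (pt.refreshPolicy === 'none' && records.has(origin)) return { ok: true };
        const n = tokens.get(origin) || 0;
        if (n === 0) return { ok: false, status: 400 }; // nothing to spend
        tokens.set(origin, n - 1);
        records.set(origin, `RR(${origin})`);
        return { ok: true };
      }
      case 'send-redemption-record':   // ad platform wants at least one record
        return { ok: pt.issuers.some((i) => records.has(i)) };
      default:
        return { ok: true };
    }
  };
  return { doc, fetchImpl, tokensRemaining: (issuer) => tokens.get(issuer) || 0 };
}

// Demo: the browser holds two tokens from issuer-b only, so issuer-a is skipped
// and one issuer-b token is spent.
async function demo() {
  const browser = makeFakeBrowser({ 'https://issuer-b.example': 2 });
  const issuer = await verifyUser(TRUSTED_ISSUERS, 'https://ads.example/bid', browser);
  console.log('vouched by:', issuer, '| issuer-b tokens left:', browser.tokensRemaining('https://issuer-b.example'));
}
demo();
```

In a real page you would drop the fake browser and call verifyUser(TRUSTED_ISSUERS, adUrl) with the defaults, so document and fetch are the browser's own. Note that redemption spends a token, so a site that redeems on every page view will exhaust the batch quickly; refreshPolicy 'none' and checking the cached Redemption Record first keeps token use proportional to how often the trust signal actually needs renewing.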

Use cases

Private State Tokens (PST) support a range of anti-fraud use cases. At its core, PST can act as an additional trust signal because the API is able to encode pieces of information that can help convey trust from one context to another. As third-party cookies go away, we recognize that it will be critical to make sure that use cases such as the following can still function as needed. All of the PST use cases require both issuers and redeemers to work together. You may like to consider PST if you have use cases similar to any of the following:

  • Anti-fraud services: Preventing fraud is a legitimate use case that the web should support, but it shouldn't require a stable, global, per-user identifier. In third-party contexts, PST can be used for segmenting users into trusted and untrusted sets.
  • Analyzing ad fraud: PST can be useful for analyzing fraudulent clicks, impressions, and bot schemes in ad tech services.
  • Bot detection: After you run your analysis on whether a browser is a bot or not, PST can help encode that information to be shared from one context to another.
  • Secure payments: To detect threats that are harder to identify in a third-party context with limited information (like carding), PST can be used as an additional signal to convey trust.
  • Anti-abuse services in ecommerce: Detecting bots in ecommerce interactions (clicks, checkout, purchase, product ratings, chat bots, returns) is very important to avoid page scraping and non-human interactions. This can be an important additional signal to detect automated agents for third-party anti-fraud providers in ecommerce platforms.
  • CDN services: PST provide a mechanism to aid in the reporting and detection of fraudulent traffic.

This list of use cases is not an exhaustive list of all anti-fraud capabilities that may benefit from Private State Tokens. The list is also not mutually exclusive: PST may benefit multiple anti-fraud workflows at once.

User journeys

Issuance and redemption are the key components of Private State Tokens. While the previous use cases are the key areas where PSTs would be supported, you can think about the following moments in certain user journeys as the instances where you would actually want to issue or redeem tokens:

  • Issue tokens during Account Management Flows (Login, Sign up, Password Reset, and so on)
  • Issue tokens after confirming a multi-factor authentication (MFA)
  • Issue tokens after high risk actions such as deleting payment history
  • Redeem tokens for cross-site confirmation before moderate risk actions
  • Redeem tokens for cross-site confirmation before high risk actions

Find out more

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-04-18 UTC.
