How the Private State Tokens API works

The Private State Tokens API relies on a two-party system:

  1. Issuers: These are providers who issue tokens containing information about a browser's level of trust. For instance, a user completing a CAPTCHA might increase their trust level with the issuer. If you're interested in becoming a Private State Tokens issuer, you'll need to complete the Issuer registration process.
  2. Redeemers: These are websites or third-party embed owners who require a trust signal for actions like logins or payment transactions. They redeem the tokens issued to users by an issuer.

Here's a sample flow of issuance and redemption of Private State Tokens: 

ISSUANCE

  1. Unknown user visits a website that uses an anti-fraud service. This is the first time the user has visited a site with the anti-fraud service, so the user is unknown to it.
  2. Anti-fraud service confirms user authenticity. The service may observe the user, give them a challenge, use two-factor authentication to prove their trustworthiness, or apply any other combination of mechanisms.
  3. Token issued with a cryptographic key indicating trust level. The service issues a token with a value that corresponds to its level of trust in the user. This token is stored in the browser and stays with the user as they browse.

REDEMPTION

  1. Same user visits another website that uses the same anti-fraud service. The anti-fraud service checks whether it has previously stored any tokens in the user's browser.
  2. Anti-fraud provider redeems tokens and reads the stored value. The anti-fraud service can read the previously stored cryptographic key and decide whether the user needs additional authorization to continue.

Here's how the Private State Tokens API works in this scenario:

  • Issuance: When a user logs in or interacts with a website (SiteA) in a way that builds trust (for example, browsing history, account activity), SiteA can issue a Private State Token. This token represents the user's trust level without revealing any personal details.
  • Redemption: When the user proceeds to a checkout or payment page (potentially on a different site, SiteB), SiteB can request to redeem the token. The browser securely transmits the token to SiteB.
  • Anti-fraud confirmation: SiteB uses the token to assess the user's trust level, helping to prevent fraudulent transactions. The token itself doesn't contain personal data, preserving user privacy.

This process enables websites to enhance security and combat fraud while respecting user privacy.
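As an added example (not code from this Help Center page or from Chrome itself), here is the browser-side half of the flow above, using the `privateToken` option on fetch() and document.hasPrivateToken() as shipped in Chrome; the issuer and SiteB URLs are assumed placeholders, and the access decision on a missing token is this example's own policy.

```javascript
// Added example, not code from the Help Center page or from Chrome itself:
// the browser-side half of the issuance/redemption flow, using the
// `privateToken` fetch() option and document.hasPrivateToken() that Chrome
// ships. All URLs are assumed placeholders.
const ISSUER = 'https://issuer.example';                 // assumed issuer origin
const ISSUE_URL = `${ISSUER}/issue`;                     // assumed issuance endpoint
const REDEEM_URL = `${ISSUER}/redeem`;                   // assumed redemption endpoint
const VERIFY_URL = 'https://siteb.example/api/checkout'; // assumed SiteB backend

// Builds the fetch() arguments for each step. The browser does the blinding,
// token storage and redemption-record handling; the page only names the operation.
function buildRequest(step) {
  switch (step) {
    case 'issue':   // issuance: browser obtains signed tokens from the issuer
      return [ISSUE_URL, { privateToken: { version: 1, operation: 'token-request' } }];
    case 'redeem':  // redemption: browser spends one token and caches the record
      return [REDEEM_URL, { privateToken: { version: 1, operation: 'token-redemption', refreshPolicy: 'none' } }];
    case 'verify':  // forward the cached redemption record to SiteB's backend
      return [VERIFY_URL, { privateToken: { version: 1, operation: 'send-redemption-record', issuers: [ISSUER] } }];
    default:
      throw new Error(`unknown step: ${step}`);
  }
}

// Turns the outcome of the redemption steps into SiteB's anti-fraud decision
// (this policy is the example's own). A missing token is not proof of fraud:
// the user may simply be new, so SiteB falls back to its own challenge rather
// than blocking outright.
function decide({ hasToken, redeemOk, verifyOk }) {
  if (!hasToken) return 'challenge';               // no trust signal yet
  if (!redeemOk || !verifyOk) return 'challenge';  // token present but not usable
  return 'allow';
}

// Orchestrates redemption in the browser. Runs only in a browser context;
// `doc` and `fetchImpl` are injectable so the logic can be exercised elsewhere.
async function checkoutTrust(doc = document, fetchImpl = fetch) {
  const hasToken = await doc.hasPrivateToken(ISSUER);
  let redeemOk = false;
  let verifyOk = false;
  if (hasToken) {
    redeemOk = (await fetchImpl(...buildRequest('redeem'))).ok;
    if (redeemOk) verifyOk = (await fetchImpl(...buildRequest('verify'))).ok;
  }
  return decide({ hasToken, redeemOk, verifyOk });
}
```

Issuance (`buildRequest('issue')`) is triggered from a page on SiteA after the issuer has decided the user is trustworthy; the token itself never reaches page JavaScript, only the success of the fetch does.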

Learn more about how the Private State Tokens API works in the developer documentation.
