Private State Tokens

Implementation status

What are Private State Tokens?


Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without passive tracking.

  • An issuer website can issue tokens to the web browser of a user who shows that they're trustworthy, for example through continued account usage, by completing a transaction, or by getting an acceptable reCAPTCHA score.
  • A redeemer website can confirm that a user is not fake by checking if they have tokens from an issuer the redeemer trusts, and then redeeming tokens as necessary.

Private State Tokens are encrypted, so it isn't possible to identify an individual or connect trusted and untrusted instances to discover user identity.

Why do we need Private State Tokens?

The web needs ways to establish and convey trust signals which show that a user is who they say they are, and not a bot pretending to be a human or a malicious third-party defrauding a real person or service. Fraud protection is particularly important for advertisers, ad providers, and CDNs.

Unfortunately, many existing mechanisms to gauge and propagate trustworthiness—to work out if an interaction with a site is from a real human, for example—take advantage of techniques that can also be used for fingerprinting. Mechanisms to convey trust must preserve privacy, enabling trust to be propagated across sites without individual user tracking.

With the Private State Token API, a website can issue cryptographic tokens to a user it trusts, which can later be used elsewhere. The tokens are stored securely by the user's browser, and can then be redeemed in other contexts to confirm the user's authenticity. This allows trust of a user on one website (such as a social media site or email service) to be conveyed to another website (such as a publisher or online store) without identifying the user or linking identities across sites.

How do Private State Tokens work?

In this example a publisher website wants to check if a user is a real human, and not a bot, before displaying an ad.

  1. A user visits a website (known as an issuer) and performs actions that lead the site to believe that the user is a real human, such as making purchases, using an email account or successfully completing reCAPTCHA.
  2. The issuer site uses the Private State Token JavaScript API to trigger a request for trust tokens for the user's browser.
  3. The issuer site responds with token data.
  4. The user's browser securely stores data for the trust token.
  5. The user visits a different website (such as a news publisher) that wants to verify if the user is a real human: for example, when displaying ads.
  6. The site uses the Private State Token API to check if the user's browser has trust tokens stored for issuers that the site trusts.
  7. Private state tokens are found for the issuer the user visited previously.
  8. The publisher site makes a request to the issuer to redeem the trust tokens.
  9. The issuer site responds with a Redemption Record.
  10. The publisher site makes a request to an ad platform, including the Redemption Record to show that the user is trusted by the issuer to be a real human.
  11. The ad platform provides the data required to display an ad.
  12. The publisher site displays the ad.
  13. An ad view impression is counted.

Is tooling available for Private State Tokens?

Chrome DevTools turns on inspection from the Network and Application tabs. Read more about this DevTools integration and about Private State Tokens.

How do websites handle tokens from multiple trusted issuers?

The site can check a user's browser for valid tokens with document.hasTrustToken() for one issuer at a time. If this returns true and a token is available, the site can redeem the token and stop looking for other tokens.

The website must decide which token issuers to check and in what order.

Engage and share feedback

Find out more