Privacy Sandstorm

Federated Credential Management API

Important
This API is still being maintained by Google in Chrome, even after the deprecation announcement of most other Privacy Sandbox APIs.

Overview

The Federated Credential Management (FedCM) API allows identity providers to build an SSO-login infrastructure facilitated by compatible web browsers that does not require the use of third-party cookies or redirects.

How does it work?

A relying party (RP) can allow users to sign in with their credentials and account at a trusted third-party identity provider (IdP) by using the FedCM API. The browser mediates requests and information exchange between the RP and IdP through the FedCM API by:

  • Gathering user consent to log in to the RP with the IdP.

  • Recording if a relationship has been established between specific IdPs and RPs.

  • Providing features to the IdP and RP specific to the user consent provided.

  • API:

    • JS:
      • navigator.credentials.get()
      • navigator.recordFederatedLogin()
      • IdentityCredential.disconnect()
      • navigator.login.setStatus("logged-in"/"logged-out")
    • HTTP headers: Sec-FedCM-CSRF
    • Permissions Policy on iframe: allow="identity-credentials-get"
  • Documentation

  • MDN Documentation

  • Explainer
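
On the IdP side, the `Sec-FedCM-CSRF` header listed above lets an endpoint tell browser-mediated FedCM requests apart from ordinary cross-site requests that merely carry the user's IdP cookies. The check below is an added example, not code from this page or from the FedCM project. The client registry, the endpoint names, the `?1` header value and the `Sec-Fetch-Dest: webidentity` alternative are assumptions that do not appear on the page.

```javascript
// Added example: IdP-side gate for FedCM endpoints (not the project's own code).
// Constructed registry: client_id -> the RP origin it was registered for.
const REGISTERED_CLIENTS = new Map([
  ["rp-client-123", "https://rp.example"],
]);

// True when the request carries a marker only the browser can set.
// "Sec-" prefixed headers are forbidden header names, so page script using
// fetch() or XHR cannot add them to a forged cross-site request.
function isBrowserFedCmRequest(headers) {
  // Assumption: "?1" is the value sent with the header the page lists.
  if (headers["sec-fedcm-csrf"] === "?1") return true;
  // Assumption: later FedCM versions signal the same thing this way.
  return headers["sec-fetch-dest"] === "webidentity";
}

// endpoint: "accounts" or "id_assertion" (hypothetical route names)
// headers:  request headers with lower-cased names
// body:     parsed form fields of the request
function checkFedCmRequest(endpoint, headers, body = {}) {
  if (!isBrowserFedCmRequest(headers)) {
    // Cookies alone prove nothing: any site can trigger a credentialed request.
    return { allow: false, reason: "missing-fedcm-marker" };
  }
  if (endpoint === "accounts") {
    return { allow: true, reason: "ok" };
  }
  if (endpoint === "id_assertion") {
    const expectedOrigin = REGISTERED_CLIENTS.get(body.client_id);
    if (!expectedOrigin) {
      return { allow: false, reason: "unknown-client" };
    }
    // A token minted for one RP must not be handed to a different origin
    // that reuses that RP's client_id.
    if (headers["origin"] !== expectedOrigin) {
      return { allow: false, reason: "origin-mismatch" };
    }
    return { allow: true, reason: "ok" };
  }
  return { allow: false, reason: "unknown-endpoint" };
}
```

Run the check before any session lookup, so that a request without the marker never reaches code that reads the user's IdP cookies.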

Analyses