Private State Token
The Private State Token API is a web platform API that allows propagating a limited amount of signals across sites, using the Privacy Pass protocol as an underlying primitive.
Private State Tokens enable an origin to issue cryptographic tokens to a user it trusts. Tokens are stored by the user's browser, and can later be redeemed in other contexts to confirm that the user is a real human.
For example, authenticity established for a user on a social media or email site can be conveyed to another site such as a news publisher or online store.
Find out more: Private State Tokens | Chrome Developers
This repo provides code that demonstrates Private State Tokens, using BoringSSL to implement an issuance service.
You can try out this demo online at private-state-token-demo.glitch.me or download, build and run it yourself.
The following instructions are oriented to a Linux environment.
Note that it takes several minutes to download the code, install and build BoringSSL (and cmake if necessary).
git clone git@github.com:GoogleChromeLabs/private-state-token-demo.git
All the commands below should be run from the top-level private-state-token-demo directory:
cd private-state-token-demo
To build this demo you will need the cmake build tool.
Run the install-boringssl.sh script to download and build BoringSSL:
./install-boringssl.sh
Build the executable files required for the demo, using the BoringSSL library and the C files in the src directory as defined in the Makefile:
make
The demo uses the Express HTTP server and other dependencies defined in package.json.
npm install
Run npm start (defined in server.js) to start the demo server:
npm start
Open the demo in a Chrome instance started with the Private State Token API enabled and the key commitment for the issuer supplied on the command line.
On macOS:
open -a "Google Chrome" --args \
  --additional-private-state-token-key-commitments='{ "https://private-state-token-issuer.glitch.me": { "PrivateStateTokenV1VOPRF": { "protocol_version": "PrivateStateTokenV1VOPRF", "id": 1, "batchsize": 1, "keys": { "1": { "Y": "AAAAAQQ7W5gOubJT3kTpzNGsekT9RZPXgXGrOMB2+QPw/ZzAuLrM3kc8eyHuTc1KmKjH4sh5+ev5GCI4HVVd46o6rWvNvk0iZQtVuUPhT8X54Ajebng8v5zUnpnPuTjGqlc7+MM=", "expiry": "1915356984440000" } } } } }'
On Linux:
google-chrome --args \
  --additional-private-state-token-key-commitments='{ "https://private-state-token-issuer.glitch.me": { "PrivateStateTokenV1VOPRF": { "protocol_version": "PrivateStateTokenV1VOPRF", "id": 1, "batchsize": 1, "keys": { "1": { "Y": "AAAAAQQ7W5gOubJT3kTpzNGsekT9RZPXgXGrOMB2+QPw/ZzAuLrM3kc8eyHuTc1KmKjH4sh5+ev5GCI4HVVd46o6rWvNvk0iZQtVuUPhT8X54Ajebng8v5zUnpnPuTjGqlc7+MM=", "expiry": "1915356984440000" } } } } }'
Open localhost:3000 to view the demo page.
By default, this demo runs on port 3000. You can change this by setting the PORT environment variable, as shown below:
PORT=8080 npm start
GET /.well-known/private-state-token/key-commitment
Returns the issuer's key commitment in the JSON format used by the browser.
GET /private-state-token/issuance
Private State Token issuance request endpoint.
GET /private-state-token/redemption
Private State Token redemption request endpoint.
GET /private-state-token/send-srr
Send SRR endpoint. This parses the Sec-Redemption-Record header sent by the client and returns the Redemption Record as the response.
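The key commitment JSON that the Chrome flags above pass in, and that the key-commitment endpoint serves, is easy to get subtly wrong (stale expiry, key id that does not match the key bytes). The following sanity check is added here as an example and is not code from the demo repo. It assumes, since the page does not say so, that "Y" is base64 of a 4-byte big-endian key id followed by a 97-byte uncompressed P-384 point and that "expiry" is microseconds since the Unix epoch.

```javascript
// Added example, not part of the demo repo: sanity-check a Private State Token
// key commitment before passing it to Chrome or serving it from
// GET /.well-known/private-state-token/key-commitment.
// Assumed (not stated on the page): "Y" is base64 of a 4-byte big-endian key id
// followed by a 97-byte uncompressed P-384 point (0x04 || x || y), and "expiry"
// is microseconds since the Unix epoch.

const KEY_ID_LEN = 4;
const POINT_LEN = 97; // 0x04 prefix + two 48-byte P-384 coordinates

// Key commitment copied from the page's Chrome command line.
const PAGE_COMMITMENT_JSON = `{ "https://private-state-token-issuer.glitch.me": {
  "PrivateStateTokenV1VOPRF": { "protocol_version": "PrivateStateTokenV1VOPRF",
  "id": 1, "batchsize": 1, "keys": { "1": {
  "Y": "AAAAAQQ7W5gOubJT3kTpzNGsekT9RZPXgXGrOMB2+QPw/ZzAuLrM3kc8eyHuTc1KmKjH4sh5+ev5GCI4HVVd46o6rWvNvk0iZQtVuUPhT8X54Ajebng8v5zUnpnPuTjGqlc7+MM=",
  "expiry": "1915356984440000" } } } } }`;

// Walks every issuer / protocol version / key entry and returns { ok, errors }.
function checkKeyCommitment(commitments, nowMs = Date.now()) {
  const errors = [];
  for (const [issuer, versions] of Object.entries(commitments)) {
    if (!issuer.startsWith('https://')) errors.push(`${issuer}: issuer origin is not https`);
    for (const [version, c] of Object.entries(versions)) {
      const where = `${issuer} ${version}`;
      if (c.protocol_version !== version) errors.push(`${where}: protocol_version mismatch`);
      if (!Number.isInteger(c.batchsize) || c.batchsize < 1) errors.push(`${where}: bad batchsize`);
      for (const [keyId, key] of Object.entries(c.keys || {})) {
        const raw = Buffer.from(String(key.Y || ''), 'base64');
        if (raw.length !== KEY_ID_LEN + POINT_LEN) {
          errors.push(`${where} key ${keyId}: Y is ${raw.length} bytes, expected ${KEY_ID_LEN + POINT_LEN}`);
        } else {
          const embeddedId = raw.readUInt32BE(0); // id stored in the first 4 bytes of Y
          if (String(embeddedId) !== keyId) errors.push(`${where} key ${keyId}: embedded id ${embeddedId} differs`);
          if (raw[KEY_ID_LEN] !== 0x04) errors.push(`${where} key ${keyId}: point is not uncompressed`);
        }
        const expiryMs = Number(key.expiry) / 1000; // microseconds -> milliseconds
        if (!(expiryMs > nowMs)) errors.push(`${where} key ${keyId}: expired or invalid expiry`);
      }
    }
  }
  return { ok: errors.length === 0, errors };
}

console.log(checkKeyCommitment(JSON.parse(PAGE_COMMITMENT_JSON)));
```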
bin/main is the build result of src/main.c.
There is a flag for each Private State Token operation:
$ main --issue $REQUEST
$ main --redeem $REQUEST
$ main --key-generate
Take an issuance request (Sec-Trust-Token HTTP header) and return an issuance response.
Take a redemption request (Sec-Trust-Token HTTP header) and return a redemption response.
Generate private/public keys for a Private State Token and ED25519 key pair and save them in the ./keys directory.
- Private State Token API explainer
- The Chromium Projects: Private State Token API
- Origin Trials Guide for Web Developers
- BoringSSL
This is not a Google product.