Google recently announced that it is building Trust Token API for developer testing. A trust token has been one of the many theorized API solutions to combat fraud in online advertising while allowing trust to propagate from web entity to web entity. As Google prepares to discontinue support for third-party cookies, allowing for a trusted share of information continues to be a challenge, and the Trust Token API could be a viable solution.
“Trust tokens enable an origin to issue cryptographic tokens to a user it trusts,” Sam Dutton wrote on web.dev. “The tokens are stored by the user’s browser. The browser can then use the tokens in other contexts to evaluate the user’s authenticity. The Trust Token API allows trust of a user in one context (such as gmail.com) to be conveyed to another context (such as an ad running on nytimes.com) without identifying the user or linking the two identities.”
Google is actively pursuing the Trust Token API, but is looking for other alternatives as well. The company is in ongoing discussions with W3C and others as it looks for an alternative to cookies. It has already included other products to help combat fraud and promote trust such as Ad Transparency Spotlight, the Privacy Sandbox, and a new About this ad feature.
The Trust Token API follows the Privacy Pass protocol. The API is currently in the works, and the five key features currently include trust token issuance, trust token redemption, forwarding redemption attestation, trust-bound keypair, and request signing, and private metadata. At the GitHub site, Google has published more details on the API's development, privacy considerations, security considerations, potential extensions, and more.