publickey-credentials-getThe publickey-credentials-get directive controls whether Web Authentication (WebAuthn) via navigator.credentials.get({ publicKey }) may authenticate using public-key credentials (passkeys and security keys). Its default allowlist is self, and it matters for authentication inside embedded login frames.
`publickey-credentials-get=(self)` limits it to the document's own origin, `publickey-credentials-get=()` blocks it entirely, and `publickey-credentials-get=(self "https://login.example.com")` delegates to a named origin. For an embedded SSO/login widget iframe to perform WebAuthn authentication, the parent must delegate with `<iframe allow="publickey-credentials-get">`; without it, a cross-origin frame's credentials.get() fails.
When the policy denies it, the Promise returned by navigator.credentials.get({ publicKey }) rejects with a NotAllowedError. WebAuthn works only in a secure context and requires a user gesture. Note that publickey-credentials-create, which corresponds to credential registration (navigator.credentials.create), is a separate directive; this one covers only the authentication (get) flow.
Permissions-Policy: publickey-credentials-get=(self "https://login.example.com")