publickey-credentials-get
Permissions-Policy Identity

Overview

The publickey-credentials-get directive controls whether Web Authentication (WebAuthn) via navigator.credentials.get({ publicKey }) may authenticate using public-key credentials (passkeys and security keys). Its default allowlist is self, and it matters for authentication inside embedded login frames.

Details

`publickey-credentials-get=(self)` limits it to the document's own origin, `publickey-credentials-get=()` blocks it entirely, and `publickey-credentials-get=(self "https://login.example.com")` delegates to a named origin. For an embedded SSO/login widget iframe to perform WebAuthn authentication, the parent must delegate with `<iframe allow="publickey-credentials-get">`; without it, a cross-origin frame's credentials.get() fails.

When the policy denies it, the Promise returned by navigator.credentials.get({ publicKey }) rejects with a NotAllowedError. WebAuthn works only in a secure context and requires a user gesture. Note that publickey-credentials-create, which corresponds to credential registration (navigator.credentials.create), is a separate directive; this one covers only the authentication (get) flow.

Syntax

Permissions-Policy: publickey-credentials-get=(self "https://login.example.com")

Notes

Related directives