
Federated Credential Management (FedCM) API

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology.
Check the Browser compatibility table carefully before using this in production.

The Federated Credential Management API (or FedCM API) provides a standard mechanism for identity providers (IdPs) to make identity federation services available on the web in a privacy-preserving way, without the need for third-party cookies and redirects. This includes a JavaScript API that enables the use of federated authentication for activities such as signing in or signing up on a website.

FedCM concepts

Identity federation is the delegation of user authentication from a website requiring user sign-up or sign-in, such as an e-commerce or social networking site (also known as a relying party or RP), to a trusted third-party identity provider (IdP) such as Google, Facebook/Meta, GitHub, etc.

RPs can integrate with IdPs, allowing users to sign in using the accounts they have registered with the IdP. Identity federation via a small set of dedicated IdPs has improved web authentication in terms of security, consumer confidence, and user experience, as compared to each site managing its own sign-in needs with separate usernames and passwords.

The problem is that traditional identity federation relies on <iframe>s, redirects, and third-party cookies, which are also used for third-party tracking. Browsers are limiting the usage of these features in an effort to preserve user privacy, but a side effect is that this makes valid, non-tracking uses more difficult to implement, which includes identity federation.

This affects federated sign-in in general, as well as more specific identity federation use cases:

  • OIDC front-channel logout: This flow requires the IdP to embed several RP <iframe>s, which rely on RP cookies.
  • Social Widgets: In order to provide social widgets, the IdP third-party cookie must be provided from the RP top-level origin.
  • Personalized buttons: The display of personalized sign-in information on a <button> in the RP origin is implemented as an IdP <iframe> that requires third-party cookies.
  • Session refresh without top-level navigation or popups.

FedCM aims to work around this problem, providing a dedicated mechanism for federated identity flows on the web, and enabling supporting browsers to provide special UI elements on RPs, allowing users to choose an IdP account to use for sign-in.

There are two parts to using the FedCM API, which are covered in the linked guides below:

  1. IdP integration with FedCM — what an identity provider needs to provide so that an RP can integrate with it.
  2. RP federated sign-in — the FedCM functionality an RP needs to use to sign a user in using their IdP account. A FedCM sign-in request is initiated using the navigator.credentials.get() method.

Note: Google Sign In is an example of an IdP that already supports FedCM. Migrate to FedCM provides instructions for RPs wishing to migrate existing apps using Google Sign In to federated sign-in.

Permissions Policy integration and <iframe> support

The identity-credentials-get Permissions-Policy can be used to control permission to use FedCM. More specifically, it permits usage of the following methods:

Developers can explicitly grant permission for an <iframe> to use FedCM via the allow attribute:

```html
<iframe src="3rd-party.example" allow="identity-credentials-get"></iframe>
```

The availability of FedCM within <iframe>s enables a couple of use cases:

  • Larger sites won't want a third-party sign-in script to gain control over the top-level frame; instead they will want to add that script and invoke FedCM from within an <iframe>.
  • Some <iframe>s may themselves require federated authentication.

Interfaces

IdentityCredential

Represents a user identity credential arising from successful federated authentication. A successful navigator.credentials.get() call that includes an identity option fulfills with an IdentityCredential instance.

IdentityCredentialError

Represents an authentication error indicating that the user agent did not receive an identity assertion after the user has asked to authenticate using a federated credential.

IdentityProvider

Represents an IdP and provides access to related information and functionality.

NavigatorLogin

Defines login functionality for IdPs, including the Navigator.login.setStatus() method for updating IdP login status.

Extensions to other interfaces

CredentialsContainer.get(), the identity option.

identity is an object containing details of federated IdPs that a relying party (RP) website can use to sign users in. It causes a get() call to initiate a request for a user to sign in to an RP with an IdP.
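An RP-side sign-in flow built on the identity option described above and the navigator.credentials.get() call named under "RP federated sign-in", written here as an added example that is not MDN's or any IdP's own code. The IdP config URL, client ID and the injectable getCredential/randomBytesFn hooks (which let the flow run outside a browser) are assumptions; the nonce lets the RP backend tie the returned token to this request.

```javascript
// Added example (not MDN's code): RP-side FedCM sign-in via the `identity`
// option of navigator.credentials.get(). Config URL and client ID are
// hypothetical placeholders.
const IDP_CONFIG_URL = "https://idp.example/fedcm.json"; // assumed
const RP_CLIENT_ID = "rp-client-id-placeholder";         // assumed

// Hex-encode 16 random bytes. `randomBytesFn` is injectable so the code runs
// offline; in a browser the default uses crypto.getRandomValues.
function makeNonce(randomBytesFn = (n) => globalThis.crypto.getRandomValues(new Uint8Array(n))) {
  return Array.from(randomBytesFn(16), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the CredentialRequestOptions. A fresh, unguessable nonce per attempt
// lets the RP backend reject a replayed token or one issued for another request.
function buildIdentityRequest(nonce, configURL = IDP_CONFIG_URL, clientId = RP_CLIENT_ID) {
  if (typeof nonce !== "string" || nonce.length < 16) {
    throw new Error("nonce must be an unguessable string of at least 16 characters");
  }
  return {
    identity: { providers: [{ configURL, clientId, nonce }] },
    // "optional": the browser may show FedCM UI but is not forced to.
    mediation: "optional",
  };
}

// Run the sign-in. `getCredential` defaults to the real browser API and can be
// replaced for offline use. Resolves to { token, nonce } on success or
// { error, message } when the browser/IdP reports a handled failure.
async function signInWithIdP({ getCredential = (o) => navigator.credentials.get(o),
                               randomBytesFn } = {}) {
  const nonce = makeNonce(randomBytesFn);
  try {
    const cred = await getCredential(buildIdentityRequest(nonce));
    if (!cred || cred.type !== "identity" || typeof cred.token !== "string") {
      return { error: "NoCredential", message: "no identity credential returned" };
    }
    // The token is an opaque IdP assertion. The RP backend, not this client
    // code, must validate it and check that it was issued for `nonce`.
    return { token: cred.token, nonce };
  } catch (e) {
    // NotAllowedError: user dismissed or declined the FedCM prompt.
    // IdentityCredentialError: the IdP returned an error instead of an assertion.
    return { error: e.name || "UnknownError", message: e.message };
  }
}
```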

Navigator.login

Provides access to the browser's NavigatorLogin object.

HTTP headers

Set-Login

Provides an HTTP mechanism for updating login status.

Examples

For example code, see:

Specifications

Specification: Federated Credential Management API (# browser-api-identity-credential-interface)

Browser compatibility

See also


This page was last modified by MDN contributors.
