1. Web
  2. HTTP
  3. Reference
  4. Headers
  5. Permissions-Policy
  6. publickey-credentials-create

Permissions-Policy: publickey-credentials-create directive

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header publickey-credentials-create directive controls whether the current document is allowed to use the Web Authentication API to create new WebAuthn credentials, i.e., via navigator.credentials.create({publicKey}).

Specifically, where a defined policy blocks use of this feature, the Promise returned by navigator.credentials.create({publicKey}) will reject with a NotAllowedError DOMException. If the method is called cross-origin, the Promise will also reject with a NotAllowedError if the feature is granted by allow= on an iframe and the frame does not also have Transient activation.

Syntax

http
Permissions-Policy: publickey-credentials-create=<allowlist>;
<allowlist>

A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for publickey-credentials-create is self.

Specifications

Specification
Web Authentication: An API for accessing Public Key Credentials - Level 3
# sctn-permissions-policy

Browser compatibility

See also

Help improve MDN

Learn how to contribute

This page was last modified on by MDN contributors.

View this page on GitHubReport a problem with this content