Permissions-Policy: publickey-credentials-create directive

{{SeeCompatTable}}

The HTTP {{HTTPHeader("Permissions-Policy")}} header publickey-credentials-create directive controls whether the current document is allowed to use the Web Authentication API to create new WebAuthn credentials, i.e., via {{domxref("CredentialsContainer.create","navigator.credentials.create({publicKey})")}}.

Specifically, where a defined policy blocks use of this feature, the {{jsxref("Promise")}} returned by navigator.credentials.create({publicKey}) will reject with a NotAllowedError {{domxref("DOMException")}}. If the method is called cross-origin, the {{jsxref("Promise")}} will also reject with a NotAllowedError if the feature is granted by allow= on an iframe and the frame does not also have {{glossary("Transient activation")}}.

Syntax

Permissions-Policy: publickey-credentials-create=<allowlist>;

• <allowlist>
  • : A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for publickey-credentials-create is self.

Specifications

{{Specifications}}

Browser compatibility

{{Compat}}

See also

• {{HTTPHeader("Permissions-Policy")}} header
• Permissions Policy
• Web Authentication API
• {{DOMxRef("PublicKeyCredential")}} interface