A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Credential Management API proposed at W3C


There is a Credential Management API currently being proposed by the WebAppSec Working Group at the W3C. The spec is heading for First Public Working Draft.

I think it would be great to get some independent commentary on this from the greater community as the work is being reviewed in a public forum (the the WG’s public mailing list) and there is a standing call for consensus which ends on 17 April.

Two other groups at the W3C (Web Payments Interest Group and Credentials Community Group) have raised some concerns around the compatibility of the spec with their work, specifically their in-progress Identity Credentials specification.

There is no consensus at this stage on whether this spec should be held back pending collaboration from the other groups or go ahead to FPWD in it’s current form.

What do you think of the spec and further, do you think it should be adapted to consider the Identity Credentials spec?


I just spent some time reviewing the spec and filing issues. Overall it looks like a great improvement over the status quo, that adds valuable new capabilities to browsers, and (very importantly) is easy to implement and use without dragging along a lot of conceptual baggage (linked data etc.). It solves a minimal set of use cases without trying to solve the entire “credentials problem” or “identity problem.”

I don’t think the Identity Credentials spec is really relevant to the problem presented here, nor does it show any sign of being grounded in the reality of what browsers and web servers implement today. If those groups want to continue developing that spec then that seems fine but I’m not sure how they expect to get any adoption.


I get the feeling the API is very extensible in nature with the lightest touch methods approached first.

I’m not really understanding the reasons for the objections more than the issues that I mentioned around cross platform support, however Mike has already spoke about how implementations can resolve that somewhat and there is an open issue to clarify.


I’ve started reading it, exciting stuff!

I was wondering if we Would there be a certificate based credential type? (link to thread).