Permissions-Policy: otp-credentials

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header otp-credentials directive controls whether the current document is allowed to use the WebOTP API to request a one-time password (OTP) from a specially-formatted SMS message sent by the app's server, i.e., via navigator.credentials.get({otp: ..., ...}).

Specifically, where a defined policy blocks the use of this feature, the Promise returned by navigator.credentials.get({otp}) will reject with a SecurityError DOMException.

Syntax

http
Permissions-Policy: otp-credentials=<allowlist>;
<allowlist>

A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for otp-credentials is self.

Specifications

Specification
WebOTP API
# sctn-permissions-policy

Browser compatibility

BCD tables only load in the browser

See also