Trust Tokens is a new API to convey trust from one context to another without passive tracking, in order to help combat fraud and distinguish bots from real humans.
Trust tokens enable an origin to issue cryptographic tokens to a user it trusts. Tokens are stored by the user's browser, and can later be redeemed in other contexts to confirm that the user is a real human.
For example, authenticity established for a user on a social media or email site can be conveyed to another site such as a news publisher or online store.
Find out more: Getting started with Trust Tokens.
This repo provides code to demonstrate Trust Tokens, using BoringSSL to create an issuance service.
You can try out this demo online at trust-token-demo.glitch.me or download, build and run it yourself.
Please note: this demo does not provide code suitable for production use. The Trust Tokens API is still experimental, and is undergoing an origin trial in Chrome. The Trust Tokens API and this demo may change without notice at any time.
Also be aware that the demo enables both issuance and redemption, whereas in real-world applications, issuers (sites that issue tokens) are likely to be different from redeemers (sites that redeem tokens).
The following instructions are oriented to a Linux environment, but could potentially be ported to MacOS, or run on Windows by using Windows Subsystem for Linux (in Windows 10) or by installing Cygwin or other environments.
Note that it takes several minutes to download the code, install and build BoringSSL (and cmake if necessary).
The Trust Token API is currently available as a Chrome origin trial. You can try out Trust Tokens online at trust-token-demo.glitch.me.
However, to run the demo yourself, you will need to register for a Trust Token origin trial token.
git clone git@github.com:JackJey/trust-token-demo.git
All the commands below should be run from the top-level trust-token-demo directory:
cd trust-token-demo
To build this demo you will need the cmake build tool, which is pre-installed on many Linux distributions. On MacOS, you can use Homebrew to install cmake.
Run the install-boringssl.sh script to download and build BoringSSL:
./install-boringssl.sh
Build the executable files required for the demo, using the BoringSSL library and the C files in the src directory as defined in the Makefile:
make
The demo uses the Express HTTP server and other dependencies defined in package.json.
npm install
Run npm start (defined in server.js) to start the demo server:
npm start
Open localhost:8000 to view the demo page defined in index.html.
By default, this demo runs on port 8000. You can change this by updating the scripts.start value in package.json.
GET /.well-known/trust-token/key-commitment
Returns the key commitment, in the JSON format used by the browser.
POST /.well-known/trust-token/request
Trust Token issuance request endpoint.
POST /.well-known/trust-token/redemption
SRR token redemption request endpoint.
POST /.well-known/trust-token/send-srr
Send SRR endpoint. It echoes back, as its response, the Sec-Signed-Redemption-Record header that the client sends.
bin/main is the build result of src/main.c.
There is a flag for each Trust Token operation:

$ main --issue $REQUEST
Takes an issuance request (the value of the Sec-Trust-Token HTTP header) and returns an issuance response.

$ main --redeem $REQUEST
Takes a redemption request (the value of the Sec-Trust-Token HTTP header) and returns a redemption response.

$ main --key-generate
Generates the private/public keys for Trust Tokens and an ED25519 key pair, and saves them in the ./keys directory.