Privileged apps such as web browsers can make a Credential Manager call on
behalf of other relying parties by setting the origin parameter in Credential
Manager's GetCredentialRequest() and CreatePublicKeyCredentialRequest() methods.
The origin represents the application or website that a request comes from, and
is used by passkeys to protect against phishing attacks. An app's servers are
required to check the client data origin against an allowlist of approved apps
and websites. If the server receives a request from an app or website from an
unrecognized origin, the request should be rejected.
This document describes how to set the origin for such privileged calling apps,
and how to verify such apps are allowed to make calls on behalf of other
parties.
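The server-side check described above can look like the following. This is an added example, not code from the original page or from Credential Manager; the allowlist entries, the function names, and the sample clientDataJSON values are constructed assumptions. It covers only the origin check; challenge and signature verification are separate steps.

```python
import base64
import json

# Constructed allowlist (assumption): one website and one Android app origin.
# Android app origins have the form android:apk-key-hash:<base64url SHA-256 of
# the signing certificate>; the hash here is a placeholder, not a real app.
ALLOWED_ORIGINS = frozenset({
    "https://example.com",
    "android:apk-key-hash:PLACEHOLDER_SIGNING_CERT_SHA256_BASE64URL",
})


class OriginRejected(Exception):
    """Raised when clientDataJSON fails the type or origin check."""


def b64url_decode(value: str) -> bytes:
    # WebAuthn fields are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def make_sample(origin: str, ceremony: str = "webauthn.get") -> str:
    """Build a constructed clientDataJSON value for trying the check offline."""
    body = {"type": ceremony, "challenge": "Y29uc3RydWN0ZWQ", "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).decode().rstrip("=")


def verify_client_data(client_data_b64: str, expected_type: str,
                       allowed_origins=ALLOWED_ORIGINS) -> dict:
    """Decode clientDataJSON; raise OriginRejected unless origin is allowlisted."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError as exc:  # bad base64, bad UTF-8, or bad JSON
        raise OriginRejected("clientDataJSON is not base64url JSON") from exc
    if not isinstance(client_data, dict):
        raise OriginRejected("clientDataJSON is not a JSON object")
    if client_data.get("type") != expected_type:
        raise OriginRejected("unexpected ceremony type")
    origin = client_data.get("origin")
    # Exact string match only: no prefix, suffix, or case-folded comparison,
    # so a look-alike such as https://example.com.other.test is rejected.
    if not isinstance(origin, str) or origin not in allowed_origins:
        raise OriginRejected(f"origin not on allowlist: {origin!r}")
    return client_data


if __name__ == "__main__":
    print(verify_client_data(make_sample("https://example.com"), "webauthn.get"))
```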
Set the origin of the calling app
To get credentials on behalf of another relying party, the credential provider
that supplies the credentials must add your app to a list of privileged callers
that are allowed to get such access. Then, use setOrigin() on createCredential()
and getCredential() requests to set the origin value.
For privileged apps such as web browsers that need to handle third-party credentials, Google Password Manager requires approval to handle those credentials. This ensures that only trusted apps are able to access and manage user credentials for external services. To be approved for handling third-party credentials, complete the request form to open a ticket and have your request reviewed.