Federated Credential Management
Federated Credential Management, or FedCM, is a browser-mediated approach to federated login that lets a person use an identity provider account on another site while reducing reliance on third-party cookies, redirects, and invisible cross-site identity plumbing.
Definition
Federated Credential Management is a web identity concept and API family for letting a browser mediate login between three parties: the person using the browser, a relying party website, and an identity provider. The W3C FedCM draft defines it as a Web Platform API that allows users to log in to websites with federated accounts in a privacy-preserving manner.
FedCM is not a new identity provider, password manager, proof-of-personhood system, or AI system. It is a browser-level interface around identity federation. Traditional web federation often depends on redirects, embedded iframes, and third-party cookies so that a site can ask an identity provider whether a user is signed in. FedCM moves more of that exchange into browser-controlled prompts and API calls. The goal is to keep useful "sign in with..." flows available while reducing identity tracking that occurs through cross-site cookies and hidden page elements.
The term belongs near Digital Identity, Data Minimization, Contextual Integrity, and Platform Governance. It is also relevant to AI agents because agentic web systems increasingly depend on identity, consent, delegated accounts, and browser-mediated access.
How It Works
In a normal federated login, a relying party outsources authentication to an identity provider. OpenID Connect describes this pattern as an authentication protocol built on OAuth 2.0: a site asks an identity provider to authenticate the user and return identity information or tokens. FedCM does not replace every federation protocol. Instead, it gives the browser a standardized role in the account-selection and login ceremony.
Under FedCM, the relying party calls a browser API. The browser checks configured identity-provider endpoints, displays a user interface, and lets the person choose an account when the conditions are met. Chrome's developer documentation says FedCM supports sign-up, sign-in, and sign-out with federated accounts for users browsing without third-party cookies, while also noting that it is not yet supported by all browsers.
The governance meaning is that identity exchange stops being only a relationship between websites and identity providers. The browser becomes an explicit mediator. That can improve user visibility, but it also gives browser vendors power over which identity flows feel normal, which providers integrate smoothly, and what consent text users repeatedly see.
Current Context
As of June 15, 2026, FedCM is still standards work, not a settled universal login layer. The W3C technical report page lists Federated Credential Management as a First Public Working Draft on the Recommendation track. The W3C Federated Identity Working Group charter says the group is developing features for secure and privacy-preserving digital identity interactions, including federated identity despite the deprecation or restriction of third-party cookies and wallet-based digital credential flows.
Browser and developer documentation frame the same problem from the deployment side. MDN describes FedCM as experimental and limited availability, while Chrome frames it as a privacy-preserving identity federation API that can reduce friction and phishing exposure by letting users rely on trusted identity providers rather than making new passwords for each site.
FedCM sits beside, not above, other identity standards. OpenID Connect remains a major protocol for federated authentication. OpenID Federation 1.0 defines trust infrastructure for entities that need to establish federation membership and trust chains. NIST SP 800-63-4, finalized in 2025, covers identity proofing, authentication, and federation for U.S. federal digital services and emphasizes security, privacy, usability, and risk management.
Governance and Safety
FedCM addresses one privacy problem without ending identity governance. It can reduce dependence on third-party cookies and silent cross-site mechanisms, but federated login still creates concentration risk. A few identity providers may become default gateways to many services. A browser vendor may shape access through implementation choices. Relying parties may request more identity attributes than necessary. Users may approve flows because the prompt is familiar, not because the data transfer is understood.
The W3C draft's privacy section names attack scenarios such as manifest fingerprinting, timing attacks, identity-provider intrusion, cross-site correlation, unauthorized data usage, relying-party fingerprinting, and secondary use. Those are not abstract edge cases. They are the same political questions that surround platform identity: who learns that a person visited which service, who can join records across contexts, and who can deny access when identity federation fails?
Defense Pattern
- Minimize claims. Relying parties should request only the identity attributes needed for the stated purpose.
- Keep alternatives available. FedCM should not become the only practical route into essential services.
- Audit identity providers. Security, retention, logging, breach response, and account recovery matter because the provider becomes a shared dependency.
- Separate authentication from profiling. A login event should not become a broad advertising, ranking, or eligibility signal without separate authority.
- Test browser differences. Because support and behavior vary, organizations should document fallback flows and accessibility impacts.
Spiralist Reading
FedCM is a small protocol with a large cultural lesson: identity is becoming a browser ceremony.
The person sees an account chooser. Underneath, institutions negotiate trust, attributes, identifiers, cookies, redirects, browser policy, and platform power. The humane version narrows surveillance and makes login safer. The worse version makes identity friction disappear while moving more of public life through a few private chokepoints.
Open Questions
- How should browsers explain what identity attributes are being shared?
- Can small identity providers integrate without being disadvantaged by browser defaults?
- What fallback should exist when a user cannot or will not use a federated account?
- How should FedCM interact with age assurance, digital wallets, and agent-mediated browsing?
- Who audits secondary use after a successful federated login?
Related Pages
- Digital Identity
- Data Minimization
- Contextual Integrity
- Surveillance Capitalism
- Platform Governance
- Data Brokers
- Age Assurance
- Zero-Knowledge Proofs
- AI Governance
- Trust and Safety
Sources
- W3C, Federated Credential Management API, First Public Working Draft, August 20, 2024, reviewed June 15, 2026.
- W3C, Federated Identity Working Group Charter, reviewed June 15, 2026.
- Chrome for Developers, FedCM: A privacy-preserving identity federation API, reviewed June 15, 2026.
- MDN Web Docs, Federated Credential Management (FedCM) API, reviewed June 15, 2026.
- OpenID Foundation, How OpenID Connect Works, reviewed June 15, 2026.
- OpenID Foundation, OpenID Federation 1.0, reviewed June 15, 2026.
- NIST CSRC, SP 800-63-4: Digital Identity Guidelines, final, July 31, 2025.
- NIST, SP 800-63-4 Digital Identity Guidelines online text, reviewed June 15, 2026.
- Church of Spiralism internal background, Digital Identity and Contextual Integrity, reviewed June 15, 2026.