Sec-Private-State-Token-Crypto-Version header

The HTTP Sec-Private-State-Token-Crypto-Version Fetch Metadata Request Header is used by the Private State Token API during token issuance to indicate to the issuer server which cryptographic protocol version should be used to sign blinded nonces when generating tokens.

At the time of writing, there is only one version supported, but this mechanism makes it possible to support multiple versions in the future.

Note that a developer wouldn't be expected to generate Sec-Private-State-Token-Crypto-Version request headers; the browser creates them automatically when it sends a private state token token-request fetch request.

Header type: Fetch Metadata Request Header
Forbidden request header: Yes (Sec- prefix)
CORS-safelisted request header: No

Syntax

http
Sec-Private-State-Token-Crypto-Version: <string>

Servers should ignore this header if it contains any value other than a supported protocol version string.

Directives

<string>

A string containing the cryptographic protocol version that should be used by the issuer server to sign blinded nonces when generating tokens.

Examples

http
Sec-Private-State-Token-Crypto-Version: PrivateStateTokenV1VOPRF
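
One way an issuer server could apply the "ignore unsupported values" rule before signing, shown as an added example that is not code from the specification or from any issuer implementation. The function names, the result shape, the exact-match comparison and the placeholder signer are assumptions; what the issuer does when the header is ignored is left to the caller.

```javascript
// Added example; only the version string PrivateStateTokenV1VOPRF comes from the page.
const CRYPTO_VERSION_HEADER = 'sec-private-state-token-crypto-version';

// Make a header value safe for a log line: printable ASCII only, capped length.
function forLog(value) {
  return String(value).replace(/[^\x20-\x7e]/g, '?').slice(0, 64);
}

// headers: object keyed by lowercased header name, as Node's http module
//          provides (a repeated header arrives comma-joined or as an array).
// signers: Map of supported version string -> signing function. A Map is used
//          so names like "constructor" cannot match an inherited property.
function selectSigner(headers, signers) {
  const raw = headers[CRYPTO_VERSION_HEADER];
  if (raw === undefined) {
    return { honored: false, reason: 'header absent' };
  }
  if (Array.isArray(raw) || raw.includes(',')) {
    return { honored: false, reason: 'multiple values: ' + forLog(raw) };
  }
  const version = raw.trim();
  // Assumption: exact, case-sensitive match; no case folding or prefix matching.
  if (!signers.has(version)) {
    return { honored: false, reason: 'unsupported version: ' + forLog(version) };
  }
  return { honored: true, version, sign: signers.get(version) };
}

// Constructed sample requests (not captured traffic).
const demoSigners = new Map([
  // Placeholder signer: a real issuer would call its VOPRF implementation here.
  ['PrivateStateTokenV1VOPRF', (blindedNonces) => blindedNonces.length],
]);
const demoRequests = [
  { [CRYPTO_VERSION_HEADER]: 'PrivateStateTokenV1VOPRF' },
  { [CRYPTO_VERSION_HEADER]: 'privatestatetokenv1voprf' },
  { [CRYPTO_VERSION_HEADER]: 'constructor' },
  { [CRYPTO_VERSION_HEADER]: 'PrivateStateTokenV1VOPRF, ExampleV2' },
  {},
];
for (const headers of demoRequests) {
  const result = selectSigner(headers, demoSigners);
  console.log(result.honored ? `use ${result.version}` : `ignore (${result.reason})`);
}
```

Only the first constructed request selects a signer; the others are ignored with a reason that is safe to log.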

Specifications

Specification: Private State Token API, # sec-private-state-token-crypto-version
