Trust Tokens is a new API to help combat fraud and distinguish bots from real humans without passive tracking. The Trust Tokens API is part of the Privacy Sandbox, a series of proposals to satisfy cross-site use cases without third-party cookies or other tracking mechanisms. Now Trust Tokens enable trust of a user in one context to be conveyed to another context without identifying the user or linking their identity across websites. When a user is shown to be authentic, for example, by account activity or by completing a CAPTCHA challenge, say, on a website, the Trust Tokens API can be used by the website to issue cryptographic tokens to the user. The tokens are securely stored by the user's browser and tokens can be redeemed later when there's a need to evaluate the user's authenticity. For example, to detect that a user is a real human and not a bot before allowing a comment to be posted on a blog post, for example, or before requesting and displaying an advertisement.

So why do we need Trust Tokens? Well, the web needs ways to convey trust signals which show that a user is who they say they are and not a bot pretending to be a human or a malicious third-party defrauding a real person or service. Fraud protection is particularly important for advertisers, ad platforms and publishers and content distribution networks or CDNs. Now, unfortunately, many existing mechanisms to propagate trustworthiness, so a website can be confident that an interaction is from a real human, rely on third-party cookies which have historically also been used for individual user tracking and are being phased out by browsers. Mechanisms to communicate trust must preserve privacy, enabling trust to be propagated across sites without individual user tracking.

So, you know, how do Trust Tokens work? Well, I'll take you through a typical example step-by-step in a bit more technical detail. Now, one caveat, the outline here corresponds to the current state of Trust Tokens.
The specifics of how the Trust Tokens API is designed and implemented may evolve owing to origin trial testing, API development and other factors.

Anyway, so this example shows a news website and it wants to check if a user is a real human and not a bot before displaying an ad. And, you know, ad fraud can be a significant problem, so this is an important use case.

So, first up, the user visits a website known as an issuer. I've called them issuer.example. The actions performed by the user lead issuer.example to believe that they are a real human, you know, for example, like making purchases using an email account or successfully completing a CAPTCHA challenge. Once issuer.example is satisfied that the user is genuine, it can make a request for Trust Tokens from a Trust Tokens service that it runs on its backend server. The issuer.example server responds with Trust Tokens data and then the user's browser saves the Trust Tokens data in special secure storage for Trust Tokens.

Now, later on, you know, the user visits a website like a news publisher that needs to verify that the user is actually a real human being, for example, when displaying ads. Now, with Trust Tokens, this type of site is known as a redeemer because it will attempt to redeem Trust Tokens to verify the user. The site uses the Trust Tokens API to check if the user's browser has tokens stored for an issuer that the site trusts. And, you know, good news. Trust Tokens are found for the issuer the user visited previously.

In this example, the redeemer site, use.example, makes a request to the issuer, issuer.example, to redeem a Trust Token that was stored by the user's browser. The issuer site responds with data, including what's called a redemption record. And the news site now makes a request to an ad platform, including the redemption record, to show that the user is trusted by the issuer to be a real actual human.
Once the ad platform is satisfied by the redemption record that the request is for a real user, the platform provides the data required to display an ad. And the publisher site displays the ad. If all goes well, an ad view impression is counted by using a technology such as the Attribution Reporting API, which is another Privacy Sandbox initiative.

In this process, sites can request a token for a user, but they cannot see sites that the user has visited. The service displaying the ad verifies the token, and the advertiser doesn't get information about the user's browsing activity.

So that's an overview of the Trust Tokens API. To find out more, take a look at our article on web.dev, and we also have a demo that shows Trust Token issuance and redemption. Now, if you have comments or feedback, you can create an issue on the API explainer on GitHub. And you can track implementations of all the Privacy Sandbox APIs on this status page. So thanks for watching, and be sure to check out the other videos in the Privacy Sandbox series.
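
The walkthrough above (issue, check, redeem, forward the redemption record), as an added example that is not part of the video or the Chrome team's code. It assumes the origin-trial shape of the API (the `trustToken` fetch option and `document.hasTrustToken()`); the `/trust-token` path, `adplatform.example`, and the fake browser used to run it offline are hypothetical.

```javascript
// fetchFn and doc are injected so the flow can run outside a browser;
// in a page they would be window.fetch and document.
const ISSUER = 'https://issuer.example';
const ISSUER_ENDPOINT = ISSUER + '/trust-token';      // assumed path
const AD_ENDPOINT = 'https://adplatform.example/ad';  // assumed URL

// Issuer site: request tokens only after the site's own checks
// (account activity, CAPTCHA) say the user is genuine.
async function issueTokens(fetchFn, userLooksGenuine) {
  if (!userLooksGenuine) return false;
  const res = await fetchFn(ISSUER_ENDPOINT, {
    trustToken: { type: 'token-request', issuer: ISSUER },
  });
  return res.ok;
}

// Redeemer site: check for a stored token, redeem it with the issuer, then
// attach the redemption record to the ad request. Returns the ad response,
// or null when there is no token or the redemption fails.
async function requestAdWithTrust(fetchFn, doc) {
  if (!(await doc.hasTrustToken(ISSUER))) return null;
  const redeemed = await fetchFn(ISSUER_ENDPOINT, {
    trustToken: { type: 'token-redemption', issuer: ISSUER },
  });
  if (!redeemed.ok) return null;
  return fetchFn(AD_ENDPOINT, {
    trustToken: { type: 'send-redemption-record', issuers: [ISSUER] },
  });
}

// Constructed stand-in for the browser's token store, for offline runs only.
function makeFakeBrowser() {
  const state = { tokens: 0, hasRecord: false, calls: [] };
  const fetchFn = async (url, init) => {
    const type = init.trustToken.type;
    state.calls.push(type);
    if (type === 'token-request') { state.tokens += 1; return { ok: true }; }
    if (type === 'token-redemption') {
      if (state.tokens === 0) return { ok: false };
      state.tokens -= 1; state.hasRecord = true;
      return { ok: true };
    }
    return { ok: state.hasRecord, url }; // ad platform accepts only with a record
  };
  const doc = { hasTrustToken: async () => state.tokens > 0 };
  return { state, fetchFn, doc };
}
```

Each stored token is spent on redemption, so a redeemer that finds no token has to fall back to its own checks rather than treat the user as a bot.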