Private State Tokens is an API to help combat fraud and distinguish bots from real humans, but without passive tracking. The Private State Tokens API is part of the Privacy Sandbox, a series of proposals to satisfy cross-site use cases without third-party cookies or other tracking mechanisms. Private State Tokens enable trust of a user in one context to be conveyed to another without identifying the user or linking their identity between these two contexts.

When a user is shown to be authentic, for example, by account activity or by completing a CAPTCHA challenge on a website, the Private State Tokens API can be used by the website to issue cryptographic tokens to the user. The tokens are securely stored by the user's browser in local database files, and tokens can be redeemed later when there's a need to evaluate the user's authenticity. For example, to detect that a user is a real human and not a bot before allowing a comment to be posted on a blog post or before requesting and displaying an advertisement.

So why do we need Private State Tokens? Well, the web needs ways to convey trust signals which show that a user is who they say they are and not a bot pretending to be a human or a malicious third party defrauding a real person or service. Fraud protection is particularly important for advertisers, ad platforms, publishers, and content distribution networks, or CDNs. Now, unfortunately, in the past, many existing mechanisms to propagate trustworthiness, so a website can be confident that an interaction is actually from a real human, have relied on third-party cookies, which have historically also been used for individual user tracking and are being phased out by browsers. Mechanisms to communicate trust must preserve privacy, enabling trust to be propagated across sites but without individual user tracking.

So how do Private State Tokens actually work? Well, I'll take you through a typical example step by step in a bit more technical detail.

Now in this example, a news website wants to check whether a user is a real human and not a bot before displaying an ad. Ad fraud can be a significant problem, so this is an important use case.

So first up, a user visits a website that includes JavaScript to get tokens from a service known as an issuer, and I've called them issuer.example. Then the user might visit store.example, which can query and redeem tokens from issuer.example. Now the actions performed by the user lead issuer.example to believe that they are actually a real human, you know, such as making purchases using an email account or successfully completing a CAPTCHA challenge. Once issuer.example is satisfied that the user is genuine, it can make a request for Private State Tokens from a token service that it runs on its backend server. The issuer.example server responds with token data, and then the user's browser saves the token data in special secure storage for Private State Tokens.

Later on, the user visits a website, such as a news publisher, that needs to verify that the user is actually a real human being, for example, when displaying ads. With Private State Tokens, this type of site is known as a redeemer, because it will attempt to redeem Private State Tokens to verify the user. The site uses the Private State Tokens API to check if the user's browser has tokens stored for an issuer that the site trusts. And good news, Private State Tokens are found for the issuer the user visited previously.

In this example, the redeemer site, use.example, makes a request to the issuer, issuer.example, to redeem a token that was stored by the user's browser. The issuer site responds with data, including a redemption record. And the news site now makes a request to an ad platform, including the redemption record, to show that the user is trusted by the issuer to be a real actual human.

Once the ad platform is satisfied by the redemption record that the request is for a real user, the platform provides the data required to display an ad. Then the publisher site displays the ad, and if all goes well, an ad view impression is counted by using a technology such as the Attribution Reporting API, which is another Privacy Sandbox technology.

In this process, sites can request a token for a user, but they cannot see sites that the user has visited. The service displaying the ad verifies the token, and the advertiser doesn't get information about the user's browsing activity.

So that's an overview of the Private State Tokens API. To find out more, take a look at our article on developer.chrome.com. We also have a demo that shows issuance of tokens and redemption. If you have comments or feedback, you can create an issue on the API explainer on GitHub. And you might also want to consult the Private State Tokens API spec. You can track implementations of all the Privacy Sandbox APIs on this status page. So thanks for watching, and be sure to check out the other videos in the Privacy Sandbox series.
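
The issuance, redemption and forwarding steps walked through above, sketched in browser JavaScript as an added example (it is not from the video or from Chrome's demo). The endpoint paths, the ad URL passed in and the `env` parameter are assumptions made for illustration; the `privateToken` fetch option and `document.hasPrivateToken()` belong to the API itself.

```javascript
// Added illustration of the issue -> redeem -> forward flow described in the talk.
// Assumption: both endpoint paths below are hypothetical placeholders.
// `env` supplies fetch/document so the flow can be exercised outside a browser.
const ISSUER = "https://issuer.example";        // issuer origin named in the talk
const ISSUE_URL = `${ISSUER}/issue-tokens`;     // hypothetical issuance endpoint
const REDEEM_URL = `${ISSUER}/redeem-token`;    // hypothetical redemption endpoint

// Issuer-side script: call only after the issuer has decided the user is genuine
// (account activity, a solved challenge). The browser stores the tokens itself;
// page script never reads them.
async function requestTokens(env = globalThis) {
  const res = await env.fetch(ISSUE_URL, {
    method: "POST",
    privateToken: { version: 1, operation: "token-request" },
  });
  return res.ok;
}

// Redeemer-side script (the news publisher): check for tokens, redeem one,
// then attach the redemption record to the ad request.
async function fetchAdWithTrustSignal(adUrl, env = globalThis) {
  // No token for this issuer: fall back to an ordinary request with no trust
  // signal, and let the ad platform apply its other fraud checks.
  if (!(await env.document.hasPrivateToken(ISSUER))) {
    return { trusted: false, response: await env.fetch(adUrl) };
  }
  const redeemed = await env.fetch(REDEEM_URL, {
    method: "POST",
    privateToken: { version: 1, operation: "token-redemption", refreshPolicy: "none" },
  });
  if (!redeemed.ok) {
    return { trusted: false, response: await env.fetch(adUrl) };
  }
  // The browser adds the stored redemption record for ISSUER to this request;
  // the record shows the issuer trusts the user without identifying them.
  const response = await env.fetch(adUrl, {
    privateToken: { version: 1, operation: "send-redemption-record", issuers: [ISSUER] },
  });
  return { trusted: true, response };
}
```

The ad platform still has to verify the redemption record server-side before treating the request as coming from a real user.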