index.html

<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <title>WebOTP API</title>
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <link href="https://www.w3.org/StyleSheets/TR/2016/cg-draft" rel="stylesheet">
  <meta content="Bikeshed version 4d0641293, updated Tue Mar 16 15:42:04 2021 -0700" name="generator">
  <link href="http://wicg.github.io/WebOTP" rel="canonical">
  <link href="logo-otp.png" rel="icon">
  <meta content="49d29df4f523738e5bba16108d6ea70536777348" name="document-revision">
<style>
dl.domintro dt {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", Monaco, monospace;

    padding-top: 0.5em;
    padding-bottom: 1em;
}
dl.domintro dt a {
    color: inherit; border-bottom-style: none;
}
dl.domintro dt code {
    font-size: inherit;
}
</style>
<style>/* style-autolinks */

.css.css, .property.property, .descriptor.descriptor {
    color: var(--a-normal-text);
    font-size: inherit;
    font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
    content: "‘";
}
.css::after, .property::after, .descriptor::after {
    content: "’";
}
.property, .descriptor {
    /* Don't wrap property and descriptor names */
    white-space: nowrap;
}
.type { /* CSS value <type> */
    font-style: italic;
}
pre .property::before, pre .property::after {
    content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
    content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
    content: "’";
}

[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
    content: "";
}

[data-link-type=element],
[data-link-type=element-attr] {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
    font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after  { content: ">" }

[data-link-type=biblio] {
    white-space: pre;
}</style>
<style>/* style-colors */

/* Any --*-text not paired with a --*-bg is assumed to have a transparent bg */
:root {
    color-scheme: light dark;

    --text: black;
    --bg: white;

    --unofficial-watermark: url(https://www.w3.org/StyleSheets/TR/2016/logos/UD-watermark);

    --logo-bg: #1a5e9a;
    --logo-active-bg: #c00;
    --logo-text: white;

    --tocnav-normal-text: #707070;
    --tocnav-normal-bg: var(--bg);
    --tocnav-hover-text: var(--tocnav-normal-text);
    --tocnav-hover-bg: #f8f8f8;
    --tocnav-active-text: #c00;
    --tocnav-active-bg: var(--tocnav-normal-bg);

    --tocsidebar-text: var(--text);
    --tocsidebar-bg: #f7f8f9;
    --tocsidebar-shadow: rgba(0,0,0,.1);
    --tocsidebar-heading-text: hsla(203,20%,40%,.7);

    --toclink-text: var(--text);
    --toclink-underline: #3980b5;
    --toclink-visited-text: var(--toclink-text);
    --toclink-visited-underline: #054572;

    --heading-text: #005a9c;

    --hr-text: var(--text);

    --algo-border: #def;

    --del-text: red;
    --del-bg: transparent;
    --ins-text: #080;
    --ins-bg: transparent;

    --a-normal-text: #034575;
    --a-normal-underline: #707070;
    --a-visited-text: var(--a-normal-text);
    --a-visited-underline: #bbb;
    --a-hover-bg: rgba(75%, 75%, 75%, .25);
    --a-active-text: #c00;
    --a-active-underline: #c00;

    --blockquote-border: silver;
    --blockquote-bg: transparent;
    --blockquote-text: currentcolor;

    --issue-border: #e05252;
    --issue-bg: #fbe9e9;
    --issue-text: var(--text);
    --issueheading-text: #831616;

    --example-border: #e0cb52;
    --example-bg: #fcfaee;
    --example-text: var(--text);
    --exampleheading-text: #574b0f;

    --note-border: #52e052;
    --note-bg: #e9fbe9;
    --note-text: var(--text);
    --noteheading-text: hsl(120, 70%, 30%);
    --notesummary-underline: silver;

    --assertion-border: #aaa;
    --assertion-bg: #eee;
    --assertion-text: black;

    --advisement-border: orange;
    --advisement-bg: #fec;
    --advisement-text: var(--text);
    --advisementheading-text: #b35f00;

    --warning-border: red;
    --warning-bg: hsla(40,100%,50%,0.95);
    --warning-text: var(--text);

    --amendment-border: #330099;
    --amendment-bg: #F5F0FF;
    --amendment-text: var(--text);
    --amendmentheading-text: #220066;

    --def-border: #8ccbf2;
    --def-bg: #def;
    --def-text: var(--text);
    --defrow-border: #bbd7e9;

    --datacell-border: silver;

    --indexinfo-text: #707070;

    --indextable-hover-text: black;
    --indextable-hover-bg: #f7f8f9;

    --outdatedspec-bg: rgba(0, 0, 0, .5);
    --outdatedspec-text: black;
    --outdated-bg: maroon;
    --outdated-text: white;
    --outdated-shadow: red;

    --editedrec-bg: darkorange;
}</style>
<style>/* style-counters */

body {
    counter-reset: example figure issue;
}
.issue {
    counter-increment: issue;
}
.issue:not(.no-marker)::before {
    content: "Issue " counter(issue);
}

.example {
    counter-increment: example;
}
.example:not(.no-marker)::before {
    content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
    content: "Invalid Example" counter(example);
}

figcaption {
    counter-increment: figure;
}
figcaption:not(.no-marker)::before {
    content: "Figure " counter(figure) " ";
}</style>
<style>/* style-dfn-panel */

:root {
    --dfnpanel-bg: #ddd;
    --dfnpanel-text: var(--text);
}
.dfn-panel {
    position: absolute;
    z-index: 35;
    height: auto;
    width: -webkit-fit-content;
    width: fit-content;
    max-width: 300px;
    max-height: 500px;
    overflow: auto;
    padding: 0.5em 0.75em;
    font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
    background: var(--dfnpanel-bg);
    color: var(--dfnpanel-text);
    border: outset 0.2em;
}
.dfn-panel:not(.on) { display: none; }
.dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
.dfn-panel > b { display: block; }
.dfn-panel a { color: var(--dfnpanel-text); }
.dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
.dfn-panel > b + b { margin-top: 0.25em; }
.dfn-panel ul { padding: 0; }
.dfn-panel li { list-style: inside; }
.dfn-panel.activated {
    display: inline-block;
    position: fixed;
    left: .5em;
    bottom: 2em;
    margin: 0 auto;
    max-width: calc(100vw - 1.5em - .4em - .5em);
    max-height: 30vh;
}

.dfn-paneled { cursor: pointer; }
</style>
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
   regarding paragraph and lists. */
[data-md] > :first-child {
    margin-top: 0;
}
[data-md] > :last-child {
    margin-bottom: 0;
}</style>
<style>/* style-selflinks */

:root {
    --selflink-text: white;
    --selflink-bg: gray;
    --selflink-hover-text: black;
}
.heading, .issue, .note, .example, li, dt {
    position: relative;
}
a.self-link {
    position: absolute;
    top: 0;
    left: calc(-1 * (3.5rem - 26px));
    width: calc(3.5rem - 26px);
    height: 2em;
    text-align: center;
    border: none;
    transition: opacity .2s;
    opacity: .5;
}
a.self-link:hover {
    opacity: 1;
}
.heading > a.self-link {
    font-size: 83%;
}
li > a.self-link {
    left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
    top: auto;
    left: auto;
    opacity: 0;
    width: 1.5em;
    height: 1.5em;
    background: var(--selflink-bg);
    color: var(--selflink-text);
    font-style: normal;
    transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
    opacity: 1;
}
dfn > a.self-link:hover {
    color: var(--selflink-hover-text);
}

a.self-link::before            { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before      { content: "#"; }
</style>
<style>/* style-syntax-highlighting */

            pre.idl.highlight {
                background: var(--borderedblock-bg, var(--def-bg));
            }
            
code.highlight { padding: .1em; border-radius: .3em; }
pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }

.highlight:not(.idl) { background: rgba(0, 0, 0, .03); }
c-[a] { color: #990055 } /* Keyword.Declaration */
c-[b] { color: #990055 } /* Keyword.Type */
c-[c] { color: #708090 } /* Comment */
c-[d] { color: #708090 } /* Comment.Multiline */
c-[e] { color: #0077aa } /* Name.Attribute */
c-[f] { color: #669900 } /* Name.Tag */
c-[g] { color: #222222 } /* Name.Variable */
c-[k] { color: #990055 } /* Keyword */
c-[l] { color: #000000 } /* Literal */
c-[m] { color: #000000 } /* Literal.Number */
c-[n] { color: #0077aa } /* Name */
c-[o] { color: #999999 } /* Operator */
c-[p] { color: #999999 } /* Punctuation */
c-[s] { color: #a67f59 } /* Literal.String */
c-[t] { color: #a67f59 } /* Literal.String.Single */
c-[u] { color: #a67f59 } /* Literal.String.Double */
c-[cp] { color: #708090 } /* Comment.Preproc */
c-[c1] { color: #708090 } /* Comment.Single */
c-[cs] { color: #708090 } /* Comment.Special */
c-[kc] { color: #990055 } /* Keyword.Constant */
c-[kn] { color: #990055 } /* Keyword.Namespace */
c-[kp] { color: #990055 } /* Keyword.Pseudo */
c-[kr] { color: #990055 } /* Keyword.Reserved */
c-[ld] { color: #000000 } /* Literal.Date */
c-[nc] { color: #0077aa } /* Name.Class */
c-[no] { color: #0077aa } /* Name.Constant */
c-[nd] { color: #0077aa } /* Name.Decorator */
c-[ni] { color: #0077aa } /* Name.Entity */
c-[ne] { color: #0077aa } /* Name.Exception */
c-[nf] { color: #0077aa } /* Name.Function */
c-[nl] { color: #0077aa } /* Name.Label */
c-[nn] { color: #0077aa } /* Name.Namespace */
c-[py] { color: #0077aa } /* Name.Property */
c-[ow] { color: #999999 } /* Operator.Word */
c-[mb] { color: #000000 } /* Literal.Number.Bin */
c-[mf] { color: #000000 } /* Literal.Number.Float */
c-[mh] { color: #000000 } /* Literal.Number.Hex */
c-[mi] { color: #000000 } /* Literal.Number.Integer */
c-[mo] { color: #000000 } /* Literal.Number.Oct */
c-[sb] { color: #a67f59 } /* Literal.String.Backtick */
c-[sc] { color: #a67f59 } /* Literal.String.Char */
c-[sd] { color: #a67f59 } /* Literal.String.Doc */
c-[se] { color: #a67f59 } /* Literal.String.Escape */
c-[sh] { color: #a67f59 } /* Literal.String.Heredoc */
c-[si] { color: #a67f59 } /* Literal.String.Interpol */
c-[sx] { color: #a67f59 } /* Literal.String.Other */
c-[sr] { color: #a67f59 } /* Literal.String.Regex */
c-[ss] { color: #a67f59 } /* Literal.String.Symbol */
c-[vc] { color: #0077aa } /* Name.Variable.Class */
c-[vg] { color: #0077aa } /* Name.Variable.Global */
c-[vi] { color: #0077aa } /* Name.Variable.Instance */
c-[il] { color: #000000 } /* Literal.Number.Integer.Long */
</style>
<style>/* style-darkmode */

@media (prefers-color-scheme: dark) {
    :root {
        --text: #ddd;
        --bg: black;

        --unofficial-watermark: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='400' height='400'%3E%3Cg fill='%23100808' transform='translate(200 200) rotate(-45) translate(-200 -200)' stroke='%23100808' stroke-width='3'%3E%3Ctext x='50%25' y='220' style='font: bold 70px sans-serif; text-anchor: middle; letter-spacing: 6px;'%3EUNOFFICIAL%3C/text%3E%3Ctext x='50%25' y='305' style='font: bold 70px sans-serif; text-anchor: middle; letter-spacing: 6px;'%3EDRAFT%3C/text%3E%3C/g%3E%3C/svg%3E");

        --logo-bg: #1a5e9a;
        --logo-active-bg: #c00;
        --logo-text: white;

        --tocnav-normal-text: #999;
        --tocnav-normal-bg: var(--bg);
        --tocnav-hover-text: var(--tocnav-normal-text);
        --tocnav-hover-bg: #080808;
        --tocnav-active-text: #f44;
        --tocnav-active-bg: var(--tocnav-normal-bg);

        --tocsidebar-text: var(--text);
        --tocsidebar-bg: #080808;
        --tocsidebar-shadow: rgba(255,255,255,.1);
        --tocsidebar-heading-text: hsla(203,20%,40%,.7);

        --toclink-text: var(--text);
        --toclink-underline: #6af;
        --toclink-visited-text: var(--toclink-text);
        --toclink-visited-underline: #054572;

        --heading-text: #8af;

        --hr-text: var(--text);

        --algo-border: #456;

        --del-text: #f44;
        --del-bg: transparent;
        --ins-text: #4a4;
        --ins-bg: transparent;

        --a-normal-text: #6af;
        --a-normal-underline: #555;
        --a-visited-text: var(--a-normal-text);
        --a-visited-underline: var(--a-normal-underline);
        --a-hover-bg: rgba(25%, 25%, 25%, .2);
        --a-active-text: #f44;
        --a-active-underline: var(--a-active-text);

        --borderedblock-bg: rgba(255, 255, 255, .05);

        --blockquote-border: silver;
        --blockquote-bg: var(--borderedblock-bg);
        --blockquote-text: currentcolor;

        --issue-border: #e05252;
        --issue-bg: var(--borderedblock-bg);
        --issue-text: var(--text);
        --issueheading-text: hsl(0deg, 70%, 70%);

        --example-border: hsl(50deg, 90%, 60%);
        --example-bg: var(--borderedblock-bg);
        --example-text: var(--text);
        --exampleheading-text: hsl(50deg, 70%, 70%);

        --note-border: hsl(120deg, 100%, 35%);
        --note-bg: var(--borderedblock-bg);
        --note-text: var(--text);
        --noteheading-text: hsl(120, 70%, 70%);
        --notesummary-underline: silver;

        --assertion-border: #444;
        --assertion-bg: var(--borderedblock-bg);
        --assertion-text: var(--text);

        --advisement-border: orange;
        --advisement-bg: #222218;
        --advisement-text: var(--text);
        --advisementheading-text: #f84;

        --warning-border: red;
        --warning-bg: hsla(40,100%,20%,0.95);
        --warning-text: var(--text);

        --amendment-border: #330099;
        --amendment-bg: #080010;
        --amendment-text: var(--text);
        --amendmentheading-text: #cc00ff;

        --def-border: #8ccbf2;
        --def-bg: #080818;
        --def-text: var(--text);
        --defrow-border: #136;

        --datacell-border: silver;

        --indexinfo-text: #aaa;

        --indextable-hover-text: var(--text);
        --indextable-hover-bg: #181818;

        --outdatedspec-bg: rgba(255, 255, 255, .5);
        --outdatedspec-text: black;
        --outdated-bg: maroon;
        --outdated-text: white;
        --outdated-shadow: red;

        --editedrec-bg: darkorange;
    }
    /* In case a transparent-bg image doesn't expect to be on a dark bg,
       which is quite common in practice... */
    img { background: white; }
}
@media (prefers-color-scheme: dark) {
    :root {
        --selflink-text: black;
        --selflink-bg: silver;
        --selflink-hover-text: white;
    }
}

@media (prefers-color-scheme: dark) {
    :root {
        --dfnpanel-bg: #222;
        --dfnpanel-text: var(--text);
    }
}
@media (prefers-color-scheme: dark) {
    .highlight:not(.idl) { background: rgba(255, 255, 255, .05); }

    c-[a] { color: #d33682 } /* Keyword.Declaration */
    c-[b] { color: #d33682 } /* Keyword.Type */
    c-[c] { color: #2aa198 } /* Comment */
    c-[d] { color: #2aa198 } /* Comment.Multiline */
    c-[e] { color: #268bd2 } /* Name.Attribute */
    c-[f] { color: #b58900 } /* Name.Tag */
    c-[g] { color: #cb4b16 } /* Name.Variable */
    c-[k] { color: #d33682 } /* Keyword */
    c-[l] { color: #657b83 } /* Literal */
    c-[m] { color: #657b83 } /* Literal.Number */
    c-[n] { color: #268bd2 } /* Name */
    c-[o] { color: #657b83 } /* Operator */
    c-[p] { color: #657b83 } /* Punctuation */
    c-[s] { color: #6c71c4 } /* Literal.String */
    c-[t] { color: #6c71c4 } /* Literal.String.Single */
    c-[u] { color: #6c71c4 } /* Literal.String.Double */
    c-[ch] { color: #2aa198 } /* Comment.Hashbang */
    c-[cp] { color: #2aa198 } /* Comment.Preproc */
    c-[cpf] { color: #2aa198 } /* Comment.PreprocFile */
    c-[c1] { color: #2aa198 } /* Comment.Single */
    c-[cs] { color: #2aa198 } /* Comment.Special */
    c-[kc] { color: #d33682 } /* Keyword.Constant */
    c-[kn] { color: #d33682 } /* Keyword.Namespace */
    c-[kp] { color: #d33682 } /* Keyword.Pseudo */
    c-[kr] { color: #d33682 } /* Keyword.Reserved */
    c-[ld] { color: #657b83 } /* Literal.Date */
    c-[nc] { color: #268bd2 } /* Name.Class */
    c-[no] { color: #268bd2 } /* Name.Constant */
    c-[nd] { color: #268bd2 } /* Name.Decorator */
    c-[ni] { color: #268bd2 } /* Name.Entity */
    c-[ne] { color: #268bd2 } /* Name.Exception */
    c-[nf] { color: #268bd2 } /* Name.Function */
    c-[nl] { color: #268bd2 } /* Name.Label */
    c-[nn] { color: #268bd2 } /* Name.Namespace */
    c-[py] { color: #268bd2 } /* Name.Property */
    c-[ow] { color: #657b83 } /* Operator.Word */
    c-[mb] { color: #657b83 } /* Literal.Number.Bin */
    c-[mf] { color: #657b83 } /* Literal.Number.Float */
    c-[mh] { color: #657b83 } /* Literal.Number.Hex */
    c-[mi] { color: #657b83 } /* Literal.Number.Integer */
    c-[mo] { color: #657b83 } /* Literal.Number.Oct */
    c-[sa] { color: #6c71c4 } /* Literal.String.Affix */
    c-[sb] { color: #6c71c4 } /* Literal.String.Backtick */
    c-[sc] { color: #6c71c4 } /* Literal.String.Char */
    c-[dl] { color: #6c71c4 } /* Literal.String.Delimiter */
    c-[sd] { color: #6c71c4 } /* Literal.String.Doc */
    c-[se] { color: #6c71c4 } /* Literal.String.Escape */
    c-[sh] { color: #6c71c4 } /* Literal.String.Heredoc */
    c-[si] { color: #6c71c4 } /* Literal.String.Interpol */
    c-[sx] { color: #6c71c4 } /* Literal.String.Other */
    c-[sr] { color: #6c71c4 } /* Literal.String.Regex */
    c-[ss] { color: #6c71c4 } /* Literal.String.Symbol */
    c-[fm] { color: #268bd2 } /* Name.Function.Magic */
    c-[vc] { color: #cb4b16 } /* Name.Variable.Class */
    c-[vg] { color: #cb4b16 } /* Name.Variable.Global */
    c-[vi] { color: #cb4b16 } /* Name.Variable.Instance */
    c-[vm] { color: #cb4b16 } /* Name.Variable.Magic */
    c-[il] { color: #657b83 } /* Literal.Number.Integer.Long */
}
</style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
   <h1 class="p-name no-ref" id="title">WebOTP API</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Draft Community Group Report, <time class="dt-updated" datetime="2021-04-13">13 April 2021</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="http://wicg.github.io/WebOTP">http://wicg.github.io/WebOTP</a>
     <dt>Test Suite:
     <dd><a href="https://github.com/web-platform-tests/wpt/tree/master/sms">https://github.com/web-platform-tests/wpt/tree/master/sms</a>
     <dt>Issue Tracking:
     <dd><a href="https://github.com/WICG/WebOTP/issues/">GitHub</a>
     <dt class="editor">Editor:
     <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:goto@google.com">Sam Goto</a> (<a class="p-org org" href="https://google.com">Google Inc.</a>)
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <p class="copyright" data-fill-with="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2021 the Contributors to the WebOTP API Specification, published by the <a href="https://www.w3.org/community/wicg/">Web Platform Incubator Community Group</a> under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a>.
A human-readable <a href="http://www.w3.org/community/about/agreements/cla-deed/">summary</a> is available. </p>
   <hr title="Separator for header">
  </div>
  <div class="p-summary" data-fill-with="abstract">
   <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
   <p>A Javascript API to request one time passwords for verifying credentials (e.g. phone numbers, emails).</p>
  </div>
  <div data-fill-with="at-risk"></div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
   <p> This specification was published by the <a href="https://www.w3.org/community/wicg/">Web Platform Incubator Community Group</a>.
  It is not a W3C Standard nor is it on the W3C Standards Track.

  Please note that under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a> there is a limited opt-out and other conditions apply.

  Learn more about <a href="http://www.w3.org/community/">W3C Community and Business Groups</a>. </p>
   <p></p>
  </div>
  <div data-fill-with="at-risk"></div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li>
     <a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
     <ol class="toc">
      <li><a href="#intro-client"><span class="secno">1.1</span> <span class="content">The client side API</span></a>
      <li><a href="#intro-server"><span class="secno">1.2</span> <span class="content">The server side API</span></a>
      <li><a href="#intro-feature-detection"><span class="secno">1.3</span> <span class="content">Feature Detection</span></a>
      <li><a href="#intro-wc"><span class="secno">1.4</span> <span class="content">Web Components</span></a>
      <li><a href="#intro-abort"><span class="secno">1.5</span> <span class="content">Abort API</span></a>
     </ol>
    <li>
     <a href="#API"><span class="secno">2</span> <span class="content">Client Side API</span></a>
     <ol class="toc">
      <li>
       <a href="#OTPCredential"><span class="secno">2.1</span> <span class="content">The OTPCredential Interface</span></a>
       <ol class="toc">
        <li><a href="#sctn-discover-from-external-source"><span class="secno">2.1.1</span> <span class="content">The <code><span><code>[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</code></span></code> Method</span></a>
       </ol>
      <li><a href="#CredentialRequestOptions"><span class="secno">2.2</span> <span class="content"><code>CredentialRequestOptions</code></span></a>
      <li><a href="#OTPCredentialRequestOptions"><span class="secno">2.3</span> <span class="content"><code>OTPCredentialRequestOptions</code></span></a>
      <li><a href="#enum-transport"><span class="secno">2.4</span> <span class="content"><code>OTPCredentialTransportType</code></span></a>
      <li><a href="#sctn-permissions-policy"><span class="secno">2.5</span> <span class="content">Permissions Policy integration</span></a>
      <li><a href="#sctn-iframe-guidance"><span class="secno">2.6</span> <span class="content">Using WebOTP within <code>iframe</code> elements</span></a>
     </ol>
    <li>
     <a href="#transports"><span class="secno">3</span> <span class="content">Transports</span></a>
     <ol class="toc">
      <li><a href="#transports-sms"><span class="secno">3.1</span> <span class="content">SMS</span></a>
     </ol>
    <li>
     <a href="#security"><span class="secno">4</span> <span class="content">Security</span></a>
     <ol class="toc">
      <li><a href="#security-availability"><span class="secno">4.1</span> <span class="content">Availability</span></a>
      <li><a href="#security-addressing"><span class="secno">4.2</span> <span class="content">Addressing</span></a>
      <li><a href="#security-tampering"><span class="secno">4.3</span> <span class="content">Tampering</span></a>
      <li><a href="#sctn-seccons-visibility"><span class="secno">4.4</span> <span class="content">Visibility Considerations for Embedded Usage</span></a>
     </ol>
    <li><a href="#privacy"><span class="secno">5</span> <span class="content">Privacy</span></a>
    <li><a href="#acknowledgements"><span class="secno">6</span> <span class="content">Acknowledgements</span></a>
    <li>
     <a href="#w3c-conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li><a href="#w3c-conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#w3c-conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
     </ol>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
    <li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
   </ol>
  </nav>
  <main>
   <p><img alt="logo" src="logo-otp.svg" style="height: 100px; width: 100px; position: absolute; right: 20px; top: 30px;"></p>
   <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
   <p><em>This section is non-normative.</em></p>
   <p>Many web sites need to verify credentials (e.g. phone numbers and
email addresses) as part of their authentication flows. They currently
rely on sending one-time-passwords (OTP) to these communication channels to
be used as proof of ownership. The one-time-password is manually
handed back by the user (typically by copying/pasting) to the web app
which is onerous and erroneous.</p>
   <p>This a proposal for a client side javascript API that enables web
sites to request OTPs and a set of transport-specific conventions (we
start with SMS while leaving the door open to others) that can be used
in coordination with browsers.</p>
   <h3 class="heading settled" data-level="1.1" id="intro-client"><span class="secno">1.1. </span><span class="content">The client side API</span><a class="self-link" href="#intro-client"></a></h3>
   <p>In this proposal, websites have the ability to call a browser API to
request OTPs coming from specific transports (e.g. via SMS).</p>
   <p>The browser intermediates the receipt of the SMS and the handing off
to the calling website (typically asking for the user’s consent), so
the API returns a promise asynchronously.</p>
   <div class="example" id="example-ca9b1fd1">
    <a class="self-link" href="#example-ca9b1fd1"></a> 
<pre class="language-js highlight"><c- a>let</c-> <c- p>{</c->code<c- p>,</c-> type<c- p>}</c-> <c- o>=</c-> <c- k>await</c-> navigator<c- p>.</c->credentials<c- p>.</c->get<c- p>({</c->
  otp<c- o>:</c-> <c- p>{</c->
    transport<c- o>:</c-> <c- p>[</c-><c- u>"sms"</c-><c- p>]</c->
  <c- p>}</c->
<c- p>});</c->
</pre>
   </div>
   <h3 class="heading settled" data-level="1.2" id="intro-server"><span class="secno">1.2. </span><span class="content">The server side API</span><a class="self-link" href="#intro-server"></a></h3>
   <p>Once the client side API is called, the website’s server can send
OTPs to the client via the requested transport mechanisms. For each
of these transport mechanism, a server side convention is set in
place to guarantee that the OTP is delivered safely and
programatically.</p>
   <p>For SMS, for example, servers should send <a data-link-type="dfn" href="https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message">origin-bound one-time code messages</a> to clients. <a data-link-type="biblio" href="#biblio-sms-one-time-codes">[sms-one-time-codes]</a></p>
   <div class="example" id="example-64d8fead">
    <a class="self-link" href="#example-64d8fead"></a> 
    <p>In the following <a data-link-type="dfn" href="https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message①">origin-bound one-time code message</a>, the host is <code>"example.com"</code>, the code is <code>"123456"</code>, and the explanatory text is <code>"Your authentication code is 123456.\n"</code>.</p>
<pre>"Your authentication code is 123456.

@example.com #123456"
</pre>
   </div>
   <h3 class="heading settled" data-level="1.3" id="intro-feature-detection"><span class="secno">1.3. </span><span class="content">Feature Detection</span><a class="self-link" href="#intro-feature-detection"></a></h3>
   <p>Not all user agents necessarily need to implement the WebOTP API at
the exact same moment in time, so websites need a mechanism to detect
if the API is available.</p>
   <p>Websites can check for the presence of the OTPCredential global
interface:</p>
   <div class="example" id="example-41ef25d5">
    <a class="self-link" href="#example-41ef25d5"></a> 
<pre class="language-js highlight"><c- k>if</c-> <c- p>(</c-><c- o>!</c->window<c- p>.</c->OTPCredential<c- p>)</c-> <c- p>{</c->
  <c- c1>// feature not available</c->
  <c- k>return</c-><c- p>;</c->
<c- p>}</c->
</pre>
   </div>
   <h3 class="heading settled" data-level="1.4" id="intro-wc"><span class="secno">1.4. </span><span class="content">Web Components</span><a class="self-link" href="#intro-wc"></a></h3>
   <p>For the most part, OTP verification largely relies on:</p>
   <ul>
    <li data-md>
     <p>input, forms and copy/paste, on the client side and</p>
    <li data-md>
     <p>third party frameworks to send SMS, on the server side.</p>
   </ul>
   <p>We expect some of these frameworks to develop declarative versions of
this API to facilitate the deployment of their customer’s existing
code.</p>
   <div class="example" id="example-6cbc72d5">
    <a class="self-link" href="#example-6cbc72d5"></a> Web Component Polyfills 
<pre class="language-html highlight"><c- p>&lt;</c-><c- f>script</c-> <c- e>src</c-><c- o>=</c-><c- s>"sms-sdk.js"</c-><c- p>>&lt;/</c-><c- f>script</c-><c- p>></c->

<c- p>&lt;</c-><c- f>form</c-><c- p>></c->
  <c- p>&lt;</c-><c- f>input</c-> <c- e>is</c-><c- o>=</c-><c- s>"one-time-code"</c-> <c- e>required</c-> <c- p>/></c->
  <c- p>&lt;</c-><c- f>input</c-> <c- e>type</c-><c- o>=</c-><c- s>"submit"</c-> <c- p>/></c->
<c- p>&lt;/</c-><c- f>form</c-><c- p>></c->
</pre>
   </div>
   <p>And here is an example of how a framework could implement it
using web components:</p>
   <div class="example" id="example-b58563d9">
    <a class="self-link" href="#example-b58563d9"></a> Web Component Polyfills 
<pre class="language-js highlight">customElements<c- p>.</c->define<c- p>(</c-><c- u>"one-time-code"</c-><c- p>,</c->
  <c- a>class</c-> <c- k>extends</c-> HTMLInputElement <c- p>{</c->
    connectedCallback<c- p>()</c-> <c- p>{</c->
      <c- k>this</c-><c- p>.</c->receive<c- p>();</c->
    <c- p>}</c->
    <c- k>async</c-> receive<c- p>()</c-> <c- p>{</c->
      <c- a>let</c-> <c- p>{</c->code<c- p>,</c-> type<c- p>}</c-> <c- o>=</c-> <c- k>await</c-> navigator<c- p>.</c->credentials<c- p>.</c->get<c- p>({</c->
        otp<c- o>:</c-> <c- p>{</c->
         transport<c- o>:</c-> <c- p>[</c-><c- u>"sms"</c-><c- p>]</c->
        <c- p>}</c->
      <c- p>});</c->
      <c- k>this</c-><c- p>.</c->value <c- o>=</c-> otp<c- p>;</c->
      <c- k>this</c-><c- p>.</c->form<c- p>.</c->submit<c- p>();</c->
    <c- p>}</c->
  <c- p>},</c-> <c- p>{</c->
    <c- k>extends</c-><c- o>:</c-> <c- u>"input"</c->
<c- p>});</c->
</pre>
   </div>
   <h3 class="heading settled" data-level="1.5" id="intro-abort"><span class="secno">1.5. </span><span class="content">Abort API</span><a class="self-link" href="#intro-abort"></a></h3>
   <p>Many modern websites handle navigations on the client side. So, if a
user navigates away from an OTP flow to another flow, the request
needs to be cancelled so that the user isn’t bothered with a
permission prompt that isn’t relevant anymore.</p>
   <p>To facilitate that, an abort controller can be passed to abort the
request:</p>
   <div class="example" id="example-fc08bd4b">
    <a class="self-link" href="#example-fc08bd4b"></a> 
<pre class="language-js highlight"><c- a>const</c-> abort <c- o>=</c-> <c- k>new</c-> AbortController<c- p>();</c->

setTimeout<c- p>(()</c-> <c- p>=></c-> <c- p>{</c->
  <c- c1>// abort after two minutes</c->
  abort<c- p>.</c->abort<c- p>();</c->
<c- p>},</c-> <c- mf>2</c-> <c- o>*</c-> <c- mf>60</c-> <c- o>*</c-> <c- mf>1000</c-><c- p>);</c->
  
<c- a>let</c-> <c- p>{</c->code<c- p>,</c-> type<c- p>}</c-> <c- o>=</c-> <c- k>await</c-> navigator<c- p>.</c->credentials<c- p>.</c->get<c- p>({</c->
  signal<c- o>:</c-> abort<c- p>.</c->signal<c- p>,</c->
  otp<c- o>:</c-> <c- p>{</c->
    transport<c- o>:</c-> <c- p>[</c-><c- u>"sms"</c-><c- p>]</c->
  <c- p>}</c->
<c- p>});</c->
</pre>
   </div>
   <h2 class="heading settled" data-level="2" id="API"><span class="secno">2. </span><span class="content">Client Side API</span><a class="self-link" href="#API"></a></h2>
   <p>Websites call <code><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get">navigator.credentials.get({otp:..., ...})</a></code> to retrieve an OTP.</p>
   <p>The algorithm of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get①">navigator.credentials.get()</a></code> looks through all of the interfaces that inherit from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential">Credential</a></code> in the <a data-link-type="abstract-op" href="https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential" id="ref-for-abstract-opdef-request-a-credential">Request a <code>Credential</code></a> abstract operation.</p>
   <p>In that operation, it finds <code class="idl"><a data-link-type="idl" href="#otpcredential" id="ref-for-otpcredential">OTPCredential</a></code> which inherits from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential①">Credential</a></code>. It calls <code>OTPCredential.<code class="idl"><a data-link-type="idl">[[CollectFromCredentialStore]]()</a></code></code> to collect any <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#credentials" id="ref-for-credentials">credentials</a> that
should be available without <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#user-mediated" id="ref-for-user-mediated">user mediation</a>, and if it does not find
exactly one of those, it then calls <code>OTPCredential.<code class="idl"><a data-link-type="idl" href="#dom-otpcredential-discoverfromexternalsource-slot" id="ref-for-dom-otpcredential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]]()</a></code></code> to have
the user select a credential source and fulfill the request.</p>
   <p>Since this specification requires an <a data-link-type="dfn">authorization gesture</a> to create OTP <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#credentials" id="ref-for-credentials①">credentials</a>, the <code>OTPCredential.<code class="idl"><a data-link-type="idl">[[CollectFromCredentialStore]]()</a></code></code> <a data-link-type="dfn">internal method</a> inherits the default behavior of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors" id="ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">Credential.[[CollectFromCredentialStore]]()</a></code>, of returning an empty set.</p>
   <p>It is then the responsibility of <code>OTPCredential.<code class="idl"><a data-link-type="idl" href="#dom-otpcredential-discoverfromexternalsource-slot" id="ref-for-dom-otpcredential-discoverfromexternalsource-slot①">[[DiscoverFromExternalSource]]()</a></code></code> to provide an OTP.</p>
   <h3 class="heading settled" data-level="2.1" id="OTPCredential"><span class="secno">2.1. </span><span class="content">The OTPCredential Interface</span><a class="self-link" href="#OTPCredential"></a></h3>
   <p>The <code class="idl"><a data-link-type="idl" href="#otpcredential" id="ref-for-otpcredential①">OTPCredential</a></code> interface extends <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential②">Credential</a></code> and contains
the attributes that are returned to the caller when a new one time
password is retrieved.</p>
   <p><code class="idl"><a data-link-type="idl" href="#otpcredential" id="ref-for-otpcredential②">OTPCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object" id="ref-for-dfn-interface-object">interface object</a> inherits <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential③">Credential</a></code>'s implementation of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors" id="ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors①">[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)</a></code>, and defines its own
implementation of <code class="idl"><a data-link-type="idl" href="#dom-otpcredential-discoverfromexternalsource-slot" id="ref-for-dom-otpcredential-discoverfromexternalsource-slot②">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code>.</p>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext" id="ref-for-SecureContext"><c- g>SecureContext</c-></a>]
<c- b>interface</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export id="otpcredential"><code><c- g>OTPCredential</c-></code></dfn> : <a data-link-type="idl-name" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential④"><c- n>Credential</c-></a> {
    <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="attribute" data-readonly data-type="DOMString" href="#dom-otpcredential-code" id="ref-for-dom-otpcredential-code"><c- g>code</c-></a>;
};
</pre>
   <dl>
    <dt data-md><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id" id="ref-for-dom-credential-id">id</a></code>
    <dd data-md>
     <p>This attribute is inherited from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential" id="ref-for-credential⑤">Credential</a></code></p>
    <dt data-md><dfn class="idl-code" data-dfn-for="OTPCredential" data-dfn-type="attribute" data-export id="dom-otpcredential-type-slot"><code>[[type]]</code><a class="self-link" href="#dom-otpcredential-type-slot"></a></dfn>
    <dd data-md>
     <p>The <code class="idl"><a data-link-type="idl" href="#otpcredential" id="ref-for-otpcredential③">OTPCredential</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object" id="ref-for-dfn-interface-object①">interface object</a>'s <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot" id="ref-for-dom-credential-type-slot">[[type]]</a></code> <a data-link-type="dfn">internal slot</a>'s value is the string
"<code>otp</code>".</p>
    <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="OTPCredential" data-dfn-type="attribute" data-export id="dom-otpcredential-code"><code class="idl"><a data-link-type="idl" href="#dom-otpcredential-code" id="ref-for-dom-otpcredential-code①">code</a></code></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①">DOMString</a>, readonly</span>
    <dd data-md>
     <p>The retrieved one time password.</p>
   </dl>
   <h4 class="heading settled" data-level="2.1.1" id="sctn-discover-from-external-source"><span class="secno">2.1.1. </span><span class="content">The <code><dfn class="dfn-paneled idl-code" data-dfn-for="OTPCredential" data-dfn-type="method" data-export id="dom-otpcredential-discoverfromexternalsource-slot"><code>[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</code></dfn></code> Method</span><a class="self-link" href="#sctn-discover-from-external-source"></a></h4>
   <p>This method is called every time <code><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get②">navigator.credentials.get({otp:..., ...})</a></code> and is responsible for returning an OTP when one is requested (i.e. when <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-otp" id="ref-for-dom-credentialrequestoptions-otp">otp</a></code></code> is passed).</p>
   <p>This <a data-link-type="dfn">internal method</a> accepts three arguments:</p>
   <dl>
    <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-origin"><code>origin</code><a class="self-link" href="#dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-origin"></a></dfn>
    <dd data-md>
     <p>This argument is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object">relevant settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin">origin</a>, as determined by the
calling <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get③">get()</a></code> implementation, i.e., <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer" id="ref-for-credentialscontainer">CredentialsContainer</a></code>'s <a data-link-type="abstract-op" href="https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential" id="ref-for-abstract-opdef-request-a-credential①">Request a <code>Credential</code></a> abstract operation.</p>
    <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-options"><code>options</code><a class="self-link" href="#dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-options"></a></dfn>
    <dd data-md>
     <p>This argument is a <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions">CredentialRequestOptions</a></code> object whose <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-otp" id="ref-for-dom-credentialrequestoptions-otp①">otp</a></code></code> member contains a <code class="idl"><a data-link-type="idl" href="#dictdef-otpcredentialrequestoptions" id="ref-for-dictdef-otpcredentialrequestoptions">OTPCredentialRequestOptions</a></code> object specifying the desired attributes of the OTP to retrieve.</p>
    <dt data-md><dfn class="idl-code" data-dfn-for="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)" data-dfn-type="argument" data-export id="dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-sameoriginwithancestors"><code>sameOriginWithAncestors</code><a class="self-link" href="#dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-sameoriginwithancestors"></a></dfn>
    <dd data-md>
     <p>This argument is a Boolean value which is <code>true</code> if and only if the caller’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object" id="ref-for-environment-settings-object">environment settings object</a> is <a data-link-type="dfn" href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors" id="ref-for-same-origin-with-its-ancestors">same-origin with its ancestors</a>. It is <code>false</code> if caller is cross-origin.</p>
     <p class="note" role="note"><span>Note:</span> Invocation of this <a data-link-type="dfn">internal method</a> indicates that it was allowed by <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy" id="ref-for-concept-document-permissions-policy">permissions policy</a>, which is evaluated at the <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a> level.
See <a href="#sctn-permissions-policy">§ 2.5 Permissions Policy integration</a>.</p>
   </dl>
   <p class="note" role="note"><span>Note:</span> <strong>This algorithm is synchronous:</strong> the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise" id="ref-for-idl-promise">Promise</a></code> resolution/rejection is handled by <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get④">navigator.credentials.get()</a></code>.</p>
   <p>When this method is invoked, the user agent MUST execute the following algorithm:</p>
   <ol>
    <li data-md>
     <p class="assertion">Assert: <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-otp" id="ref-for-dom-credentialrequestoptions-otp②">otp</a></code></code> is <a data-link-type="dfn">present</a>.</p>
    <li data-md>
     <p>Let <var>options</var> be the value of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-otp" id="ref-for-dom-credentialrequestoptions-otp③">otp</a></code></code>.</p>
    <li data-md>
     <p>Let <var>callerOrigin</var> be <code class="idl"><a data-link-type="idl">origin</a></code>.
If <var>callerOrigin</var> is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque" id="ref-for-concept-origin-opaque">opaque origin</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror" id="ref-for-notallowederror">NotAllowedError</a></code>", and terminate this algorithm.</p>
    <li data-md>
     <p>Let <var>effectiveDomain</var> be the <var>callerOrigin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain">effective domain</a>.
If <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain①">effective domain</a> is not a <a data-link-type="dfn">valid domain</a>, then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException①">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror" id="ref-for-securityerror">SecurityError</a></code>" and terminate this algorithm.</p>
     <p class="note" role="note"><span>Note:</span> An <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain" id="ref-for-concept-origin-effective-domain②">effective domain</a> may resolve to a <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-documentfragment-host" id="ref-for-concept-documentfragment-host">host</a>, which can be represented in various manners,
    such as <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain" id="ref-for-concept-origin-domain">domain</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv4" id="ref-for-concept-ipv4">ipv4 address</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv6" id="ref-for-concept-ipv6">ipv6 address</a>, <a data-link-type="dfn" href="https://url.spec.whatwg.org/#opaque-host" id="ref-for-opaque-host">opaque host</a>, or <a data-link-type="dfn" href="https://url.spec.whatwg.org/#empty-host" id="ref-for-empty-host">empty host</a>.
    Only the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain" id="ref-for-concept-origin-domain①">domain</a> format of <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-documentfragment-host" id="ref-for-concept-documentfragment-host①">host</a> is allowed here. This is for simplification and also is
    in recognition of various issues with using direct IP address identification in concert with
    PKI-based security.</p>
    <li data-md>
     <p>If the <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-signal" id="ref-for-dom-credentialrequestoptions-signal">signal</a></code></code> is <a data-link-type="dfn">present</a> and its <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag" id="ref-for-abortsignal-aborted-flag">aborted flag</a> is set to <code>true</code>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException" id="ref-for-idl-DOMException②">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#aborterror" id="ref-for-aborterror">AbortError</a></code>"
and terminate this algorithm.</p>
    <li data-md>
     <p>TODO(goto): figure out how to connect the dots here with the transport algorithms.</p>
   </ol>
   <p>During the above process, the user agent SHOULD show some UI to the user to guide them in the process of sharing the OTP with the origin.</p>
   <h3 class="heading settled" data-level="2.2" id="CredentialRequestOptions"><span class="secno">2.2. </span><span class="content"><code>CredentialRequestOptions</code></span><a class="self-link" href="#CredentialRequestOptions"></a></h3>
   <p>To support obtaining OTPs via <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑤">navigator.credentials.get()</a></code>,
this document extends the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions①">CredentialRequestOptions</a></code> dictionary as follows:</p>
<pre class="idl highlight def"><c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions②"><c- g>CredentialRequestOptions</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-otpcredentialrequestoptions" id="ref-for-dictdef-otpcredentialrequestoptions①"><c- n>OTPCredentialRequestOptions</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="OTPCredentialRequestOptions " href="#dom-credentialrequestoptions-otp" id="ref-for-dom-credentialrequestoptions-otp④"><c- g>otp</c-></a>;
};
</pre>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="CredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-credentialrequestoptions-otp"><code>otp</code></dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-otpcredentialrequestoptions" id="ref-for-dictdef-otpcredentialrequestoptions②">OTPCredentialRequestOptions</a></span>
     <dd data-md>
      <p>This OPTIONAL member is used to make WebOTP requests.</p>
    </dl>
   </div>
   <h3 class="heading settled" data-level="2.3" id="OTPCredentialRequestOptions"><span class="secno">2.3. </span><span class="content"><code>OTPCredentialRequestOptions</code></span><a class="self-link" href="#OTPCredentialRequestOptions"></a></h3>
   <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-otpcredentialrequestoptions" id="ref-for-dictdef-otpcredentialrequestoptions③">OTPCredentialRequestOptions</a></code> dictionary supplies <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑥">navigator.credentials.get()</a></code> with the data it needs to retrieve an
OTP.</p>
<pre class="idl highlight def"><c- b>dictionary</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export id="dictdef-otpcredentialrequestoptions"><code><c- g>OTPCredentialRequestOptions</c-></code></dfn> {
  <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence" id="ref-for-idl-sequence"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#enumdef-otpcredentialtransporttype" id="ref-for-enumdef-otpcredentialtransporttype"><c- n>OTPCredentialTransportType</c-></a>> <a class="idl-code" data-default="[]" data-link-type="dict-member" data-type="sequence<OTPCredentialTransportType> " href="#dom-otpcredentialrequestoptions-transport" id="ref-for-dom-otpcredentialrequestoptions-transport"><c- g>transport</c-></a> = [];
};
</pre>
   <div>
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="OTPCredentialRequestOptions" data-dfn-type="dict-member" data-export id="dom-otpcredentialrequestoptions-transport"><code>transport</code></dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="#enumdef-otpcredentialtransporttype" id="ref-for-enumdef-otpcredentialtransporttype①">OTPCredentialTransportType</a>>, defaulting to <code>[]</code></span>
     <dd data-md>
      <p>This OPTIONAL member contains a hint as to how the <a data-link-type="dfn">server</a> might receive the OTP.
The values SHOULD be members of <code class="idl"><a data-link-type="idl" href="#enumdef-otpcredentialtransporttype" id="ref-for-enumdef-otpcredentialtransporttype②">OTPCredentialTransportType</a></code> but <a data-link-type="dfn">client platforms</a> MUST ignore unknown values.</p>
    </dl>
   </div>
   <h3 class="heading settled" data-level="2.4" id="enum-transport"><span class="secno">2.4. </span><span class="content"><code>OTPCredentialTransportType</code></span><a class="self-link" href="#enum-transport"></a></h3>
<pre class="idl highlight def"><c- b>enum</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export id="enumdef-otpcredentialtransporttype"><code><c- g>OTPCredentialTransportType</c-></code></dfn> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-otpcredentialtransporttype-sms" id="ref-for-dom-otpcredentialtransporttype-sms"><c- s>"sms"</c-></a>,
};
</pre>
   <div>
     User Agents may implement various transport mechanisms to allow
    the retrieval of OTPs. This enumeration defines hints as to how
    user agents may communicate with the transport mechanisms. 
    <dl>
     <dt data-md><dfn class="dfn-paneled idl-code" data-dfn-for="OTPCredentialTransportType" data-dfn-type="enum-value" data-export data-lt="&quot;sms&quot;|sms" id="dom-otpcredentialtransporttype-sms"><code>sms</code></dfn>
     <dd data-md>
      <p>Indicates that the OTP is expected to arrive via SMS.</p>
    </dl>
   </div>
   <h3 class="heading settled" data-level="2.5" id="sctn-permissions-policy"><span class="secno">2.5. </span><span class="content">Permissions Policy integration</span><a class="self-link" href="#sctn-permissions-policy"></a></h3>
   <p>This specification defines one <a data-link-type="dfn" href="https://w3c.github.io/webappsec-permissions-policy/#policy-controlled-feature" id="ref-for-policy-controlled-feature">policy-controlled feature</a> identified by
the feature-identifier token "<code><dfn class="dfn-paneled" data-dfn-type="dfn" data-export data-lt="otp-credentials-feature" id="otp-credentials-feature">otp-credentials</dfn></code>".
Its <a data-link-type="dfn" href="https://w3c.github.io/webappsec-permissions-policy/#default-allowlist" id="ref-for-default-allowlist">default allowlist</a> is '<code>self</code>'. <a data-link-type="biblio" href="#biblio-permissions-policy">[Permissions-Policy]</a></p>
   <p>A <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document">Document</a></code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy" id="ref-for-concept-document-permissions-policy①">permissions policy</a> determines whether any content in that <a href="https://html.spec.whatwg.org/multipage/dom.html#documents">document</a> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use" id="ref-for-allowed-to-use">allowed to successfully invoke</a> the <a data-link-type="dfn">WebOTP API</a>, i.e., via <code><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get" id="ref-for-dom-credentialscontainer-get⑦">navigator.credentials.get({otp: { transport: ["sms"]}})</a></code>.
If disabled in any document, no content in the document will be <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use" id="ref-for-allowed-to-use①">allowed to use</a> the foregoing methods: attempting to do so will <a href="https://www.w3.org/2001/tag/doc/promises-guide#errors">return an error</a>.</p>
   <h3 class="heading settled" data-level="2.6" id="sctn-iframe-guidance"><span class="secno">2.6. </span><span class="content">Using WebOTP within <code>iframe</code> elements</span><a class="self-link" href="#sctn-iframe-guidance"></a></h3>
   <p>The <a data-link-type="dfn">WebOTP API</a> is available in inner frames when the origins match but it’s disabled by default in cross-origin <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element">iframe</a></code>s.
To override this default policy and indicate that a cross-origin <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element①">iframe</a></code> is allowed to invoke the <a data-link-type="dfn">WebOTP API</a>'s <code class="idl"><a data-link-type="idl" href="#dom-otpcredential-discoverfromexternalsource-slot" id="ref-for-dom-otpcredential-discoverfromexternalsource-slot③">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a></code> method, specify the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow" id="ref-for-attr-iframe-allow">allow</a></code> attribute on the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element②">iframe</a></code> element and include the <code><a data-link-type="dfn" href="#otp-credentials-feature" id="ref-for-otp-credentials-feature">otp-credentialst</a></code> feature-identifier token in the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow" id="ref-for-attr-iframe-allow①">allow</a></code> attribute’s value.</p>
   <p><a data-link-type="dfn">Relying Parties</a> utilizing the WebOTP API in an embedded context should review <a href="#sctn-seccons-visibility">§ 4.4 Visibility Considerations for Embedded Usage</a> regarding <a data-link-type="dfn" href="#ui-redressing" id="ref-for-ui-redressing">UI redressing</a> and its possible mitigations.</p>
   <h2 class="heading settled" data-level="3" id="transports"><span class="secno">3. </span><span class="content">Transports</span><a class="self-link" href="#transports"></a></h2>
   <p>We expect a variety of different transport mechanisms to enable OTPs
to be received, most notably via SMS, email and hardware devices.</p>
   <p>Each of these transport mechanisms will need their own conventions on
how to provide OTPs to the browser.</p>
   <p>In this draft, we leave the API surface to be extensible to any number
of transports.</p>
   <h3 class="heading settled" data-level="3.1" id="transports-sms"><span class="secno">3.1. </span><span class="content">SMS</span><a class="self-link" href="#transports-sms"></a></h3>
   <p>One of the most commonly used transport mechanisms for OTP is via
SMS messages, allowing developers to verify phone numbers. They
are typically sent embedded in an SMS message, which gets copied and
pasted by users.</p>
   <p><a data-link-type="biblio" href="#biblio-sms-one-time-codes">[sms-one-time-codes]</a> defines <a data-link-type="dfn" href="https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message②">origin-bound one-time code messages</a>, a format for sending OTPs over SMS and associating them with origins.</p>
   <h2 class="heading settled" data-level="4" id="security"><span class="secno">4. </span><span class="content">Security</span><a class="self-link" href="#security"></a></h2>
   <p>From a security perspective, there are two considerations with this
API:</p>
   <ul>
    <li data-md>
     <p>tampering: preventing attacks based on the modification of the message.</p>
   </ul>
   <h3 class="heading settled" data-level="4.1" id="security-availability"><span class="secno">4.1. </span><span class="content">Availability</span><a class="self-link" href="#security-availability"></a></h3>
   <p>This API is only available on:</p>
   <ul>
    <li data-md>
     <p>https (or localhost, for development purposes)</p>
   </ul>
   <p>This API is also only available via https or localhost (for development
purposes). We don’t entirely adopt the concept of trustworthy urls
because it covers more schemes (e.g. data://123) than we would like to
(our initial intuition is that (a) https and localhost covers most
cases and (b) it needs to be clear to the user what public facing
entity its sending the SMS).</p>
   <h3 class="heading settled" data-level="4.2" id="security-addressing"><span class="secno">4.2. </span><span class="content">Addressing</span><a class="self-link" href="#security-addressing"></a></h3>
   <p>Each transport mechanism is responsible for guaranteeing that the
browser has enough information to route the OTP appropriately to the
intended origin.</p>
   <p>For example, <a data-link-type="dfn" href="https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message③">origin-bound one-time code messages</a> explicitly
identify the origin on which the OTP can be used.</p>
   <p>The addressing scheme must be enforced by the agent to guarantee that
it gets routed appropriately.</p>
   <h3 class="heading settled" data-level="4.3" id="security-tampering"><span class="secno">4.3. </span><span class="content">Tampering</span><a class="self-link" href="#security-tampering"></a></h3>
   <p>There isn’t any built-in cryptographic guarantee that the OTP that is
being handed back by this API hasn’t been tampered with. For example,
an attacker could send an <a data-link-type="dfn" href="https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message④">origin-bound one-time code message</a> to the
user’s phone with an arbitrary origin which the agent happilly passes
back to the requesting call.</p>
   <div class="example" id="example-2de70cc1">
    <a class="self-link" href="#example-2de70cc1"></a> 
<pre>Your verification code is: MUAHAHAHA

@example.com #MUAHAHAHA
</pre>
   </div>
   <p>It is the responsibility for the caller to:</p>
   <ul>
    <li data-md>
     <p>put in place the checks necessary to verify that the OTP that was received
is a valid one, for example:</p>
     <ul>
      <li data-md>
       <p>parsing it carefully according to its known formatting expectations
(e.g. only alpha numeric values),</p>
      <li data-md>
       <p>storing and checking OTPs that were sent on a server side database.</p>
     </ul>
    <li data-md>
     <p>degrade gracefully when an invalid OTP is received (e.g. re-request one).</p>
   </ul>
   <h3 class="heading settled" data-level="4.4" id="sctn-seccons-visibility"><span class="secno">4.4. </span><span class="content">Visibility Considerations for Embedded Usage</span><a class="self-link" href="#sctn-seccons-visibility"></a></h3>
   <p>Simplistic use of WebOTP in an embedded context, e.g., within <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element③">iframe</a></code>s as described in <a href="#sctn-iframe-guidance">§ 2.6 Using WebOTP within iframe elements</a>, may make users vulnerable to <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="ui-redressing">UI Redressing</dfn> attacks, also known as "<a href="https://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a>". This is where an attacker overlays their own UI on top of a <a data-link-type="dfn">Relying Party</a>'s intended UI and attempts to trick the user into performing unintended actions with the <a data-link-type="dfn">Relying Party</a>. For example, using these techniques, an attacker might be able to trick users into purchasing items, transferring money, etc.</p>
   <h2 class="heading settled" data-level="5" id="privacy"><span class="secno">5. </span><span class="content">Privacy</span><a class="self-link" href="#privacy"></a></h2>
   <p>From a privacy perspective, the most notable consideration is for a user agent
to enforce the consensual exchange of information between the user and the
website.</p>
   <p>Specifically, this API allows the programatic verification of personally
identifiable attributes of the user, for example email addresses and phone
numbers.</p>
   <p>The attack vector that is most frequently raised is a targeted attack:
websites trying to find a <strong>very</strong> specific user accross all of its user
base. In this attack, if left unattended, a website can use this API to
try to find a <strong>specific</strong> user that owns a <strong>specific</strong> phone number by
sending all / some (depending on the confidence level) of its users an <a data-link-type="dfn" href="https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message⑤">origin-bound one-time code message</a> and detecting when one is received.</p>
   <p>Notably, this API doesn’t help with the <strong>acquisition</strong> of the personal
information, but rather with its <strong>verification</strong>. That is, this API helps <strong>verifying</strong> whether the user owns a specific phone number, but doesn’t
help acquiring the phone number in the first place (it assumes that the
website already has access to it).</p>
   <p>Nonetheless, the verification of the possession of these attributes is extra
information about the user and should be handled responsibly by a user
agent, typically via <strong>permission prompts</strong> before handing back the OTP
to the website.</p>
   <h2 class="heading settled" data-level="6" id="acknowledgements"><span class="secno">6. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>
   <p>Many thanks to
Steven Soneff,
Ayu Ishii,
Reilly Grant,
Eiji Kitamura,
Alex Russell,
Owen Campbell-Moore,
Joshua Bell,
Ricky Mondello and
Mike West
for helping craft this proposal.</p>
   <p>Special thanks to Tab Atkins, Jr. for creating and maintaining <a href="https://github.com/tabatkins/bikeshed">Bikeshed</a>, the specification
authoring tool used to create this document, and for his general
authoring advice.</p>
  </main>
  <div data-fill-with="conformance">
   <h2 class="no-ref no-num heading settled" id="w3c-conformance"><span class="content">Conformance</span><a class="self-link" href="#w3c-conformance"></a></h2>
   <h3 class="no-ref no-num heading settled" id="w3c-conventions"><span class="content">Document conventions</span><a class="self-link" href="#w3c-conventions"></a></h3>
   <p>Conformance requirements are expressed
    with a combination of descriptive assertions
    and RFC 2119 terminology.
    The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL”
    in the normative parts of this document
    are to be interpreted as described in RFC 2119.
    However, for readability,
    these words do not appear in all uppercase letters in this specification. </p>
   <p>All of the text of this specification is normative
    except sections explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a> </p>
   <p>Examples in this specification are introduced with the words “for example”
    or are set apart from the normative text
    with <code>class="example"</code>,
    like this: </p>
   <div class="example" id="w3c-example">
    <a class="self-link" href="#w3c-example"></a> 
    <p>This is an example of an informative example. </p>
   </div>
   <p>Informative notes begin with the word “Note”
    and are set apart from the normative text
    with <code>class="note"</code>,
    like this: </p>
   <p class="note" role="note">Note, this is an informative note. </p>
   <h3 class="no-ref no-num heading settled" id="w3c-conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#w3c-conformant-algorithms"></a></h3>
   <p>Requirements phrased in the imperative as part of algorithms
    (such as "strip any leading space characters"
    or "return false and abort these steps")
    are to be interpreted with the meaning of the key word
    ("must", "should", "may", etc)
    used in introducing the algorithm. </p>
   <p>Conformance requirements phrased as algorithms or specific steps
    can be implemented in any manner,
    so long as the end result is equivalent.
    In particular, the algorithms defined in this specification
    are intended to be easy to understand
    and are not intended to be performant.
    Implementers are encouraged to optimize. </p>
  </div>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#dom-otpcredential-code">code</a><span>, in §2.1</span>
   <li><a href="#dom-otpcredential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</a><span>, in §2.1.1</span>
   <li><a href="#dom-credentialrequestoptions-otp">otp</a><span>, in §2.2</span>
   <li><a href="#otpcredential">OTPCredential</a><span>, in §2.1</span>
   <li><a href="#dictdef-otpcredentialrequestoptions">OTPCredentialRequestOptions</a><span>, in §2.3</span>
   <li><a href="#otp-credentials-feature">otp-credentials-feature</a><span>, in §2.5</span>
   <li><a href="#enumdef-otpcredentialtransporttype">OTPCredentialTransportType</a><span>, in §2.4</span>
   <li><a href="#dom-otpcredentialtransporttype-sms">"sms"</a><span>, in §2.4</span>
   <li><a href="#dom-otpcredentialtransporttype-sms">sms</a><span>, in §2.4</span>
   <li><a href="#dom-otpcredentialrequestoptions-transport">transport</a><span>, in §2.3</span>
   <li><a href="#dom-otpcredential-type-slot">[[type]]</a><span>, in §2.1</span>
   <li><a href="#ui-redressing">UI Redressing</a><span>, in §4.4</span>
  </ul>
  <aside class="dfn-panel" data-for="term-for-credential">
   <a href="https://w3c.github.io/webappsec-credential-management/#credential">https://w3c.github.io/webappsec-credential-management/#credential</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential">2. Client Side API</a> <a href="#ref-for-credential①">(2)</a>
    <li><a href="#ref-for-credential②">2.1. The OTPCredential Interface</a> <a href="#ref-for-credential③">(2)</a> <a href="#ref-for-credential④">(3)</a> <a href="#ref-for-credential⑤">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dictdef-credentialrequestoptions">
   <a href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions">https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-credentialrequestoptions">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dictdef-credentialrequestoptions①">2.2. CredentialRequestOptions</a> <a href="#ref-for-dictdef-credentialrequestoptions②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-credentialscontainer">
   <a href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer">https://w3c.github.io/webappsec-credential-management/#credentialscontainer</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credentialscontainer">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-abstract-opdef-request-a-credential">
   <a href="https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential">https://w3c.github.io/webappsec-credential-management/#abstract-opdef-request-a-credential</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-abstract-opdef-request-a-credential">2. Client Side API</a>
    <li><a href="#ref-for-abstract-opdef-request-a-credential①">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">
   <a href="https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors">https://w3c.github.io/webappsec-credential-management/#collectfromcredentialstore-origin-options-sameoriginwithancestors</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">2. Client Side API</a>
    <li><a href="#ref-for-collectfromcredentialstore-origin-options-sameoriginwithancestors①">2.1. The OTPCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credential-type-slot">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot">https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credential-type-slot">2.1. The OTPCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credentialscontainer-get">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialscontainer-get">2. Client Side API</a> <a href="#ref-for-dom-credentialscontainer-get①">(2)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get②">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-credentialscontainer-get③">(2)</a> <a href="#ref-for-dom-credentialscontainer-get④">(3)</a>
    <li><a href="#ref-for-dom-credentialscontainer-get⑤">2.2. CredentialRequestOptions</a>
    <li><a href="#ref-for-dom-credentialscontainer-get⑥">2.3. OTPCredentialRequestOptions</a>
    <li><a href="#ref-for-dom-credentialscontainer-get⑦">2.5. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credential-id">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id">https://w3c.github.io/webappsec-credential-management/#dom-credential-id</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credential-id">2.1. The OTPCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-same-origin-with-its-ancestors">
   <a href="https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors">https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-same-origin-with-its-ancestors">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-credentialrequestoptions-signal">
   <a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-signal">https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-signal</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialrequestoptions-signal">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-user-mediated">
   <a href="https://w3c.github.io/webappsec-credential-management/#user-mediated">https://w3c.github.io/webappsec-credential-management/#user-mediated</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-mediated">2. Client Side API</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-document">
   <a href="https://dom.spec.whatwg.org/#document">https://dom.spec.whatwg.org/#document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-document">2.5. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-abortsignal-aborted-flag">
   <a href="https://dom.spec.whatwg.org/#abortsignal-aborted-flag">https://dom.spec.whatwg.org/#abortsignal-aborted-flag</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-abortsignal-aborted-flag">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-documentfragment-host">
   <a href="https://dom.spec.whatwg.org/#concept-documentfragment-host">https://dom.spec.whatwg.org/#concept-documentfragment-host</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-documentfragment-host">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-documentfragment-host①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-credentials">
   <a href="https://fetch.spec.whatwg.org/#credentials">https://fetch.spec.whatwg.org/#credentials</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credentials">2. Client Side API</a> <a href="#ref-for-credentials①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-attr-iframe-allow">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attr-iframe-allow">2.6. Using WebOTP within iframe elements</a> <a href="#ref-for-attr-iframe-allow①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-allowed-to-use">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-allowed-to-use">2.5. Permissions Policy integration</a> <a href="#ref-for-allowed-to-use①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin-domain">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain">https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin-domain">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-origin-domain①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin-effective-domain">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain">https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin-effective-domain">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-concept-origin-effective-domain①">(2)</a> <a href="#ref-for-concept-origin-effective-domain②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-environment-settings-object">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-environment-settings-object">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-the-iframe-element">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-the-iframe-element">2.6. Using WebOTP within iframe elements</a> <a href="#ref-for-the-iframe-element①">(2)</a> <a href="#ref-for-the-iframe-element②">(3)</a>
    <li><a href="#ref-for-the-iframe-element③">4.4. Visibility Considerations for Embedded Usage</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin-opaque">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque">https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin-opaque">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-settings-object-origin">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-settings-object-origin">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document-permissions-policy">
   <a href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy">https://html.spec.whatwg.org/multipage/dom.html#concept-document-permissions-policy</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document-permissions-policy">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-concept-document-permissions-policy①">2.5. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-relevant-settings-object">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-relevant-settings-object">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-default-allowlist">
   <a href="https://w3c.github.io/webappsec-permissions-policy/#default-allowlist">https://w3c.github.io/webappsec-permissions-policy/#default-allowlist</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-default-allowlist">2.5. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-policy-controlled-feature">
   <a href="https://w3c.github.io/webappsec-permissions-policy/#policy-controlled-feature">https://w3c.github.io/webappsec-permissions-policy/#policy-controlled-feature</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-controlled-feature">2.5. Permissions Policy integration</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-origin-bound-one-time-code-message">
   <a href="https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message">https://wicg.github.io/sms-one-time-codes/#origin-bound-one-time-code-message</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-origin-bound-one-time-code-message">1.2. The server side API</a> <a href="#ref-for-origin-bound-one-time-code-message①">(2)</a>
    <li><a href="#ref-for-origin-bound-one-time-code-message②">3.1. SMS</a>
    <li><a href="#ref-for-origin-bound-one-time-code-message③">4.2. Addressing</a>
    <li><a href="#ref-for-origin-bound-one-time-code-message④">4.3. Tampering</a>
    <li><a href="#ref-for-origin-bound-one-time-code-message⑤">5. Privacy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-empty-host">
   <a href="https://url.spec.whatwg.org/#empty-host">https://url.spec.whatwg.org/#empty-host</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-empty-host">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-ipv4">
   <a href="https://url.spec.whatwg.org/#concept-ipv4">https://url.spec.whatwg.org/#concept-ipv4</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-ipv4">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-ipv6">
   <a href="https://url.spec.whatwg.org/#concept-ipv6">https://url.spec.whatwg.org/#concept-ipv6</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-ipv6">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-opaque-host">
   <a href="https://url.spec.whatwg.org/#opaque-host">https://url.spec.whatwg.org/#opaque-host</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-opaque-host">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-aborterror">
   <a href="https://heycam.github.io/webidl/#aborterror">https://heycam.github.io/webidl/#aborterror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-aborterror">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-DOMException">
   <a href="https://heycam.github.io/webidl/#idl-DOMException">https://heycam.github.io/webidl/#idl-DOMException</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-DOMException">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-idl-DOMException①">(2)</a> <a href="#ref-for-idl-DOMException②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-DOMString">
   <a href="https://heycam.github.io/webidl/#idl-DOMString">https://heycam.github.io/webidl/#idl-DOMString</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-DOMString">2.1. The OTPCredential Interface</a> <a href="#ref-for-idl-DOMString①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-Exposed">
   <a href="https://heycam.github.io/webidl/#Exposed">https://heycam.github.io/webidl/#Exposed</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-Exposed">2.1. The OTPCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-notallowederror">
   <a href="https://heycam.github.io/webidl/#notallowederror">https://heycam.github.io/webidl/#notallowederror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-notallowederror">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-promise">
   <a href="https://heycam.github.io/webidl/#idl-promise">https://heycam.github.io/webidl/#idl-promise</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-promise">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-SecureContext">
   <a href="https://heycam.github.io/webidl/#SecureContext">https://heycam.github.io/webidl/#SecureContext</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-SecureContext">2.1. The OTPCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-securityerror">
   <a href="https://heycam.github.io/webidl/#securityerror">https://heycam.github.io/webidl/#securityerror</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-securityerror">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dfn-interface-object">
   <a href="https://heycam.github.io/webidl/#dfn-interface-object">https://heycam.github.io/webidl/#dfn-interface-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dfn-interface-object">2.1. The OTPCredential Interface</a> <a href="#ref-for-dfn-interface-object①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-sequence">
   <a href="https://heycam.github.io/webidl/#idl-sequence">https://heycam.github.io/webidl/#idl-sequence</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-sequence">2.3. OTPCredentialRequestOptions</a>
   </ul>
  </aside>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[CREDENTIAL-MANAGEMENT-1]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-credential">Credential</span>
     <li><span class="dfn-paneled" id="term-for-dictdef-credentialrequestoptions">CredentialRequestOptions</span>
     <li><span class="dfn-paneled" id="term-for-credentialscontainer">CredentialsContainer</span>
     <li><span class="dfn-paneled" id="term-for-abstract-opdef-request-a-credential">Request a Credential</span>
     <li><span class="dfn-paneled" id="term-for-collectfromcredentialstore-origin-options-sameoriginwithancestors">[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)</span>
     <li><span class="dfn-paneled" id="term-for-dom-credential-type-slot">[[type]]</span>
     <li><span class="dfn-paneled" id="term-for-dom-credentialscontainer-get">get()</span>
     <li><span class="dfn-paneled" id="term-for-dom-credential-id">id</span>
     <li><span class="dfn-paneled" id="term-for-same-origin-with-its-ancestors">same-origin with its ancestors</span>
     <li><span class="dfn-paneled" id="term-for-dom-credentialrequestoptions-signal">signal</span>
     <li><span class="dfn-paneled" id="term-for-user-mediated">user mediation</span>
    </ul>
   <li>
    <a data-link-type="biblio">[DOM]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-document">Document</span>
     <li><span class="dfn-paneled" id="term-for-abortsignal-aborted-flag">aborted flag</span>
     <li><span class="dfn-paneled" id="term-for-concept-documentfragment-host">host</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FETCH]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-credentials">credentials</span>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-attr-iframe-allow">allow</span>
     <li><span class="dfn-paneled" id="term-for-allowed-to-use">allowed to use</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin-domain">domain</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin-effective-domain">effective domain</span>
     <li><span class="dfn-paneled" id="term-for-environment-settings-object">environment settings object</span>
     <li><span class="dfn-paneled" id="term-for-the-iframe-element">iframe</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin-opaque">opaque origin</span>
     <li><span class="dfn-paneled" id="term-for-concept-settings-object-origin">origin</span>
     <li><span class="dfn-paneled" id="term-for-concept-document-permissions-policy">permissions policy</span>
     <li><span class="dfn-paneled" id="term-for-relevant-settings-object">relevant settings object</span>
    </ul>
   <li>
    <a data-link-type="biblio">[Permissions-Policy]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-default-allowlist">default allowlist</span>
     <li><span class="dfn-paneled" id="term-for-policy-controlled-feature">policy-controlled feature</span>
    </ul>
   <li>
    <a data-link-type="biblio">[sms-one-time-codes]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-origin-bound-one-time-code-message">origin-bound one-time code message</span>
    </ul>
   <li>
    <a data-link-type="biblio">[URL]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-empty-host">empty host</span>
     <li><span class="dfn-paneled" id="term-for-concept-ipv4">ipv4 address</span>
     <li><span class="dfn-paneled" id="term-for-concept-ipv6">ipv6 address</span>
     <li><span class="dfn-paneled" id="term-for-opaque-host">opaque host</span>
    </ul>
   <li>
    <a data-link-type="biblio">[WebIDL]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-aborterror">AbortError</span>
     <li><span class="dfn-paneled" id="term-for-idl-DOMException">DOMException</span>
     <li><span class="dfn-paneled" id="term-for-idl-DOMString">DOMString</span>
     <li><span class="dfn-paneled" id="term-for-Exposed">Exposed</span>
     <li><span class="dfn-paneled" id="term-for-notallowederror">NotAllowedError</span>
     <li><span class="dfn-paneled" id="term-for-idl-promise">Promise</span>
     <li><span class="dfn-paneled" id="term-for-SecureContext">SecureContext</span>
     <li><span class="dfn-paneled" id="term-for-securityerror">SecurityError</span>
     <li><span class="dfn-paneled" id="term-for-dfn-interface-object">interface object</span>
     <li><span class="dfn-paneled" id="term-for-idl-sequence">sequence</span>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]
   <dd>Mike West. <a href="https://www.w3.org/TR/credential-management-1/">Credential Management Level 1</a>. 17 January 2019. WD. URL: <a href="https://www.w3.org/TR/credential-management-1/">https://www.w3.org/TR/credential-management-1/</a>
   <dt id="biblio-dom">[DOM]
   <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a>
   <dt id="biblio-fetch">[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-html">[HTML]
   <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
   <dt id="biblio-permissions-policy">[Permissions-Policy]
   <dd>Ian Clelland. <a href="https://www.w3.org/TR/permissions-policy-1/">Permissions Policy</a>. 16 July 2020. WD. URL: <a href="https://www.w3.org/TR/permissions-policy-1/">https://www.w3.org/TR/permissions-policy-1/</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-sms-one-time-codes">[SMS-ONE-TIME-CODES]
   <dd><a href="https://wicg.github.io/sms-one-time-codes/">Origin-bound one-time codes delivered via SMS</a>. cg-draft. URL: <a href="https://wicg.github.io/sms-one-time-codes/">https://wicg.github.io/sms-one-time-codes/</a>
   <dt id="biblio-webidl">[WebIDL]
   <dd>Boris Zbarsky. <a href="https://heycam.github.io/webidl/">Web IDL</a>. 15 December 2016. ED. URL: <a href="https://heycam.github.io/webidl/">https://heycam.github.io/webidl/</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-url">[URL]
   <dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
  </dl>
  <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->, <a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext"><c- g>SecureContext</c-></a>]
<c- b>interface</c-> <a href="#otpcredential"><code><c- g>OTPCredential</c-></code></a> : <a data-link-type="idl-name" href="https://w3c.github.io/webappsec-credential-management/#credential"><c- n>Credential</c-></a> {
    <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><c- b>DOMString</c-></a> <a class="idl-code" data-link-type="attribute" data-readonly data-type="DOMString" href="#dom-otpcredential-code"><c- g>code</c-></a>;
};

<c- b>partial</c-> <c- b>dictionary</c-> <a class="idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialrequestoptions"><c- g>CredentialRequestOptions</c-></a> {
    <a data-link-type="idl-name" href="#dictdef-otpcredentialrequestoptions"><c- n>OTPCredentialRequestOptions</c-></a> <a class="idl-code" data-link-type="dict-member" data-type="OTPCredentialRequestOptions " href="#dom-credentialrequestoptions-otp"><c- g>otp</c-></a>;
};

<c- b>dictionary</c-> <a href="#dictdef-otpcredentialrequestoptions"><code><c- g>OTPCredentialRequestOptions</c-></code></a> {
  <a data-link-type="dfn" href="https://heycam.github.io/webidl/#idl-sequence"><c- b>sequence</c-></a>&lt;<a data-link-type="idl-name" href="#enumdef-otpcredentialtransporttype"><c- n>OTPCredentialTransportType</c-></a>> <a class="idl-code" data-default="[]" data-link-type="dict-member" data-type="sequence<OTPCredentialTransportType> " href="#dom-otpcredentialrequestoptions-transport"><c- g>transport</c-></a> = [];
};

<c- b>enum</c-> <a href="#enumdef-otpcredentialtransporttype"><code><c- g>OTPCredentialTransportType</c-></code></a> {
    <a class="idl-code" data-link-type="enum-value" href="#dom-otpcredentialtransporttype-sms"><c- s>"sms"</c-></a>,
};

</pre>
  <aside class="dfn-panel" data-for="otpcredential">
   <b><a href="#otpcredential">#otpcredential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-otpcredential">2. Client Side API</a>
    <li><a href="#ref-for-otpcredential①">2.1. The OTPCredential Interface</a> <a href="#ref-for-otpcredential②">(2)</a> <a href="#ref-for-otpcredential③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-otpcredential-code">
   <b><a href="#dom-otpcredential-code">#dom-otpcredential-code</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-otpcredential-code">2.1. The OTPCredential Interface</a> <a href="#ref-for-dom-otpcredential-code①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-otpcredential-discoverfromexternalsource-slot">
   <b><a href="#dom-otpcredential-discoverfromexternalsource-slot">#dom-otpcredential-discoverfromexternalsource-slot</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-otpcredential-discoverfromexternalsource-slot">2. Client Side API</a> <a href="#ref-for-dom-otpcredential-discoverfromexternalsource-slot①">(2)</a>
    <li><a href="#ref-for-dom-otpcredential-discoverfromexternalsource-slot②">2.1. The OTPCredential Interface</a>
    <li><a href="#ref-for-dom-otpcredential-discoverfromexternalsource-slot③">2.6. Using WebOTP within iframe elements</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-credentialrequestoptions-otp">
   <b><a href="#dom-credentialrequestoptions-otp">#dom-credentialrequestoptions-otp</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialrequestoptions-otp">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a> <a href="#ref-for-dom-credentialrequestoptions-otp①">(2)</a> <a href="#ref-for-dom-credentialrequestoptions-otp②">(3)</a> <a href="#ref-for-dom-credentialrequestoptions-otp③">(4)</a>
    <li><a href="#ref-for-dom-credentialrequestoptions-otp④">2.2. CredentialRequestOptions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-otpcredentialrequestoptions">
   <b><a href="#dictdef-otpcredentialrequestoptions">#dictdef-otpcredentialrequestoptions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-otpcredentialrequestoptions">2.1.1. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method</a>
    <li><a href="#ref-for-dictdef-otpcredentialrequestoptions①">2.2. CredentialRequestOptions</a> <a href="#ref-for-dictdef-otpcredentialrequestoptions②">(2)</a>
    <li><a href="#ref-for-dictdef-otpcredentialrequestoptions③">2.3. OTPCredentialRequestOptions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-otpcredentialrequestoptions-transport">
   <b><a href="#dom-otpcredentialrequestoptions-transport">#dom-otpcredentialrequestoptions-transport</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-otpcredentialrequestoptions-transport">2.3. OTPCredentialRequestOptions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-otpcredentialtransporttype">
   <b><a href="#enumdef-otpcredentialtransporttype">#enumdef-otpcredentialtransporttype</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-otpcredentialtransporttype">2.3. OTPCredentialRequestOptions</a> <a href="#ref-for-enumdef-otpcredentialtransporttype①">(2)</a> <a href="#ref-for-enumdef-otpcredentialtransporttype②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-otpcredentialtransporttype-sms">
   <b><a href="#dom-otpcredentialtransporttype-sms">#dom-otpcredentialtransporttype-sms</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-otpcredentialtransporttype-sms">2.4. OTPCredentialTransportType</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="otp-credentials-feature">
   <b><a href="#otp-credentials-feature">#otp-credentials-feature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-otp-credentials-feature">2.6. Using WebOTP within iframe elements</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="ui-redressing">
   <b><a href="#ui-redressing">#ui-redressing</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ui-redressing">2.6. Using WebOTP within iframe elements</a>
   </ul>
  </aside>
<script>/* script-dfn-panel */

document.body.addEventListener("click", function(e) {
    var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
    // Find the dfn element or panel, if any, that was clicked on.
    var el = e.target;
    var target;
    var hitALink = false;
    while(el.parentElement) {
        if(el.tagName == "A") {
            // Clicking on a link in a <dfn> shouldn't summon the panel
            hitALink = true;
        }
        if(el.classList.contains("dfn-paneled")) {
            target = "dfn";
            break;
        }
        if(el.classList.contains("dfn-panel")) {
            target = "dfn-panel";
            break;
        }
        el = el.parentElement;
    }
    if(target != "dfn-panel") {
        // Turn off any currently "on" or "activated" panels.
        queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
            el.classList.remove("on");
            el.classList.remove("activated");
        });
    }
    if(target == "dfn" && !hitALink) {
        // open the panel
        var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']");
        if(dfnPanel) {
            dfnPanel.classList.add("on");
            var rect = el.getBoundingClientRect();
            dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
            dfnPanel.style.top = window.scrollY + rect.top + "px";
            var panelRect = dfnPanel.getBoundingClientRect();
            var panelWidth = panelRect.right - panelRect.left;
            if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
                // Reposition, because the panel is overflowing
                dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
            }
        } else {
            console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
        }
    } else if(target == "dfn-panel") {
        // Switch it to "activated" state, which pins it.
        el.classList.add("activated");
        el.style.left = null;
        el.style.top = null;
    }

});
</script>