Test the Email Verification Protocol with an origin trial

dbbk1 pts0 comments

Test the Email Verification Protocol with an origin trial | Blog | Chrome for Developers

Skip to main content

English

Deutsch

Español – América Latina

Français

Indonesia

Italiano

Nederlands

Polski

Português – Brasil

Tiếng Việt

Türkçe

Русский

עברית

العربيّة

فارسی

हिंदी

বাংলা

ภาษาไทย

中文 – 简体

中文 – 繁體

日本語

한국어

Sign in

Blog

Chrome for Developers

Blog

Test the Email Verification Protocol with an origin trial

Stay organized with collections

Save and categorize content based on your preferences.

Rowan Merewood

GitHub

Mastodon

Bluesky

Published: July 8, 2026

When collecting an email address as a part of a sign-up, sign-in, subscribe,<br>checkout, account recovery, or other process, it's common practice to confirm<br>that the email address is owned by the person entering it. Existing verification<br>methods, like one-time passwords (OTPs) or email verification links (magic<br>links), require the user to navigate away from your site. This disruptive<br>process can increase the risk of the user, whether a human or an agent,<br>abandoning their session entirely and never completing their authentication<br>process.

The Email Verification API is a proposal that allows the browser to communicate<br>directly with the email provider to verify that the user owns the email address.<br>Users select an email from the browser's autofill or autocomplete suggestion,<br>submit the form, and the site verifies the email address with the provider<br>without sending an email or interrupting the user's flow.

Email Verification API user prompt demo

Email collection is a critical conversion point in a user's journey, and Chrome<br>would like feedback on the proposal from sites<br>that want to verify emails, email providers that can perform the verification,<br>and users experiencing the process. You can<br>sign up for the origin trial<br>today and follow the implementation instructions here. For general origin trial<br>configuration, refer to Getting started with origin<br>trials.

You can try the flow with a demo account:

Issuer demo gives you a mock email<br>account and session

Verifier demo will verify any<br>participating provider

Note: Gmail is participating in the origin trial as a provider. You can test the<br>verification flow with any @gmail.com address without additional<br>configuration.<br>Email verification flow

The following sections explain what you and your users need to start the email<br>verification flow, and the whole workflow when using the Email Verification<br>Protocol.

Key terms

Key terms for the Email Verification API are as follows:

Verifier : The site that collects the email address and wants to verify<br>it. The verifier is also called the Relying<br>Party.

Email Provider : The service providing the user's email address, for<br>example gmail.com.

Issuer : The service that manages the account for the user's email, for<br>example accounts.google.com. The issuer is also called the Identity<br>Provider.

In some cases, the email provider and the issuer may operate from the same<br>domain. However, it's important to distinguish between having an email address<br>and having an active session for the associated account.

Email Verification flow architecture

Prerequisites

The user must be signed in to their email provider or issuer on the same<br>browser profile. For example, if they use Gmail, they must be signed into<br>their Google Account.

As a participating verifier site, you must sign up for the origin trial<br>and provide the token on the same page as your email form.

The user must select their email address from the autofill or autocomplete<br>drop-down.

If the user has previously entered an email address in the field, it<br>will be offered using autocomplete.

If the user has added their email address using Chrome settings<br>"Autofill and password" (chrome://settings/autofill) it will be<br>offered using autofill.

Note: Support for manually typed addresses is planned for a future release.

The first time a user provides an email address for verification they will<br>see a permission prompt. This only occurs once per email address.

Once the user has that active session in their browser, they can start the<br>process:

On a form with an email field, the user selects their email address from the<br>autocomplete drop-down. The verifier site provides a hidden field in the<br>form with a per-instance nonce to validate this request.

The browser will then retrieve the email verification DNS record for the<br>email domain. This points the browser to the issuer. The issuer will then<br>confirm that they have an active session for that email address.

Note: These requests don't reveal any additional information about the<br>user. The verifier site does not receive information during this step.<br>The issuer only sees a request to verify the user exists; it does not<br>see which site initiated the request.

The issuer will then provide their Email Verification Token (EVT) for the<br>address. The browser combines that into a key bound JWT with the EVT, the<br>site origin, and the nonce from the input form.

When...

email verification user address origin issuer

Related Articles