The login permission gives a ChromeOS extension access to chrome.login, the API used to drive Managed Guest Sessions and to lock/unlock the current session on managed ChromeOS devices.
This is an enterprise-only and ChromeOS-only permission. It can only be used by extensions force-installed by enterprise policy on managed ChromeOS hardware.
What it does
- Drives Managed Guest Sessions (MGS) — sessions admins set up for shared kiosk-style devices. Methods include:
  - chrome.login.launchManagedGuestSession(password?) — start a managed guest session.
  - chrome.login.exitCurrentSession(dataForNextLoginAttempt?) — sign out of the current session.
  - chrome.login.fetchDataForNextLoginAttempt() — read data passed across sessions via exitCurrentSession.
  - chrome.login.lockManagedGuestSession() / unlockManagedGuestSession(password) — lock/unlock with a per-session password the extension chose.
  - chrome.login.launchSharedManagedGuestSession(password) — start an MGS that can be shared between extensions on the device.
- Drives the current user session lock state for any managed ChromeOS user:
  - chrome.login.lockCurrentSession() — lock the screen.
  - chrome.login.unlockCurrentSession(password) — unlock with the user's password.
- For SAML-based SSO flows, an extension can also pre-stage credentials with launchSamlUserSessionWithToken(...) and signal external logout completion via notifyExternalLogoutDone().
When to use it
This is for enterprise extensions that orchestrate session lifecycle on managed ChromeOS — typically kiosks, shared devices, lab carts, or custom enterprise login flows.
Examples:
- A kiosk extension that locks the device after each customer interaction and re-launches a clean managed guest session.
- A library / classroom shared-device extension that ends one student's session and resets state for the next user.
- A corporate SSO bridge that completes login by handing a token off to ChromeOS.
Manifest Declaration
{
  "name": "My Enterprise Session Manager",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "login"
  ]
}
Security & Privacy
Why is it low risk on personal devices, high risk on managed ones?
chrome.login only loads on managed ChromeOS hardware where the extension was force-installed by enterprise policy. On a personal computer the API is unavailable, so a malicious extension declaring login cannot use it.
On a managed device the capability is significant: an extension with login can sign the user out, lock the screen, or relaunch a managed guest session. A misbehaving login extension can effectively hijack the session lifecycle. Enterprise IT should evaluate it accordingly.
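For the evaluation step above, one way an admin could check an extension inventory for login declarations that have not been approved. This is an added example, not code from the original page or from Chrome; the approved-ID allowlist, the inventory shape ({ id, manifestText }) and the sample manifests are constructed assumptions.

```javascript
// Added example: flag extensions that declare "login" but are not approved.
// APPROVED_IDS, the inventory shape and the sample data are constructed.
const APPROVED_IDS = new Set(["a".repeat(32)]);

// Names of the manifest permission lists that contain "login".
// Both lists are checked defensively so no declaration is missed.
function loginDeclarations(manifest) {
  return ["permissions", "optional_permissions"].filter(
    (key) => Array.isArray(manifest[key]) && manifest[key].includes("login")
  );
}

// Classify one inventory entry: { id, manifestText } -> finding.
function auditExtension({ id, manifestText }) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return { id, status: "unreadable", detail: err.message };
  }
  if (manifest === null || typeof manifest !== "object") {
    return { id, status: "unreadable", detail: "manifest is not an object" };
  }
  const declaredIn = loginDeclarations(manifest);
  if (declaredIn.length === 0) return { id, status: "no-login" };
  const status = APPROVED_IDS.has(id) ? "approved" : "needs-review";
  return { id, status, declaredIn, name: String(manifest.name ?? "") };
}

// Keep only the findings a reviewer has to look at.
function auditInventory(extensions) {
  return extensions
    .map(auditExtension)
    .filter((f) => f.status === "needs-review" || f.status === "unreadable");
}

// Constructed inventory: approved, unapproved, unrelated, and corrupt.
const manifestOf = (name, extra) =>
  JSON.stringify({ name, version: "1.0", manifest_version: 3, ...extra });
const SAMPLE_INVENTORY = [
  { id: "a".repeat(32), manifestText: manifestOf("My Enterprise Session Manager", { permissions: ["login"] }) },
  { id: "b".repeat(32), manifestText: manifestOf("Shift Helper", { permissions: ["storage", "login"] }) },
  { id: "c".repeat(32), manifestText: manifestOf("Notes", { permissions: ["storage"] }) },
  { id: "d".repeat(32), manifestText: '{ "name": "Broken",' },
];

console.log(auditInventory(SAMPLE_INVENTORY));
```

Unreadable manifests are reported rather than skipped, so a corrupt entry cannot hide a login declaration from the review.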
API Usage Example
This example launches a managed guest session, then locks it with an extension-controlled password and unlocks it later.
// background.js — running on a managed ChromeOS device
async function startKioskShift(password) {
  // Launching with a password is what makes the session lockable.
  await chrome.login.launchManagedGuestSession(password);
}

async function lockForBreak() {
  // lockManagedGuestSession() takes no arguments. The password supplied at
  // launch is what `unlockManagedGuestSession` expects.
  // Store/share it via your existing extension flow.
  await chrome.login.lockManagedGuestSession();
}

async function resumeFromBreak(password) {
  await chrome.login.unlockManagedGuestSession(password);
}

async function endShift() {
  // Optionally pass data for the next session to read via
  // chrome.login.fetchDataForNextLoginAttempt().
  await chrome.login.exitCurrentSession(JSON.stringify({ shift: 'ended' }));
}