platformKeys

The platformKeys permission allows an extension to access client certificates that are managed by the platform. These certificates are typically stored in a hardware-backed keystore (like a TPM).

This API is ChromeOS-only: chrome.platformKeys is not exposed on Windows, macOS, or Linux. For device-key flows, see enterprise.platformKeys (also ChromeOS-only); on other platforms, an extension has to delegate certificate operations to an external native helper via nativeMessaging.

What it does

  • Grants access to the chrome.platformKeys API.
  • Allows an extension to request a list of available client certificates that match a given set of parameters.
  • The extension can then use the private key of a chosen certificate to sign data.
  • Crucially, the private key itself is never exposed to the extension. The platform (ChromeOS or the browser) performs the signing operation in a secure environment and returns the signature.

When to use it

This is for extensions that need to authenticate to a remote service (like a corporate VPN or a secure website) using a hardware-backed client certificate.

Examples:

  • An extension that configures a VPN connection that requires certificate-based authentication.
  • An extension that facilitates single sign-on to corporate resources using a device-level certificate.

Manifest Declaration

{
  "name": "My Certificate Authenticator",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "platformKeys"
  ]
}

Security & Privacy

Why is it risky?

This is a high-security permission, usually for corporate environments. It lets an extension use the digital certificates stored in your computer's hardware to prove your identity to other services, like a company VPN or secure website.

A malicious extension could use this to impersonate you and log into secure systems as if it were you. The API is designed to be safe by never exposing the raw private key, but giving an extension the ability to use that key is still very risky. You should only see this permission on a work computer for an extension installed by your IT department.

API Usage Example

This example demonstrates how to find a certificate and use it to sign some data.

// background.js

async function signDataWithCertificate() {
  if (!chrome.platformKeys) {
    console.log('Platform Keys API not available (ChromeOS only).');
    return;
  }
  try {
    // 1. Ask Chrome for matching client certs. With `interactive: true`,
    //    the user is prompted to choose one; with false, only certs the
    //    extension already has user grants for are returned.
    const matches = await chrome.platformKeys.selectClientCertificates({
      request: {
        certificateTypes: ['rsaSign'],
        // Each entry is a DER-encoded X.509 DistinguishedName (ArrayBuffer)
        // of a CA the server accepts, as in a TLS CertificateRequest.
        certificateAuthorities: [/* ArrayBuffer of a CA's DistinguishedName */]
      },
      interactive: true
    });
    if (matches.length === 0) {
      console.log('No matching certificate selected.');
      return;
    }
    const match = matches[0];

    // 2. Get a SubtleCrypto-shaped key handle for the selected cert.
    //    The hash is fixed here (it is not repeated in sign() below).
    //    The actual signing happens inside the platform key store; the
    //    extension never sees the raw private key.
    const keyPair = await chrome.platformKeys.getKeyPair(
      match.certificate,
      { name: match.keyAlgorithm.name, hash: { name: 'SHA-256' } }
    );

    // 3. Sign a challenge with that key handle via SubtleCrypto.
    const dataToSign = new Uint8Array(32); // e.g., a server challenge
    const signature = await chrome.platformKeys.subtleCrypto().sign(
      { name: 'RSASSA-PKCS1-v1_5' },
      keyPair.privateKey,
      dataToSign
    );

    console.log('Signature:', new Uint8Array(signature));
  } catch (error) {
    console.error('Signing failed:', error);
  }
}
