Sec-Private-State-Token-Lifetime header

The HTTP Sec-Private-State-Token-Lifetime Response Header is used by the Private State Token API during token redemption. It is sent by the redeemer server to indicate to the browser how long (in seconds) a redemption record should be cached for. The redemption record itself is sent in a Sec-Private-State-Token response header.

If the Sec-Private-State-Token-Lifetime header is omitted, the lifetime of the redemption record will be tied to the lifetime of the token verification key that confirmed the redeemed token's issuance.

Header type	Response Header
CORS-safelisted request header	No

Syntax

http

Sec-Private-State-Token-Lifetime: <integer>

Servers should ignore this header if it contains any other value.

Directives

<integer>: An integer specifying the lifetime of the sent redemption record in seconds.

Examples

http

Sec-Private-State-Token-Lifetime: 604800

Specifications

Specification
Private State Token API # sec-private-state-token-lifetime

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Dec 16, 2025⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content