| Internet-Draft | WTX-1 | February 2026 |
| Surampudi | Expires 24 August 2026 | [Page] |
This document defines the WTX-1 (WaiTag Transfer Protocol, version 1) for preserving pseudonymous user context across unrelated web domains without third-party cookies, browser fingerprinting, login requirements, or personal data collection. The protocol uses cryptographically generated pseudonymous identifiers (WaiTags), URL hash fragment transport, server-side verification, and DNS-based domain authorization to enable privacy-respecting cross-domain analytics.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Third-party cookies have been the primary mechanism for cross-domain user identification since the 1990s. With Safari's Intelligent Tracking Prevention (ITP [ITP]) deployed in 2017, Firefox Enhanced Tracking Protection (ETP) in 2019, and Chrome's Privacy Sandbox initiative beginning in 2024, this mechanism is being eliminated across all major browsers.¶
When a user navigates from one domain to an unrelated domain (different effective top-level domain plus one label, or eTLD+1), analytics systems lose the ability to understand that the same visitor made both visits. This creates blind spots in patient journey analytics across healthcare providers, financial customer experience across banking portals, government service usage across agency domains, and multi-brand retail analytics.¶
Existing solutions have significant limitations: browser fingerprinting is ethically problematic and legally risky; login-based identity excludes anonymous visitors; first-party data sharing requires business partnerships and PII exchange; Privacy Sandbox Topics API is coarse-grained, advertising-focused, and Chrome-only.¶
WTX-1 addresses these limitations by defining a protocol that:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The WTX-1 protocol operates in seven steps across three participants: the origin domain, the destination domain, and the verification server.¶
Domain A Verification Domain B
(Origin) Server (Destination)
| | |
1. User visits | |
2. Generate WaiTag | |
3. Register WaiTag ---->| |
| 4. Store WaiTag |
| | |
5. User clicks link | |
to Domain B | |
6. Request token ------>| |
| 7. Verify DNS |
| authorization |
|<--------- 8. Return signed token |
| | |
9. Append token to | |
URL hash fragment | |
| | |
|--- User navigates to Domain B ----------->|
| | |
| | 10. Read token |
| | from hash |
| |<---- 11. Verify token |
| | |
| 12. Check signature, |
| expiry, domain |
| | |
| |----> 13. Return |
| | identity |
| | |
| | 14. Restore WaiTag |
| | Clean URL |
A WaiTag has the following structure:¶
wai_<timestamp>_<random><domain_hash>¶
| Component | Encoding | Length | Source |
|---|---|---|---|
| Prefix | ASCII | 4 chars | Literal "wai_" |
| Timestamp | Base-36 | ~8 chars | Current time in milliseconds |
| Separator | ASCII | 1 char | Literal "_" |
| Random ID | Base-36 | 11 chars | crypto.getRandomValues (8 bytes) |
| Domain Hash | Hex | 8 chars | One-way hash of hostname |
A WaiTag has the following properties:¶
Implementations MUST generate WaiTags using crypto.getRandomValues [W3C-WebCryptoAPI] or an equivalent cryptographically secure pseudorandom number generator (CSPRNG). If the Web Crypto API is not available, implementations MAY fall back to Math.random, but SHOULD log a warning indicating reduced randomness quality.¶
The cross-domain token MUST be transported via URL hash fragment as the primary mechanism:¶
https://destination.example.com/page#nylo_token=<signed_token>¶
Hash fragments (the portion of a URL after "#") are processed entirely client-side per [RFC3986] Section 3.5. They are:¶
This provides a stronger privacy guarantee than URL query parameters, which are transmitted to the server and commonly logged.¶
If hash fragment transport is not feasible (e.g., the destination URL uses hash-based client-side routing), the token MAY be transported as a query parameter:¶
https://destination.example.com/page?nylo_token=<signed_token>¶
Implementations using query parameter transport SHOULD remove the token from the URL immediately after reading it, using the History API (history.replaceState) to clean the URL without triggering a page reload.¶
Implementations MUST accept both of the following parameter names for cross-domain tokens:¶
After reading a cross-domain token from the URL, the client MUST remove it from the URL to prevent:¶
The client SHOULD use history.replaceState to remove the token without causing a navigation event or page reload.¶
A cross-domain token encodes the following fields:¶
| Field | Description |
|---|---|
| waiTag | The pseudonymous identifier to transfer |
| sessionId | The session identifier from the origin domain |
| originDomain | The domain that issued the token |
| destinationDomain | The intended recipient domain |
| issuedAt | UTC timestamp of token creation |
| expiresAt | UTC timestamp of token expiry |
| signature | Server-generated signature (HMAC or implementation-defined) |
The token encoding format is implementation-defined. Common choices include JSON Web Tokens (JWT) [RFC7519] and opaque server-side tokens with a lookup key.¶
The verification server MUST check:¶
The verification server SHOULD also check:¶
The verification endpoint accepts a POST request with Content-Type application/json containing the token, the requesting domain, a customer identifier, and the HTTP Referer value.¶
Request body:¶
{
"token": "<signed_token>",
"domain": "destination.example.com",
"customerId": "<customer_id>",
"referrer": "https://origin.example.com/page"
}
¶
Success response:¶
{
"success": true,
"identity": {
"sessionId": "<session_id>",
"waiTag": "<wai_tag>",
"userId": null
}
}
¶
Failure response:¶
{
"success": false,
"error": "TOKEN_EXPIRED"
}
¶
The client SHOULD store identity data using multiple mechanisms for resilience against browser storage restrictions:¶
| Layer | Mechanism | Persistence | ITP Impact |
|---|---|---|---|
| 1 | First-party cookie | 24h (JS-set under ITP) | Capped at 7 days |
| 2 | localStorage | Until cleared | Partitioned by eTLD+1 |
| 3 | sessionStorage | Tab lifetime | Unaffected |
When restoring identity, the client reads in order: cookie, localStorage, sessionStorage. The first valid result is used.¶
The stored identity record contains:¶
{
"sessionId": "<secure_id>",
"waiTag": "<wai_tag>",
"userId": null,
"domain": "example.com",
"createdAt": "2026-02-20T12:00:00.000Z",
"integrity": "<hash>"
}
¶
The "integrity" field is a one-way hash of the session ID, domain, WaiTag, and customer ID, used to detect tampering.¶
Data stored in localStorage SHOULD be encoded with a customer-specific salt and timestamp to prevent casual inspection. This is obfuscation, not cryptographic security. The stored data contains no PII regardless of encoding.¶
Implementations MUST provide a consent API that integrates with Consent Management Platforms (CMPs). The API MUST support the following operations:¶
When consent is denied, the client MUST operate in anonymous mode with the following behavior:¶
When consent is granted after starting in anonymous mode:¶
WaiTags are designed to fall outside the GDPR [GDPR] definition of "personal data" as defined in Article 4(1) of Regulation (EU) 2016/679 because they contain no information derived from a natural person, cannot be reversed or cross-referenced to identify someone, and are not deterministic across sessions.¶
However, the classification of pseudonymous identifiers under data protection law varies by jurisdiction and is subject to evolving regulatory interpretation. Implementers SHOULD consult local legal counsel. The anonymous mode provides a conservative fallback for jurisdictions where pseudonymous identifiers may be considered personal data.¶
Servers implementing WTX-1 SHOULD set the following security-related response headers:¶
This document has no IANA actions.¶
If this protocol achieves broader adoption, the following registrations may be requested in future revisions:¶
WTX-1 is designed from the ground up to preserve user privacy while enabling cross-domain analytics. This section details the privacy properties, guarantees, and limitations of the protocol.¶
WaiTags are pseudonymous identifiers generated using cryptographically secure random number generators (window.crypto.getRandomValues). They contain no embedded personal information, device characteristics, or derivable real-world identity. A WaiTag cannot be reversed to identify a natural person without access to a separate mapping table, which the protocol does not define or require.¶
Under GDPR, pseudonymous identifiers are still considered personal data when they can be attributed to a natural person by using additional information. Implementors MUST ensure that any additional information that could link a WaiTag to a natural person is kept separately and subject to appropriate technical and organizational measures.¶
Implementations SHOULD provide users with clear mechanisms to:¶
When a user denies consent, the protocol MUST degrade gracefully to anonymous mode where no cross-domain tokens are generated or accepted, and only aggregate, non-identifiable analytics are collected.¶
The protocol follows the principle of data minimization as required by GDPR Article 5(1)(c). Cross-domain tokens contain only the minimum fields necessary for identity verification: a WaiTag, session identifier, optional user identifier, source domain, expiration timestamp, and cryptographic signature. No behavioral data, page content, or interaction history is included in the token.¶
Cross-domain identity sharing is limited to domains that have been explicitly authorized via DNS TXT records. This prevents a domain from being included in a tracking network without the domain owner's explicit consent. The DNS verification mechanism ensures that only organizations with administrative control over a domain can authorize it for cross-domain identity sharing.¶
Implementations MUST NOT allow wildcard domain authorization or open enrollment of domains into a tracking network.¶
WTX-1 is designed to operate within the following regulatory frameworks:¶
Implementors are responsible for ensuring their specific deployment complies with applicable local regulations, as the protocol alone does not guarantee regulatory compliance.¶
While WTX-1 provides strong privacy guarantees, the following residual risks should be acknowledged:¶
| Property | 3P Cookies | Fingerprinting | Login-Based | WTX-1 |
|---|---|---|---|---|
| Cross eTLD+1 | Yes (deprecated) | Yes | Yes | Yes |
| Requires login | No | No | Yes | No |
| Collects PII | Varies | Yes | Yes | No |
| Browser support | Declining | Declining | Universal | Universal |
| Consent required | Yes | Yes | Varies | Recommended |
| Works on Safari | No (ITP) | Partially | Yes | Yes (degraded) |
WTX-1 was developed as part of the Nylo project to address the analytics gap created by the deprecation of third-party cookies, with a focus on privacy-respecting solutions for regulated industries including healthcare, finance, and government.¶