Skip to content

Request for feedback: /.well-known/recover-account proposal #701

Description

@felipecpaiva

Hello WebAppSec maintainers,

I am requesting early implementation feedback on a proposal to standardize account-recovery discovery using /.well-known/recover-account.

This proposal is in active pre-Internet-Draft preparation, with reference implementations and tests available.

Request for feedback:

  1. Are the endpoint and redirect semantics specific enough for interoperable client behavior?
  2. Are security requirements (anti-enumeration, rate limiting, same-origin constraints) adequate and practical?
  3. What adoption blockers do you foresee for browsers, identity providers, and password managers?

Primary discussion and response template:

Spec source:

Thank you for any review or directional guidance.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions