Permissions Requested
The extension uses the Chrome activeTab
permission, which grants access to the
current tab only when you click the extension icon. Access is revoked as soon as you
navigate away or close the tab.
- activeTab — read the URL of the tab you clicked on, so we can pre-fill verification.
- storage — remember your sign-in token locally (encrypted at rest by Chrome).
- No host permissions — the extension does not inject scripts into arbitrary sites.
What We Access
When you click the extension icon on a page, the extension reads the current tab's URL so it can offer to verify any EngineeringID seal codes present in the address. It does not read page HTML, DOM content, cookies, local storage, forms, or input fields.
The extension does not activate automatically. No background script reads your browsing.
Local Storage
The extension uses Chrome's storage.local
API to persist your authentication
session. The token is a short-lived JWT scoped to the extension; it cannot be used to access
your account from anywhere else.
Network Requests
The only external endpoint the extension contacts is api.engineeringid.com. All traffic is TLS 1.3. We publish a Content Security Policy in the extension manifest that prevents accidental exfiltration to other hosts.
Removing the Extension
Uninstalling the extension removes all local data. To also invalidate the session server-side, sign out of your EngineeringID account. You can revoke active sessions from Account → Security → Devices at any time.