FIDO2/WebAuthn PQC Developer Tools

Simple Authentication

Register and authenticate with passkeys using default presets.

Saved Credentials

No credentials registered yet.

Advanced Authentication

Configure WebAuthn registration and authentication requests with detailed settings.

User Identity
user.id
The user handle, given as a hex value of 1-64 bytes.
Authenticator Selection
authenticatorAttachment
Select whether an authenticator integrated into the client platform ("platform") or an external device ("cross-platform") should be used. If unspecified, either kind of authenticator is allowed. By default, a cross-platform authenticator is requested.
residentKey
A resident key can be used for "username-less" authentication, i.e., with an empty allowCredentials parameter.

If "discouraged", a non-resident key will be created if possible. If "preferred", a resident key will be created if possible. If "required", a resident key will be created and the user is shown an error if this fails. If unspecified, the default is "discouraged".
userVerification
Select whether user verification (UV), for example a PIN or biometric, should be used.

If "discouraged", UV will not be used if possible. If "preferred", UV will be used if possible. If "required", UV will be used and the user is shown an error if this fails. If no preference is set, the default is "preferred".
attestation
Select whether the Relying Party (RP) requires authenticator attestation. Attestation is a way to prove what kind of authenticator is used.

If "none", no authenticator attestation will be returned. If "indirect", some kind of attestation will be returned if possible, but it may be anonymized by an attestation proxy. If "direct", the authenticator's original attestation will be returned, if any. If "enterprise", the authenticator is requested to produce an individually identifying attestation. By default, "direct" is used.
excludeCredentials
Whether to include an excludeCredentials argument. This is used to prevent creating multiple credentials for the same account by excluding already registered credentials during registration.
Random excludeCredentials entry
Add a random credential ID of the given length to excludeCredentials. May be useful for testing edge cases and conformance.
Other Options
challenge
The cryptographic challenge to be signed by the authenticator, used to prevent replay attacks. Given as a hex value of at least 16 bytes; the Relying Party must generate a fresh challenge for every ceremony.
timeout
How long the Relying Party (RP) is willing to wait for the registration ceremony to complete. If the registration ceremony takes longer than this (or the adjusted value, in case the client overrides it), the ceremony will be aborted with a timeout message shown to the user. This may be silently overridden by the client.
pubKeyCredParams
The signature algorithms supported by the Relying Party (RP), in order of preference. The authenticator will choose the most preferred algorithm that it supports. It is recommended to include at least ES256, EdDSA and RS256.
PQC
hints
Registration hints to guide the user-agent in interacting with the user.

These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the Relying Party has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones.

Hints MAY contradict information contained in credential transports and authenticatorAttachment. When this occurs, the hints take precedence.
Extensions
credProps
Request the Credential Properties (credProps) extension. This extension may report properties such as whether a discoverable or non-discoverable credential was created.
minPinLength
Request the Minimum PIN Length Extension (minPinLength). This extension may report the authenticator's currently configured minimum PIN length if the Relying Party (RP) is authorized to receive this value.
credProtect
Request the Credential protection (credProtect) extension. This extension sets whether the authenticator requires user verification (UV) before revealing the existence of a credential. If it does, that also means that the authenticator requires UV before allowing authentication using that credential.
enforceCredentialProtectionPolicy
Whether to enforce the selected credProtect policy, if any, meaning the registration should fail rather than create a credential that does not satisfy the credProtect policy.

If this is checked and credProtect is set to userVerificationOptionalWithCredentialIDList or userVerificationRequired, and the authenticator cannot satisfy that policy, then the registration will fail. If this is not checked, the registration MAY proceed even if the authenticator cannot satisfy the chosen policy.
largeBlob
Request the Large blob storage (largeBlob) extension. This extension may be used to store arbitrary data with the credential.

If the authenticator supports the extension, an extension output of largeBlob: { supported: true } will be returned. Use the largeBlob extension during an authentication ceremony to read or write the BLOB value.
prf
Request the Pseudo-random function (prf) extension. This extension may be used to derive deterministically-random values to use as key material, for example.

With CTAP authenticators, this requires that the authenticator supports the hmac-secret extension.

Many authenticators support evaluating the PRF only in authentication ceremonies, in which case the PRF extension output is just prf: { enabled: true } without any PRF outputs. To evaluate the PRF, perform an authentication ceremony with the same PRF inputs.
prf.eval.first
The first prf extension input to evaluate, given as a hex value of exactly 32 bytes. If set, the client extension outputs will include a prf.results.first output if the client and authenticator both support the extension.
prf.eval.second
The second prf extension input to evaluate, given as a hex value of exactly 32 bytes. If set, the client extension outputs will include a prf.results.second output if the client and authenticator both support the extension.

This is optional and can be used alongside the first PRF evaluation input for additional key derivation capabilities.
Credential Selection
userVerification
Select whether user verification (UV), for example a PIN or biometric, should be used.

If "discouraged", UV will not be used if possible. If "preferred", UV will be used if possible. If "required", UV will be used and the user is shown an error if this fails. If no preference is set, the default is "preferred".
allowCredentials
Choose how to set the allowCredentials argument. This is used to select which credentials are eligible for this assertion, and to provide key handles for server-side credentials. This typically means that the user needs to be identified before issuing the WebAuthn challenge, so that the Relying Party (RP) can retrieve the correct allowCredentials values.

Select "All" to include all credentials registered in the session (see the pane on the right).

Select "Empty" to remove the allowCredentials argument. This means that only discoverable credentials can be used for the assertion.

Select a saved credential option to include only the specific chosen credential.
Random allowCredentials entry
Add a random credential ID of the given length to allowCredentials. May be useful for testing edge cases and conformance.
Other Options
challenge
The cryptographic challenge to be signed by the authenticator, used to prevent replay attacks. Given as a hex value of at least 16 bytes; the Relying Party must generate a fresh challenge for every ceremony.
timeout
How long the Relying Party (RP) is willing to wait for the authentication ceremony to complete. If the authentication ceremony takes longer than this (or the adjusted value, in case the client overrides it), the ceremony will be aborted with a timeout message shown to the user. This may be silently overridden by the client.
hints
Authentication hints to guide the user-agent in interacting with the user.

These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the Relying Party has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones.

Hints MAY contradict information contained in credential transports and authenticatorAttachment. When this occurs, the hints take precedence.
Extensions
largeBlob
Request the Large blob storage (largeBlob) extension. This extension may be used to store arbitrary data with the credential.

If set to "read", the output will be of the form largeBlob: { blob: ArrayBuffer } if both client and authenticator support the extension and the authenticator contains a matching BLOB value. Otherwise the output will be largeBlob: {} if the client supports the extension.

If set to "write", the output will be largeBlob: { written: true } if the BLOB was successfully written to the authenticator, and otherwise largeBlob: { written: false } if the client supports the extension.

If the client does not support the extension, no largeBlob output will be present.
largeBlob write value
The BLOB value to write to the authenticator, given as a hex value. Only used when largeBlob is set to "write".
prf.eval.first
Request the Pseudo-random function (prf) extension and set the first prf extension input to evaluate, given as a hex value of exactly 32 bytes. This extension may be used to derive deterministically-random values to use as key material, for example.

If set, the client extension outputs will include a prf.results.first output if the client and authenticator both support the extension.
prf.eval.second
The second prf extension input to evaluate, given as a hex value of exactly 32 bytes. If set, the client extension outputs will include a prf.results.second output if the client and authenticator both support the extension.

A second output may be useful to rotate key material via a single WebAuthn ceremony.


JSON Editor

Codec

Decode or encode WebAuthn payloads to inspect their underlying data formats.

Recognized formats:

  • PublicKeyCredential: JSON
  • attestationObject: binary (CBOR)
  • authenticatorData: binary
  • WebAuthn client data (clientDataJSON): JSON or binary
  • X.509 certificate: PEM, binary-wrapped PEM, or binary (DER)
  • JSON: plain or binary
  • CBOR: binary CTAP/WebAuthn data

All binary values may be base64, base64url, or hex, ignoring all whitespace.

Hex also ignores : characters.
