Simple Authentication
Register and authenticate with passkeys using default presets.
Saved Credentials
No credentials registered yet.
Advanced Authentication
Configure WebAuthn registration and authentication requests with detailed settings.
User Identity
Authenticator Selection
Select whether an authenticator integrated into the client platform ("platform") or an external device ("cross-platform") should be used. If unspecified, either kind of authenticator is allowed. By default, a cross-platform authenticator is requested.
A resident key can be used for "username-less" authentication, i.e., with an empty allowCredentials parameter.
If "discouraged", a non-resident key will be created if possible. If "preferred", a resident key will be created if possible. If "required", a resident key will be created and the user is shown an error if this fails. If unspecified, the default is "discouraged".
Select whether user verification (UV), for example a PIN or biometric, should be used.
If "discouraged", UV will not be used if possible. If "preferred", UV will be used if possible. If "required", UV will be used and the user is shown an error if this fails. If no preference is set, the default is "preferred".
Select whether the Relying Party (RP) requires authenticator attestation. Attestation is a way to prove what kind of authenticator is used.
If "none", no authenticator attestation will be returned. If "indirect", some kind of attestation will be returned if possible, but it may be anonymized by an attestation proxy. If "direct", the authenticator's original attestation will be returned, if any. If "enterprise", the authenticator is requested to produce an individually identifying attestation. By default, "direct" is used.
Whether to include an excludeCredentials argument. This is used to prevent creating multiple credentials for the same account by excluding already registered credentials during registration.
Add a random credential ID of the given length to excludeCredentials. May be useful for testing edge cases and conformance.
Other Options
The cryptographic challenge to be signed by the authenticator, used to prevent replay attacks.
Invalid hex value (minimum 16 bytes required)
How long the Relying Party (RP) is willing to wait for the registration ceremony to complete. If the registration ceremony takes longer than this (or the adjusted value, in case the client overrides it), the ceremony will be aborted with a timeout message shown to the user. This may be silently overridden by the client.
The signature algorithms supported by the Relying Party (RP). The authenticator chooses the most preferred algorithm that it supports. It is recommended to include at least ES256, EdDSA and RS256.
PQC
Registration hints to guide the user-agent in interacting with the user.
These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the Relying Party has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones.
Hints MAY contradict information contained in credential transports and authenticatorAttachment. When this occurs, the hints take precedence.
Extensions
Request the Credential Properties (credProps) extension. This extension may report properties such as whether a discoverable or non-discoverable credential was created.
Request the Minimum PIN Length Extension (minPinLength). This extension may report the authenticator's currently configured minimum PIN length if the Relying Party (RP) is authorized to receive this value.
Request the Credential protection (credProtect) extension. This extension sets whether the authenticator requires user verification (UV) before revealing the existence of a credential. If it does, that also means that the authenticator requires UV before allowing authentication using that credential.
Whether to enforce the selected credProtect policy, if any, meaning the registration should fail rather than create a credential that does not satisfy the credProtect policy.
If this is checked and credProtect is set to userVerificationOptionalWithCredentialIDList or userVerificationRequired, and the authenticator cannot satisfy that policy, then the registration will fail. If this is not checked, the registration MAY proceed even if the authenticator cannot satisfy the chosen policy.
Request the Large blob storage (largeBlob) extension. This extension may be used to store arbitrary data with the credential.
If the authenticator supports the extension, an extension output of largeBlob: { supported: true } will be returned. Use the largeBlob extension during an authentication ceremony to read or write the BLOB value.
Request the Pseudo-random function (prf) extension. This extension may be used to derive deterministically-random values to use as key material, for example.
With CTAP authenticators, this requires that the authenticator supports the hmac-secret extension.
Many authenticators support evaluating the PRF only in authentication ceremonies, in which case the PRF extension output is just prf: { enabled: true } without any PRF outputs. To evaluate the PRF, perform an authentication ceremony with the same PRF inputs.
The first prf extension input to evaluate. If set, the client extension outputs will include a prf.results.first output if the client and authenticator both support the extension.
Many authenticators support evaluating the PRF only in authentication ceremonies, in which case the PRF extension output is just prf: { enabled: true } without any PRF outputs. To evaluate the PRF, perform an authentication ceremony with the same PRF inputs.
Invalid hex value (exactly 32 bytes required)
The second prf extension input to evaluate. If set, the client extension outputs will include a prf.results.second output if the client and authenticator both support the extension.
This is optional and can be used alongside the first PRF evaluation input for additional key derivation capabilities.
Invalid hex value (exactly 32 bytes required)
Credential Selection
Select whether user verification (UV), for example a PIN or biometric, should be used.
If "discouraged", UV will not be used if possible. If "preferred", UV will be used if possible. If "required", UV will be used and the user is shown an error if this fails. If no preference is set, the default is "preferred".
Choose how to set the allowCredentials argument. This is used to select which credentials are eligible for this assertion, and to provide key handles for server-side credentials. This typically means that the user needs to be identified before issuing the WebAuthn challenge, so that the Relying Party (RP) can retrieve the correct allowCredentials values.
Select "All" to include all credentials registered in the session (see the pane on the right).
Select "Empty" to remove the allowCredentials argument. This means that only discoverable credentials can be used for the assertion.
Select a saved credential option to include only the specific chosen credential.
Add a random credential ID of the given length to allowCredentials. May be useful for testing edge cases and conformance.
Other Options
The cryptographic challenge to be signed by the authenticator, used to prevent replay attacks.
Invalid hex value (minimum 16 bytes required)
How long the Relying Party (RP) is willing to wait for the authentication ceremony to complete. If the authentication ceremony takes longer than this (or the adjusted value, in case the client overrides it), the ceremony will be aborted with a timeout message shown to the user. This may be silently overridden by the client.
Registration hints to guide the user-agent in interacting with the user.
These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the Relying Party has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones.
Hints MAY contradict information contained in credential transports and authenticatorAttachment. When this occurs, the hints take precedence.
The hashing algorithm to use when hashing the client data JSON during assertion verification. This is a developer tool feature that allows testing different hash algorithms in the signature verification process.
Extensions
Request the Large blob storage (largeBlob) extension. This extension may be used to store arbitrary data with the credential.
If set to "read", the output will be of the form largeBlob: { blob: ArrayBuffer } if both client and authenticator support the extension and the authenticator contains a matching BLOB value. Otherwise the output will be largeBlob: {} if the client supports the extension.
If set to "write", the output will be largeBlob: { written: true } if the BLOB was successfully written to the authenticator, and otherwise largeBlob: { written: false } if the client supports the extension.
If the client does not support the extension, no largeBlob output will be present.
No largeBlob capable credentials available
The BLOB value to write to the authenticator.
Invalid hex value
Request the Pseudo-random function (prf) extension and set the first prf extension input to evaluate. This extension may be used to derive deterministically-random values to use as key material, for example.
If set, the client extension outputs will include a prf.results.first output if the client and authenticator both support the extension.
Invalid hex value (exactly 32 bytes required)
Selected credential does not support the prf extension.
The second prf extension input to evaluate. If set, the client extension outputs will include a prf.results.second output if the client and authenticator both support the extension.
A second output may be useful to rotate key material via a single WebAuthn ceremony.
Invalid hex value (exactly 32 bytes required)
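The authentication settings described above, assembled into the `publicKey` argument for `navigator.credentials.get()`. This is an added example, not this tool's own code: the function names and the `settings` keys are hypothetical, and the byte-length rules are the ones this page's validation messages state.

```javascript
// Added example, not the demo's own code. Setting names are hypothetical.

// Decode hex, enforcing the byte-length rules from this page's validation messages.
function hexToBytes(hex, { min = 0, exact = null, field = "value" } = {}) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error(`${field}: invalid hex value`);
  }
  const bytes = Uint8Array.from(hex.match(/../g) ?? [], (pair) => parseInt(pair, 16));
  if (exact !== null && bytes.length !== exact) {
    throw new Error(`${field}: exactly ${exact} bytes required`);
  }
  if (bytes.length < min) throw new Error(`${field}: minimum ${min} bytes required`);
  return bytes;
}

// Build the `publicKey` member passed to navigator.credentials.get().
function buildRequestOptions(settings, savedCredentialIds = []) {
  const options = {
    challenge: hexToBytes(settings.challengeHex, { min: 16, field: "challenge" }),
    userVerification: settings.userVerification ?? "preferred", // default stated on this page
  };
  if (settings.timeoutMs !== undefined) options.timeout = settings.timeoutMs;
  if (settings.hints?.length) options.hints = [...settings.hints]; // most preferred first

  // "all": every saved credential; "empty": omit the argument, so only
  // discoverable credentials can be used; otherwise: one saved credential ID.
  const mode = settings.allowCredentials ?? "empty";
  const descriptor = (idHex) => ({
    type: "public-key",
    id: hexToBytes(idHex, { min: 1, field: "credential ID" }),
  });
  if (mode === "all") {
    options.allowCredentials = savedCredentialIds.map(descriptor);
  } else if (mode !== "empty") {
    if (!savedCredentialIds.includes(mode)) throw new Error("credential is not saved");
    options.allowCredentials = [descriptor(mode)];
  }

  // prf: `first` is mandatory whenever the extension is evaluated; `second`
  // yields a second output in the same ceremony (useful for key rotation).
  if (settings.prfSecondHex && !settings.prfFirstHex) {
    throw new Error("prf: second input requires a first input");
  }
  if (settings.prfFirstHex) {
    const inputs = { first: hexToBytes(settings.prfFirstHex, { exact: 32, field: "prf first" }) };
    if (settings.prfSecondHex) {
      inputs.second = hexToBytes(settings.prfSecondHex, { exact: 32, field: "prf second" });
    }
    options.extensions = { prf: { eval: inputs } };
  }
  return options;
}

// Constructed sample values, for illustration only.
const sampleSaved = ["a1b2c3d4", "0011223344556677"];
const sampleOptions = buildRequestOptions(
  { challengeHex: "00112233445566778899aabbccddeeff", allowCredentials: "all",
    hints: ["security-key", "hybrid"], prfFirstHex: "11".repeat(32), prfSecondHex: "22".repeat(32) },
  sampleSaved,
);
```

In a browser, the returned object is passed as `navigator.credentials.get({ publicKey: options })`.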
JSON Editor
Codec
Decode or encode WebAuthn payloads to inspect their underlying data formats.
Supported Inputs:
- JSON: PublicKeyCredential (registration), PublicKeyCredential (authentication), Generic JSON payloads
- JSON (binary): clientDataJSON, Generic JSON payloads
- CBOR: Attestation objects, CTAP makeCredential request, CTAP makeCredential response, CTAP getAssertion request, CTAP getAssertion response, Generic CBOR payloads
- Binary: Authenticator data, Signature fields, Unclassified binary summaries
- PEM: X.509 certificates, Certificate chains
- DER: X.509 certificates
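A decoder for the fixed-layout part of the "Authenticator data" input listed above, with the check a Relying Party makes when user verification is set to "required". This is an added example, not the Codec's own implementation; the function names and the sample bytes are constructed for illustration.

```javascript
// Added example, not this tool's code. Flag bit positions follow the WebAuthn
// authenticator data layout: rpIdHash (32) | flags (1) | signCount (4, big-endian).
const AUTH_DATA_FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = {};
  for (const [name, bit] of Object.entries(AUTH_DATA_FLAGS)) {
    flags[name] = (bytes[32] & bit) !== 0;
  }
  const parsed = { rpIdHash: bytes.slice(0, 32), flags, signCount: view.getUint32(33, false) };

  if (flags.AT) {
    // Attested credential data: AAGUID (16) | credentialIdLength (2) | credentialId | COSE key.
    if (bytes.length < 55) throw new Error("AT flag set but attested credential data is truncated");
    const idLength = view.getUint16(53, false);
    if (bytes.length < 55 + idLength) throw new Error("credential ID runs past the end of the data");
    parsed.aaguid = bytes.slice(37, 53);
    parsed.credentialId = bytes.slice(55, 55 + idLength);
    // The COSE public key and any extension outputs that follow are CBOR and
    // need a CBOR decoder; they are left unparsed here.
  } else if (!flags.ED && bytes.length !== 37) {
    throw new Error("trailing bytes present but neither AT nor ED flag is set");
  }
  return parsed;
}

// Server-side enforcement of the requested UV policy: the client shows an error
// when "required" cannot be met, but the RP must still check the signed UV flag.
function meetsUserVerificationPolicy(authData, policy) {
  const { flags } = parseAuthenticatorData(authData);
  return policy === "required" ? flags.UV : true;
}

// Constructed sample: registration-style data with UP, UV and AT set (0x45).
function sampleAuthenticatorData() {
  const sample = new Uint8Array(37 + 16 + 2 + 4 + 3);
  sample.fill(0xab, 0, 32);                   // stand-in for SHA-256 of the RP ID
  sample[32] = 0x45;                          // UP | UV | AT
  sample.set([0x00, 0x00, 0x00, 0x05], 33);   // signCount = 5
  sample.fill(0x11, 37, 53);                  // stand-in AAGUID
  sample.set([0x00, 0x04], 53);               // credentialIdLength = 4
  sample.set([0xde, 0xad, 0xbe, 0xef], 55);   // stand-in credential ID
  return sample;                              // last 3 bytes stand in for the CBOR key
}
```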
Codec Output