<!doctype html><html lang="en-US" prefix="og: https://ogp.me/ns#"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="https://developer.mozilla.org/favicon-48x48.bc390275e955dacb2e65.png"/><link rel="apple-touch-icon" href="https://developer.mozilla.org/apple-touch-icon.528534bba673c38049c2.png"/><meta name="theme-color" content="#ffffff"/><link rel="manifest" href="https://developer.mozilla.org/manifest.f42880861b394dd4dc9b.json"/><link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="MDN Web Docs"/><title>Web Authentication API - Web APIs | MDN</title><link rel="alternate" title="Web Authentication API" href="https://developer.mozilla.org/de/docs/Web/API/Web_Authentication_API" hrefLang="de"/><link rel="alternate" title="API Web Authentication" href="https://developer.mozilla.org/fr/docs/Web/API/Web_Authentication_API" hrefLang="fr"/><link rel="alternate" title="ウェブ認証 API" href="https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API" hrefLang="ja"/><link rel="alternate" title="Web Authentication API" href="https://developer.mozilla.org/zh-CN/docs/Web/API/Web_Authentication_API" hrefLang="zh"/><link rel="alternate" title="Web Authentication API" href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API" hrefLang="en"/><link rel="preload" as="font" type="font/woff2" href="/static/media/Inter.var.c2fe3cb2b7c746f7966a.woff2" crossorigin=""/><link rel="alternate" type="application/rss+xml" title="MDN Blog RSS Feed" href="https://developer.mozilla.org/en-US/blog/rss.xml" hrefLang="en"/><meta name="description" content="The Web Authentication API (WebAuthn) is an extension of the Credential Management API that enables strong authentication with public key cryptography, enabling passwordless authentication and secure multi-factor authentication (MFA) without SMS texts."/><meta property="og:url" content="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API"/><meta property="og:title" content="Web Authentication API - Web APIs | MDN"/><meta property="og:type" content="website"/><meta property="og:locale" content="en_US"/><meta property="og:description" content="The Web Authentication API (WebAuthn) is an extension of the Credential Management API that enables strong authentication with public key cryptography, enabling passwordless authentication and secure multi-factor authentication (MFA) without SMS texts."/><meta property="og:image" content="https://developer.mozilla.org/mdn-social-share.d893525a4fb5fb1f67a2.png"/><meta property="og:image:type" content="image/png"/><meta property="og:image:height" content="1080"/><meta property="og:image:width" content="1920"/><meta property="og:image:alt" content="The MDN Web Docs logo, featuring a blue accent color, displayed on a solid black background."/><meta property="og:site_name" content="MDN Web Docs"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:creator" content="MozDevNet"/><link rel="canonical" href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API"/><style media="print">.article-actions-container,.document-toc-container,.language-menu,.main-menu-toggle,.on-github,.page-footer,.place,.sidebar,.top-banner,.top-navigation-main,ul.prev-next{display:none!important}.main-page-content,.main-page-content pre{padding:2px}.main-page-content pre{border-left-width:2px}</style><script src="/static/js/gtag.js" defer=""></script><script defer="" src="/static/js/main.95536068.js"></script><link href="/static/css/main.959b5ea9.css" rel="stylesheet"/></head><body><script>if(document.body.addEventListener("load",(t=>{t.target.classList.contains("interactive")&&t.target.setAttribute("data-readystate","complete")}),{capture:!0}),window&&document.documentElement){const t={light:"#ffffff",dark:"#1b1b1b"};try{const e=window.localStorage.getItem("theme");e&&(document.documentElement.className=e,document.documentElement.style.backgroundColor=t[e]);const o=window.localStorage.getItem("nop");o&&(document.documentElement.dataset.nop=o)}catch(t){console.warn("Unable to read theme from localStorage",t)}}</script><div id="root"><ul id="nav-access" class="a11y-nav"><li><a id="skip-main" href="#content">Skip to main content</a></li><li><a id="skip-search" href="#top-nav-search-input">Skip to search</a></li><li><a id="skip-select-language" href="#languages-switcher-button">Skip to select language</a></li></ul><div class="page-wrapper category-api document-page"><div class="top-banner loading"><section class="place top container"></section></div><div class="sticky-header-container"><header class="top-navigation "><div class="container "><div class="top-navigation-wrap"><a href="/en-US/" class="logo" aria-label="MDN homepage"><svg id="mdn-docs-logo" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 694.9 104.4" style="enable-background:new 0 0 694.9 104.4" xml:space="preserve" role="img"><title>MDN Web Docs</title><path d="M40.3 0 11.7 92.1H0L28.5 0h11.8zm10.4 0v92.1H40.3V0h10.4zM91 0 62.5 92.1H50.8L79.3 0H91zm10.4 0v92.1H91V0h10.4z" class="logo-m"></path><path d="M627.9 95.6h67v8.8h-67v-8.8z" class="logo-_"></path><path d="M367 42h-4l-10.7 30.8h-5.5l-10.8-26h-.4l-10.5 26h-5.2L308.7 42h-3.8v-5.6H323V42h-6.5l6.8 20.4h.4l10.3-26h4.7l11.2 26h.5l5.7-20.3h-6.2v-5.6H367V42zm34.9 20c-.4 3.2-2 5.9-4.7 8.2-2.8 2.3-6.5 3.4-11.3 3.4-5.4 0-9.7-1.6-13.1-4.7-3.3-3.2-5-7.7-5-13.7 0-5.7 1.6-10.3 4.7-14s7.4-5.5 12.9-5.5c5.1 0 9.1 1.6 11.9 4.7s4.3 6.9 4.3 11.3c0 1.5-.2 3-.5 4.7h-25.6c.3 7.7 4 11.6 10.9 11.6 2.9 0 5.1-.7 6.5-2 1.5-1.4 2.5-3 3-4.9l6 .9zM394 51.3c.2-2.4-.4-4.7-1.8-6.9s-3.8-3.3-7-3.3c-3.1 0-5.3 1-6.9 3-1.5 2-2.5 4.4-2.8 7.2H394zm51 2.4c0 5-1.3 9.5-4 13.7s-6.9 6.2-12.7 6.2c-6 0-10.3-2.2-12.7-6.7-.1.4-.2 1.4-.4 2.9s-.3 2.5-.4 2.9h-7.3c.3-1.7.6-3.5.8-5.3.3-1.8.4-3.7.4-5.5V22.3h-6v-5.6H416v27c1.1-2.2 2.7-4.1 4.7-5.7 2-1.6 4.8-2.4 8.4-2.4 4.6 0 8.4 1.6 11.4 4.7 3 3.2 4.5 7.6 4.5 13.4zm-7.7.6c0-4.2-1-7.4-3-9.5-2-2.2-4.4-3.3-7.4-3.3-3.4 0-6 1.2-8 3.7-1.9 2.4-2.9 5-3 7.7V57c0 3 1 5.6 3 7.7s4.5 3.1 7.6 3.1c3.6 0 6.3-1.3 8.1-3.9 1.8-2.7 2.7-5.9 2.7-9.6zm69.2 18.5h-13.2v-7.2c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2 5.7 0 9.8 2.2 12.3 6.5V22.3h-8.6v-5.6h15.8v50.6h6v5.5zM493.2 56v-4.4c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm53.1-1.4c0 5.6-1.8 10.2-5.3 13.7s-8.2 5.3-13.9 5.3-10.1-1.7-13.4-5.1c-3.3-3.4-5-7.9-5-13.5 0-5.3 1.6-9.9 4.7-13.7 3.2-3.8 7.9-5.7 14.2-5.7s11 1.9 14.1 5.7c3 3.7 4.6 8.1 4.6 13.3zm-7.7-.2c0-4-1-7.2-3-9.5s-4.8-3.5-8.2-3.5c-3.6 0-6.4 1.2-8.3 3.7s-2.9 5.6-2.9 9.5c0 3.7.9 6.8 2.8 9.4 1.9 2.6 4.6 3.9 8.3 3.9 3.6 0 6.4-1.3 8.4-3.8 1.9-2.6 2.9-5.8 2.9-9.7zm45 5.8c-.4 3.2-1.9 6.3-4.4 9.1-2.5 2.9-6.4 4.3-11.8 4.3-5.2 0-9.4-1.6-12.6-4.8-3.2-3.2-4.8-7.7-4.8-13.7 0-5.5 1.6-10.1 4.7-13.9 3.2-3.8 7.6-5.7 13.2-5.7 2.3 0 4.6.3 6.7.8 2.2.5 4.2 1.5 6.2 2.9l1.5 9.5-5.9.7-1.3-6.1c-2.1-1.2-4.5-1.8-7.2-1.8-3.5 0-6.1 1.2-7.7 3.7-1.7 2.5-2.5 5.7-2.5 9.6 0 4.1.9 7.3 2.7 9.5 1.8 2.3 4.4 3.4 7.8 3.4 5.2 0 8.2-2.9 9.2-8.8l6.2 1.3zm34.7 1.9c0 3.6-1.5 6.5-4.6 8.5s-7 3-11.7 3c-5.7 0-10.6-1.2-14.6-3.6l1.2-8.8 5.7.6-.2 4.7c1.1.5 2.3.9 3.6 1.1s2.6.3 3.9.3c2.4 0 4.5-.4 6.5-1.3 1.9-.9 2.9-2.2 2.9-4.1 0-1.8-.8-3.1-2.3-3.8s-3.5-1.3-5.8-1.7-4.6-.9-6.9-1.4c-2.3-.6-4.2-1.6-5.7-2.9-1.6-1.4-2.3-3.5-2.3-6.3 0-4.1 1.5-6.9 4.6-8.5s6.4-2.4 9.9-2.4c2.6 0 5 .3 7.2.9 2.2.6 4.3 1.4 6.1 2.4l.8 8.8-5.8.7-.8-5.7c-2.3-1-4.7-1.6-7.2-1.6-2.1 0-3.7.4-5.1 1.1-1.3.8-2 2-2 3.8 0 1.7.8 2.9 2.3 3.6 1.5.7 3.4 1.2 5.7 1.6 2.2.4 4.5.8 6.7 1.4 2.2.6 4.1 1.6 5.7 3 1.4 1.6 2.2 3.7 2.2 6.6zM197.6 73.2h-17.1v-5.5h3.8V51.9c0-3.7-.7-6.3-2.1-7.9-1.4-1.6-3.3-2.3-5.7-2.3-3.2 0-5.6 1.1-7.2 3.4s-2.4 4.6-2.5 6.9v15.6h6v5.5h-17.1v-5.5h3.8V51.9c0-3.8-.7-6.4-2.1-7.9-1.4-1.5-3.3-2.3-5.6-2.3-3.2 0-5.5 1.1-7.2 3.3-1.6 2.2-2.4 4.5-2.5 6.9v15.8h6.9v5.5h-20.2v-5.5h6V42.4h-6.1v-5.6h13.4v6.4c1.2-2.1 2.7-3.8 4.7-5.2 2-1.3 4.4-2 7.3-2s5.3.7 7.5 2.1c2.2 1.4 3.7 3.5 4.5 6.4 1.1-2.5 2.7-4.5 4.9-6.1s4.8-2.4 7.9-2.4c3.5 0 6.5 1.1 8.9 3.3s3.7 5.6 3.7 10.2v18.2h6.1v5.5zm42.5 0h-13.2V66c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2s9.8 2.2 12.3 6.5V22.7h-8.6v-5.6h15.8v50.6h6v5.5zm-13.3-16.8V52c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm61.5 16.8H269v-5.5h6V51.9c0-3.7-.7-6.3-2.2-7.9-1.4-1.6-3.4-2.3-5.7-2.3-3.1 0-5.6 1-7.4 3s-2.8 4.4-2.9 7v15.9h6v5.5h-19.3v-5.5h6V42.4h-6.2v-5.6h13.6V43c2.6-4.6 6.8-6.9 12.7-6.9 3.6 0 6.7 1.1 9.2 3.3s3.7 5.6 3.7 10.2v18.2h6v5.4h-.2z" class="logo-text"></path></svg></a><button title="Open main menu" type="button" class="button action has-icon main-menu-toggle" aria-haspopup="menu" aria-label="Open main menu" aria-expanded="false"><span class="button-wrap"><span class="icon icon-menu "></span><span class="visually-hidden">Open main menu</span></span></button></div><div class="top-navigation-main"><nav class="main-nav" aria-label="Main menu"><ul class="main-menu nojs"><li class="top-level-entry-container active"><button type="button" id="references-button" class="top-level-entry menu-toggle" aria-controls="references-menu" aria-expanded="false">References</button><a href="/en-US/docs/Web" class="top-level-entry">References</a><ul id="references-menu" class="submenu references hidden inline-submenu-lg" aria-labelledby="references-button"><li class="apis-link-container mobile-only "><a href="/en-US/docs/Web" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview / Web Technology</div><p class="submenu-item-description">Web technology reference for developers</p></div></a></li><li class="html-link-container "><a href="/en-US/docs/Web/HTML" class="submenu-item "><div class="submenu-icon html"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTML</div><p class="submenu-item-description">Structure of content on the web</p></div></a></li><li class="css-link-container "><a href="/en-US/docs/Web/CSS" class="submenu-item "><div class="submenu-icon css"></div><div class="submenu-content-container"><div class="submenu-item-heading">CSS</div><p class="submenu-item-description">Code used to describe document style</p></div></a></li><li class="javascript-link-container "><a href="/en-US/docs/Web/JavaScript" class="submenu-item "><div class="submenu-icon javascript"></div><div class="submenu-content-container"><div class="submenu-item-heading">JavaScript</div><p class="submenu-item-description">General-purpose scripting language</p></div></a></li><li class="http-link-container "><a href="/en-US/docs/Web/HTTP" class="submenu-item "><div class="submenu-icon http"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTTP</div><p class="submenu-item-description">Protocol for transmitting web resources</p></div></a></li><li class="apis-link-container "><a href="/en-US/docs/Web/API" class="submenu-item "><div class="submenu-icon apis"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web APIs</div><p class="submenu-item-description">Interfaces for building web applications</p></div></a></li><li class="apis-link-container "><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web Extensions</div><p class="submenu-item-description">Developing extensions for web browsers</p></div></a></li><li class="apis-link-container desktop-only "><a href="/en-US/docs/Web" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web Technology</div><p class="submenu-item-description">Web technology reference for developers</p></div></a></li></ul></li><li class="top-level-entry-container "><button type="button" id="guides-button" class="top-level-entry menu-toggle" aria-controls="guides-menu" aria-expanded="false">Guides</button><a href="/en-US/docs/Learn" class="top-level-entry">Guides</a><ul id="guides-menu" class="submenu guides hidden inline-submenu-lg" aria-labelledby="guides-button"><li class="apis-link-container mobile-only "><a href="/en-US/docs/Learn" class="submenu-item "><div class="submenu-icon learn"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview / MDN Learning Area</div><p class="submenu-item-description">Learn web development</p></div></a></li><li class="apis-link-container desktop-only "><a href="/en-US/docs/Learn" class="submenu-item "><div class="submenu-icon learn"></div><div class="submenu-content-container"><div class="submenu-item-heading">MDN Learning Area</div><p class="submenu-item-description">Learn web development</p></div></a></li><li class="html-link-container "><a href="/en-US/docs/Learn/HTML" class="submenu-item "><div class="submenu-icon html"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTML</div><p class="submenu-item-description">Learn to structure web content with HTML</p></div></a></li><li class="css-link-container "><a href="/en-US/docs/Learn/CSS" class="submenu-item "><div class="submenu-icon css"></div><div class="submenu-content-container"><div class="submenu-item-heading">CSS</div><p class="submenu-item-description">Learn to style content using CSS</p></div></a></li><li class="javascript-link-container "><a href="/en-US/docs/Learn/JavaScript" class="submenu-item "><div class="submenu-icon javascript"></div><div class="submenu-content-container"><div class="submenu-item-heading">JavaScript</div><p class="submenu-item-description">Learn to run scripts in the browser</p></div></a></li><li class=" "><a href="/en-US/docs/Web/Accessibility" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Accessibility</div><p class="submenu-item-description">Learn to make the web accessible to all</p></div></a></li></ul></li><li class="top-level-entry-container "><button type="button" id="mdn-plus-button" class="top-level-entry menu-toggle" aria-controls="mdn-plus-menu" aria-expanded="false">Plus</button><a href="/en-US/plus" class="top-level-entry">Plus</a><ul id="mdn-plus-menu" class="submenu mdn-plus hidden inline-submenu-lg" aria-labelledby="mdn-plus-button"><li class=" "><a href="/en-US/plus" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview</div><p class="submenu-item-description">A customized MDN experience</p></div></a></li><li class=" "><a href="/en-US/plus/ai-help" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">AI Help</div><p class="submenu-item-description">Get real-time assistance and support</p></div></a></li><li class=" "><a href="/en-US/plus/updates" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Updates</div><p class="submenu-item-description">All browser compatibility updates at a glance</p></div></a></li><li class=" "><a href="/en-US/plus/docs/features/overview" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Documentation</div><p class="submenu-item-description">Learn how to use MDN Plus</p></div></a></li><li class=" "><a href="/en-US/plus/docs/faq" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">FAQ</div><p class="submenu-item-description">Frequently asked questions about MDN Plus</p></div></a></li></ul></li><li class="top-level-entry-container "><a class="top-level-entry menu-link" href="/en-US/curriculum/">Curriculum <sup class="new">New</sup></a></li><li class="top-level-entry-container "><a class="top-level-entry menu-link" href="/en-US/blog/">Blog</a></li><li class="top-level-entry-container "><button type="button" id="tools-button" class="top-level-entry menu-toggle" aria-controls="tools-menu" aria-expanded="false">Tools</button><ul id="tools-menu" class="submenu tools hidden inline-submenu-lg" aria-labelledby="tools-button"><li class=" "><a href="/en-US/play" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Playground</div><p class="submenu-item-description">Write, test and share your code</p></div></a></li><li class=" "><a href="/en-US/observatory" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTTP Observatory</div><p class="submenu-item-description">Scan a website for free</p></div></a></li><li class=" "><a href="/en-US/plus/ai-help" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">AI Help</div><p class="submenu-item-description">Get real-time assistance and support</p></div></a></li></ul></li></ul></nav><div class="header-search"><form action="/en-US/search" class="search-form search-widget" id="top-nav-search-form" role="search"><label id="top-nav-search-label" for="top-nav-search-input" class="visually-hidden">Search MDN</label><input aria-activedescendant="" aria-autocomplete="list" aria-controls="top-nav-search-menu" aria-expanded="false" aria-labelledby="top-nav-search-label" autoComplete="off" id="top-nav-search-input" role="combobox" type="search" class="search-input-field" name="q" placeholder="   " required="" value=""/><button type="button" class="button action has-icon clear-search-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear search input</span></span></button><button type="submit" class="button action has-icon search-button"><span class="button-wrap"><span class="icon icon-search "></span><span class="visually-hidden">Search</span></span></button><div id="top-nav-search-menu" role="listbox" aria-labelledby="top-nav-search-label"></div></form></div><div class="theme-switcher-menu"><button type="button" class="button action has-icon theme-switcher-menu small" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-theme-os-default "></span>Theme</span></button></div><ul class="auth-container"><li><a href="/users/fxa/login/authenticate/?next=%2Fen-US%2Fdocs%2FWeb%2FAPI%2FWeb_Authentication_API" class="login-link" rel="nofollow">Log in</a></li><li><a href="/users/fxa/login/authenticate/?next=%2Fen-US%2Fdocs%2FWeb%2FAPI%2FWeb_Authentication_API" target="_self" rel="nofollow" class="button primary mdn-plus-subscribe-link"><span class="button-wrap">Sign up for free</span></a></li></ul></div></div></header><div class="article-actions-container"><div class="container"><button type="button" class="button action has-icon sidebar-button" aria-label="Expand sidebar" aria-expanded="false" aria-controls="sidebar-quicklinks"><span class="button-wrap"><span class="icon icon-sidebar "></span></span></button><nav class="breadcrumbs-container" aria-label="Breadcrumb"><ol typeof="BreadcrumbList" vocab="https://schema.org/" aria-label="breadcrumbs"><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web" class="breadcrumb" property="item" typeof="WebPage"><span property="name">References</span></a><meta property="position" content="1"/></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/API" class="breadcrumb" property="item" typeof="WebPage"><span property="name">Web APIs</span></a><meta property="position" content="2"/></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/API/Web_Authentication_API" class="breadcrumb-current-page" property="item" typeof="WebPage"><span property="name">Web Authentication API</span></a><meta property="position" content="3"/></li></ol></nav><div class="article-actions"><button type="button" class="button action has-icon article-actions-toggle" aria-label="Article actions"><span class="button-wrap"><span class="icon icon-ellipses "></span><span class="article-actions-dialog-heading">Article Actions</span></span></button><ul class="article-actions-entries"><li class="article-actions-entry"><div class="languages-switcher-menu open-on-focus-within"><button id="languages-switcher-button" type="button" class="button action small has-icon languages-switcher-menu" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-language "></span>English (US)</span></button><div class="hidden"><ul class="submenu language-menu " aria-labelledby="language-menu-button"><li class=" "><form class="submenu-item locale-redirect-setting"><div class="group"><label class="switch"><input type="checkbox" name="locale-redirect"/><span class="slider"></span><span class="label">Remember language</span></label><a href="https://github.com/orgs/mdn/discussions/739" rel="external noopener noreferrer" target="_blank" title="Enable this setting to automatically switch to this language when it&#x27;s available. (Click to learn more.)"><span class="icon icon-question-mark "></span></a></div></form></li><li class=" "><a data-locale="de" href="/de/docs/Web/API/Web_Authentication_API" class="button submenu-item"><span>Deutsch</span><span title="Diese Übersetzung ist Teil eines Experiments."><span class="icon icon-experimental "></span></span></a></li><li class=" "><a data-locale="fr" href="/fr/docs/Web/API/Web_Authentication_API" class="button submenu-item"><span>Français</span></a></li><li class=" "><a data-locale="ja" href="/ja/docs/Web/API/Web_Authentication_API" class="button submenu-item"><span>日本語</span></a></li><li class=" "><a data-locale="zh-CN" href="/zh-CN/docs/Web/API/Web_Authentication_API" class="button submenu-item"><span>中文 (简体)</span></a></li></ul></div></div></li></ul></div></div></div></div><div class="main-wrapper"><div class="sidebar-container"><aside id="sidebar-quicklinks" class="sidebar" data-macro="DefaultAPISidebar"><button type="button" class="button action backdrop" aria-label="Collapse sidebar"><span class="button-wrap"></span></button><nav aria-label="Related Topics" class="sidebar-inner"><header class="sidebar-actions"><section class="sidebar-filter-container"><div class="sidebar-filter "><label id="sidebar-filter-label" class="sidebar-filter-label" for="sidebar-filter-input"><span class="icon icon-filter"></span><span class="visually-hidden">Filter sidebar</span></label><input id="sidebar-filter-input" autoComplete="off" class="sidebar-filter-input-field false" type="text" placeholder="Filter" value=""/><button type="button" class="button action has-icon clear-sidebar-filter-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear filter input</span></span></button></div></section></header><div class="sidebar-inner-nav"><div class="in-nav-toc"><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#webauthn_concepts_and_usage">WebAuthn concepts and usage</a></li><li class="document-toc-item "><a class="document-toc-link" href="#controlling_access_to_the_api">Controlling access to the API</a></li><li class="document-toc-item "><a class="document-toc-link" href="#interfaces">Interfaces</a></li><li class="document-toc-item "><a class="document-toc-link" href="#extensions_to_other_interfaces">Extensions to other interfaces</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#specifications">Specifications</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li></ul></section></div></div><div class="sidebar-body"><ol><li class="section"><em><a href="/en-US/docs/Web/API/Web_Authentication_API" aria-current="page">Web Authentication API</a></em></li><li class="toggle"><details open=""><summary>Guides</summary><ol><li><a href="/en-US/docs/Web/API/Web_Authentication_API/Attestation_and_Assertion">Attestation and Assertion</a></li><li><a href="/en-US/docs/Web/API/Web_Authentication_API/Authenticator_data">Authenticator data</a></li><li><a href="/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions">Web Authentication extensions</a></li></ol></details></li><li class="toggle"><details open=""><summary>Interfaces</summary><ol><li><a href="/en-US/docs/Web/API/PublicKeyCredential"><code>PublicKeyCredential</code></a></li><li><a href="/en-US/docs/Web/API/PublicKeyCredentialCreationOptions"><code>PublicKeyCredentialCreationOptions</code></a></li><li><a href="/en-US/docs/Web/API/PublicKeyCredentialRequestOptions"><code>PublicKeyCredentialRequestOptions</code></a></li><li><a href="/en-US/docs/Web/API/AuthenticatorResponse"><code>AuthenticatorResponse</code></a></li><li><a href="/en-US/docs/Web/API/AuthenticatorAttestationResponse"><code>AuthenticatorAttestationResponse</code></a></li><li><a href="/en-US/docs/Web/API/AuthenticatorAssertionResponse"><code>AuthenticatorAssertionResponse</code></a></li></ol></details></li><li class="toggle"><details open=""><summary>Methods</summary><ol><li><a href="/en-US/docs/Web/API/CredentialsContainer/create"><code>CredentialsContainer.create()</code></a></li><li><a href="/en-US/docs/Web/API/CredentialsContainer/get"><code>CredentialsContainer.get()</code></a></li></ol></details></li></ol></div></div><section class="place side"></section></nav></aside><div class="toc-container"><aside class="toc"><nav><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#webauthn_concepts_and_usage">WebAuthn concepts and usage</a></li><li class="document-toc-item "><a class="document-toc-link" href="#controlling_access_to_the_api">Controlling access to the API</a></li><li class="document-toc-item "><a class="document-toc-link" href="#interfaces">Interfaces</a></li><li class="document-toc-item "><a class="document-toc-link" href="#extensions_to_other_interfaces">Extensions to other interfaces</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#specifications">Specifications</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li></ul></section></div></nav></aside><section class="place side"></section></div></div><main id="content" class="main-content "><article class="main-page-content" lang="en-US"><header><h1>Web Authentication API</h1><details class="baseline-indicator high"><summary><span class="indicator" role="img" aria-label="Baseline Check"></span><h2>Baseline<!-- --> <span class="not-bold">Widely available</span></h2><div class="browsers"><span class="engine" title="Supported in Chrome and Edge"><span class="browser chrome supported" role="img" aria-label="Chrome check"></span><span class="browser edge supported" role="img" aria-label="Edge check"></span></span><span class="engine" title="Supported in Firefox"><span class="browser firefox supported" role="img" aria-label="Firefox check"></span></span><span class="engine" title="Supported in Safari"><span class="browser safari supported" role="img" aria-label="Safari check"></span></span></div><span class="icon icon-chevron "></span></summary><div class="extra"><p>This feature is well established and works across many devices and browser versions. It’s been available across browsers since<!-- --> <!-- -->September 2021<!-- -->.</p><ul><li><a href="/en-US/docs/Glossary/Baseline/Compatibility" data-glean="baseline_link_learn_more" target="_blank" class="learn-more">Learn more</a></li><li><a href="#browser_compatibility" data-glean="baseline_link_bcd_table">See full compatibility</a></li><li><a href="https://survey.alchemer.com/s3/7634825/MDN-baseline-feedback?page=%2Fen-US%2Fdocs%2FWeb%2FAPI%2FWeb_Authentication_API&amp;level=high" data-glean="baseline_link_feedback" class="feedback-link" target="_blank" rel="noreferrer">Report feedback</a></li></ul></div></details></header><div class="section-content"><div class="notecard secure"><p><strong>Secure context:</strong> This feature is available only in <a href="/en-US/docs/Web/Security/Secure_Contexts">secure contexts</a> (HTTPS), in some or all <a href="#browser_compatibility">supporting browsers</a>.</p></div> <p>The Web Authentication API (WebAuthn) is an extension of the <a href="/en-US/docs/Web/API/Credential_Management_API">Credential Management API</a> that enables strong authentication with public key cryptography, enabling passwordless authentication and secure multi-factor authentication (MFA) without SMS texts.</p> <div class="notecard note"> <p><strong>Note:</strong> <a href="https://passkeys.dev/" class="external" target="_blank">Passkeys</a> are a significant use case for web authentication; see <a href="https://web.dev/articles/passkey-registration" class="external" target="_blank">Create a passkey for passwordless logins</a> and <a href="https://web.dev/articles/passkey-form-autofill" class="external" target="_blank">Sign in with a passkey through form autofill</a> for implementation details. See also <a href="https://developers.google.com/identity/passkeys" class="external" target="_blank">Google Identity &gt; Passwordless login with passkeys</a>.</p> </div></div><section aria-labelledby="webauthn_concepts_and_usage"><h2 id="webauthn_concepts_and_usage"><a href="#webauthn_concepts_and_usage">WebAuthn concepts and usage</a></h2><div class="section-content"><p>WebAuthn uses <a href="https://en.wikipedia.org/wiki/Public-key_cryptography" class="external" target="_blank">asymmetric (public-key) cryptography</a> instead of passwords or SMS texts for registering, authenticating, and <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication" class="external" target="_blank">multi-factor authentication</a> with websites. This has some benefits:</p> <ul> <li><strong>Protection against phishing:</strong> An attacker who creates a fake login website can't login as the user because the signature changes with the <a href="/en-US/docs/Glossary/Origin">origin</a> of the website.</li> <li><strong>Reduced impact of data breaches:</strong> Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, it can't authenticate because it needs the private key.</li> <li><strong>Invulnerable to password attacks:</strong> Some users might reuse passwords, and an attacker may obtain the user's password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a digital signature.</li> </ul> <p>Many websites already have pages that allow users to register new accounts or sign into an existing account, and WebAuthn acts as a replacement or enhancement for the authentication part of the system. It extends the <a href="/en-US/docs/Web/API/Credential_Management_API">Credential Management API</a>, abstracting communication between the user agent and an authenticator and providing the following new functionality:</p> <ul> <li>When <a href="/en-US/docs/Web/API/CredentialsContainer/create" title="navigator.credentials.create()"><code>navigator.credentials.create()</code></a> is used with the <code>publicKey</code> option, the user agent creates new credentials via an authenticator — either for registering a new account or for associating a new asymmetric key pair with an existing account. <ul> <li>When registering a new account, these credentials are stored on a server (also referred to as a service or a <a href="https://en.wikipedia.org/wiki/Relying_party" class="external" target="_blank">relying party</a>) and can be subsequently used to log a user in.</li> <li>The asymmetric key pair is stored in the authenticator, which can then be used to authenticate a user with a relying party for example during MFA. The authenticator may be embedded into the user agent, into an operating system, such as Windows Hello, or it may be a physical token, such as a USB or Bluetooth Security Key.</li> </ul> </li> <li>When <a href="/en-US/docs/Web/API/CredentialsContainer/get" title="navigator.credentials.get()"><code>navigator.credentials.get()</code></a> is used with the <code>publicKey</code> option, the user agent uses an existing set of credentials to authenticate to a relying party (either as the primary login or to provide an additional factor during MFA as described above).</li> </ul> <p>In their most basic forms, both <code>create()</code> and <code>get()</code> receive a very large random number called the "challenge" from the server and return the challenge signed by the private key back to the server. This proves to the server that a user has the private key required for authentication without revealing any secrets over the network.</p> <div class="notecard note"> <p><strong>Note:</strong> The "challenge" must be a buffer of random information at least 16 bytes in size.</p> </div></div></section><section aria-labelledby="creating_a_key_pair_and_registering_a_user"><h3 id="creating_a_key_pair_and_registering_a_user"><a href="#creating_a_key_pair_and_registering_a_user">Creating a key pair and registering a user</a></h3><div class="section-content"><p>To illustrate how the credential creation process works, let's describe the typical flow that occurs when a user wants to register a credential to a relying party:</p> <ol> <li> <p>The relying party server sends user and relying party information to the web app handling the registration process, along with the "challenge", using an appropriate secure mechanism (for example <a href="/en-US/docs/Web/API/Fetch_API">Fetch</a> or <a href="/en-US/docs/Web/API/XMLHttpRequest">XMLHttpRequest</a>).</p> <div class="notecard note"> <p> <strong>Note:</strong> The format for sharing information between the relying party server and the web app is up to the application. A recommended approach is to exchange <a href="/en-US/docs/Glossary/JSON_type_representation">JSON type representation</a> objects for credentials and credential options. Convenience methods have been created in <code>PublicKeyCredential</code> for converting from the JSON representations to the form required by the authentication APIs: <a href="/en-US/docs/Web/API/PublicKeyCredential/parseCreationOptionsFromJSON_static" title="parseCreationOptionsFromJSON()"><code>parseCreationOptionsFromJSON()</code></a>, <a href="/en-US/docs/Web/API/PublicKeyCredential/parseRequestOptionsFromJSON_static" title="parseRequestOptionsFromJSON()"><code>parseRequestOptionsFromJSON()</code></a> and <a href="/en-US/docs/Web/API/PublicKeyCredential/toJSON"><code>PublicKeyCredential.toJSON()</code></a>. </p> </div> </li> <li> <p>The web app initiates generation of a new credential via the authenticator, on behalf of the relying party, via a <a href="/en-US/docs/Web/API/CredentialsContainer/create" title="navigator.credentials.create()"><code>navigator.credentials.create()</code></a> call. This call is passed a <code>publicKey</code> option specifying device capabilities, e.g., whether the device provides its own user authentication (for example with biometrics).</p> <p>A typical <code>create()</code> call might look like so:</p> <div class="code-example"><div class="example-header"><span class="language-name">js</span></div><pre class="brush: js notranslate"><code>let credential = await navigator.credentials.create({ publicKey: { challenge: new Uint8Array([117, 61, 252, 231, 191, 241, ...]), rp: { id: "acme.com", name: "ACME Corporation" }, user: { id: new Uint8Array([79, 252, 83, 72, 214, 7, 89, 26]), name: "jamiedoe", displayName: "Jamie Doe" }, pubKeyCredParams: [ {type: "public-key", alg: -7} ] } }); </code></pre></div> <p>The parameters of the <code>create()</code> call are passed to the authenticator, along with a SHA-256 hash that is signed to ensure that it isn't tampered with.</p> </li> <li> <p>After the authenticator obtains user consent, it generates a key pair and returns the public key and optional signed attestation to the web app. This is provided when the <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise"><code>Promise</code></a> returned by the <code>create()</code> call fulfills, in the form of a <a href="/en-US/docs/Web/API/PublicKeyCredential"><code>PublicKeyCredential</code></a> object instance (the <a href="/en-US/docs/Web/API/PublicKeyCredential/response"><code>PublicKeyCredential.response</code></a> property contains the attestation information).</p> </li> <li> <p>The web app forwards the <a href="/en-US/docs/Web/API/PublicKeyCredential"><code>PublicKeyCredential</code></a> to the server, again using an appropriate mechanism.</p> </li> <li> <p>The server stores the public key, coupled with the user identity, to remember the credential for future authentications. During this process, it performs a series of checks to ensure that the registration was complete and not tampered with. These include:</p> <ol> <li>Verifying that the challenge is the same as the challenge that was sent.</li> <li>Ensuring that the origin was the origin expected.</li> <li>Validating that the signature and attestation are using the correct certificate chain for the specific model of the authenticator used to generated the key par in the first place.</li> </ol> </li> </ol> <div class="notecard warning"> <p><strong>Warning:</strong> Attestation provides a way for a relying party to determine the provenance of an authenticator. Relying parties should not attempt to maintain allowlists of authenticators.</p> </div></div></section><section aria-labelledby="authenticating_a_user"><h3 id="authenticating_a_user"><a href="#authenticating_a_user">Authenticating a user</a></h3><div class="section-content"><p>After a user has registered with WebAuthn, they can authenticate (i.e., login) with the service. The authentication flow looks similar to the registration flow, the main differences being that authentication:</p> <ol> <li>Doesn't require user or relying party information</li> <li>Creates an assertion using the previously-generated key pair for the service, rather than the authenticator's key pair.</li> </ol> <p>A typical authentication flow is as follows:</p> <ol> <li> <p>The relying party generates a "challenge" and sends it to the user agent using an appropriate secure mechanism, along with a list of relying party and user credentials. It can also indicate where to look for the credential, e.g., on a local built-in authenticator, or on an external one over USB, BLE, etc.</p> </li> <li> <p>The browser asks the authenticator to sign the challenge via a <a href="/en-US/docs/Web/API/CredentialsContainer/get" title="navigator.credentials.get()"><code>navigator.credentials.get()</code></a> call, which is passed the credentials in a <code>publicKey</code> option.</p> <p>A typical <code>get()</code> call might look like so:</p> <div class="code-example"><div class="example-header"><span class="language-name">js</span></div><pre class="brush: js notranslate"><code>let credential = await navigator.credentials.get({ publicKey: { challenge: new Uint8Array([139, 66, 181, 87, 7, 203, ...]), rpId: "acme.com", allowCredentials: [{ type: "public-key", id: new Uint8Array([64, 66, 25, 78, 168, 226, 174, ...]) }], userVerification: "required", } }); </code></pre></div> <p>The parameters of the <code>get()</code> call are passed to the authenticator to handle the authentication.</p> </li> <li> <p>If the authenticator contains one of the given credentials and is able to successfully sign the challenge, it returns a signed assertion to the web app after receiving user consent. This is provided when the <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise"><code>Promise</code></a> returned by the <code>get()</code> call fulfills, in the form of a <a href="/en-US/docs/Web/API/PublicKeyCredential"><code>PublicKeyCredential</code></a> object instance (the <a href="/en-US/docs/Web/API/PublicKeyCredential/response"><code>PublicKeyCredential.response</code></a> property contains the assertion information).</p> </li> <li> <p>The web app forwards the signed assertion to the relying party server for the relying party to validate. The validation checks include:</p> <ol> <li>Using the public key that was stored during the registration request to validate the signature by the authenticator.</li> <li>Ensuring that the challenge that was signed by the authenticator matches the challenge that was generated by the server.</li> <li>Checking that the Relying Party ID is the one expected for this service.</li> </ol> </li> <li> <p>Once verified by the server, the authentication flow is considered successful.</p> </li> </ol></div></section><section aria-labelledby="controlling_access_to_the_api"><h2 id="controlling_access_to_the_api"><a href="#controlling_access_to_the_api">Controlling access to the API</a></h2><div class="section-content"><p>The availability of WebAuthn can be controlled using a <a href="/en-US/docs/Web/HTTP/Permissions_Policy">Permissions Policy</a>, specifying two directives in particular:</p> <ul> <li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create"><code>publickey-credentials-create</code></a>: Controls the availability of <a href="/en-US/docs/Web/API/CredentialsContainer/create" title="navigator.credentials.create()"><code>navigator.credentials.create()</code></a> with the <code>publicKey</code> option.</li> <li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get"><code>publickey-credentials-get</code></a>: Controls the availability of <a href="/en-US/docs/Web/API/CredentialsContainer/get" title="navigator.credentials.get()"><code>navigator.credentials.get()</code></a> with the <code>publicKey</code> option.</li> </ul> <p> Both directives have a default allowlist value of <code>"self"</code>, meaning that by default these methods can be used in top-level document contexts. In addition, <code>get()</code> can be used in nested browsing contexts loaded from the same origin as the top-most document. <code>get()</code> and <code>create()</code> can be used in nested browsing contexts loaded from the different origins to the top-most document (i.e. in cross-origin <code>&lt;iframes&gt;</code>), if allowed by the <a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get"><code>publickey-credentials-get</code></a> and <a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create"><code>publickey-credentials-create</code></a> <code>Permission-Policy</code> directives, respectively. For cross-origin <code>create()</code> calls, where the permission was granted by <a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy#iframes"><code>allow=</code> on an iframe</a>, the frame must also have <a href="/en-US/docs/Glossary/Transient_activation">Transient activation</a>. </p> <div class="notecard note"> <p><strong>Note:</strong> Where a policy forbids use of these methods, the <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise">promises</a> returned by them will reject with a <code>NotAllowedError</code> <a href="/en-US/docs/Web/API/DOMException"><code>DOMException</code></a>.</p> </div></div></section><section aria-labelledby="basic_access_control"><h3 id="basic_access_control"><a href="#basic_access_control">Basic access control</a></h3><div class="section-content"><p>If you wish to allow access to a specific subdomain only, you could provide it like this:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Permissions-Policy: publickey-credentials-get=("https://subdomain.example.com") Permissions-Policy: publickey-credentials-create=("https://subdomain.example.com") </code></pre></div></div></section><section aria-labelledby="allowing_embedded_create_and_get_calls_in_an_iframe"><h3 id="allowing_embedded_create_and_get_calls_in_an_iframe"><a href="#allowing_embedded_create_and_get_calls_in_an_iframe">Allowing embedded <code>create</code> and <code>get()</code> calls in an <code>&lt;iframe&gt;</code></a></h3><div class="section-content"><p>If you wish to authenticate with <code>get()</code> or <code>create()</code> in an <code>&lt;iframe&gt;</code>, there are a couple of steps to follow:</p> <ol> <li> <p>The site embedding the relying party site must provide permission via an <code>allow</code> attribute:</p> <ul> <li> <p>If using <code>get()</code>:</p> <div class="code-example"><div class="example-header"><span class="language-name">html</span></div><pre class="brush: html notranslate"><code>&lt;iframe src="https://auth.provider.com" allow="publickey-credentials-get *"&gt; &lt;/iframe&gt; </code></pre></div> </li> <li> <p>If using <code>create()</code>:</p> <div class="code-example"><div class="example-header"><span class="language-name">html</span></div><pre class="brush: html notranslate"><code>&lt;iframe src="https://auth.provider.com" allow="publickey-credentials-create 'self' https://a.auth.provider.com https://b.auth.provider.com"&gt; &lt;/iframe&gt; </code></pre></div> <p>The <code>&lt;iframe&gt;</code> must also have <a href="/en-US/docs/Glossary/Transient_activation">Transient activation</a> if <code>create()</code> is called cross-origin.</p> </li> </ul> </li> <li> <p>The relying party site must provide permission for the above access via a <code>Permissions-Policy</code> header:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Permissions-Policy: publickey-credentials-get=* Permissions-Policy: publickey-credentials-create=* </code></pre></div> <p>Or to allow only a specific URL to embed the relying party site in an <code>&lt;iframe&gt;</code>:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Permissions-Policy: publickey-credentials-get=("https://subdomain.example.com") Permissions-Policy: publickey-credentials-create=("https://*.auth.provider.com") </code></pre></div> </li> </ol></div></section><section aria-labelledby="interfaces"><h2 id="interfaces"><a href="#interfaces">Interfaces</a></h2><div class="section-content"><dl> <dt id="authenticatorassertionresponse"><a href="/en-US/docs/Web/API/AuthenticatorAssertionResponse"><code>AuthenticatorAssertionResponse</code></a></dt> <dd> <p>Provides proof to a service that an authenticator has the necessary key pair to successfully handle an authentication request initiated by a <a href="/en-US/docs/Web/API/CredentialsContainer/get"><code>CredentialsContainer.get()</code></a> call. Available in the <a href="/en-US/docs/Web/API/PublicKeyCredential/response" title="response"><code>response</code></a> property of the <a href="/en-US/docs/Web/API/PublicKeyCredential"><code>PublicKeyCredential</code></a> instance obtained when the <code>get()</code> <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise"><code>Promise</code></a> fulfills.</p> </dd> <dt id="authenticatorattestationresponse"><a href="/en-US/docs/Web/API/AuthenticatorAttestationResponse"><code>AuthenticatorAttestationResponse</code></a></dt> <dd> <p>The result of a WebAuthn credential registration (i.e., a <a href="/en-US/docs/Web/API/CredentialsContainer/create"><code>CredentialsContainer.create()</code></a> call). It contains information about the credential that the server needs to perform WebAuthn assertions, such as its credential ID and public key. Available in the <a href="/en-US/docs/Web/API/PublicKeyCredential/response" title="response"><code>response</code></a> property of the <a href="/en-US/docs/Web/API/PublicKeyCredential"><code>PublicKeyCredential</code></a> instance obtained when the <code>create()</code> <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise"><code>Promise</code></a> fulfills.</p> </dd> <dt id="authenticatorresponse"><a href="/en-US/docs/Web/API/AuthenticatorResponse"><code>AuthenticatorResponse</code></a></dt> <dd> <p>The base interface for <a href="/en-US/docs/Web/API/AuthenticatorAttestationResponse"><code>AuthenticatorAttestationResponse</code></a> and <a href="/en-US/docs/Web/API/AuthenticatorAssertionResponse"><code>AuthenticatorAssertionResponse</code></a>.</p> </dd> <dt id="publickeycredential"><a href="/en-US/docs/Web/API/PublicKeyCredential"><code>PublicKeyCredential</code></a></dt> <dd> <p>Provides information about a public key / private key pair, which is a credential for logging in to a service using an un-phishable and data-breach resistant asymmetric key pair instead of a password. Obtained when the <a href="/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise"><code>Promise</code></a> returned via a <a href="/en-US/docs/Web/API/CredentialsContainer/create" title="create()"><code>create()</code></a> or <a href="/en-US/docs/Web/API/CredentialsContainer/get" title="get()"><code>get()</code></a> call fulfills.</p> </dd> </dl></div></section><section aria-labelledby="extensions_to_other_interfaces"><h2 id="extensions_to_other_interfaces"><a href="#extensions_to_other_interfaces">Extensions to other interfaces</a></h2><div class="section-content"><dl> <dt id="credentialscontainer.create"><a href="/en-US/docs/Web/API/CredentialsContainer/create"><code>CredentialsContainer.create()</code></a>, the <code>publicKey</code> option</dt> <dd> <p>Calling <code>create()</code> with a <code>publicKey</code> option initiates the creation of new asymmetric key credentials via an authenticator, as explained above.</p> </dd> <dt id="credentialscontainer.get"><a href="/en-US/docs/Web/API/CredentialsContainer/get"><code>CredentialsContainer.get()</code></a>, the <code>publicKey</code> option</dt> <dd> <p>Calling <code>get()</code> with a <code>publicKey</code> option instructs the user agent uses an existing set of credentials to authenticate to a relying party.</p> </dd> </dl></div></section><section aria-labelledby="examples"><h2 id="examples"><a href="#examples">Examples</a></h2><div class="section-content"></div></section><section aria-labelledby="demo_sites"><h3 id="demo_sites"><a href="#demo_sites">Demo sites</a></h3><div class="section-content"><ul> <li><a href="https://webauthn.bin.coffee/" class="external" target="_blank">Mozilla Demo</a> website and its <a href="https://github.com/jcjones/webauthn.bin.coffee" class="external" target="_blank">source code</a>.</li> <li><a href="https://try-webauthn.appspot.com/" class="external" target="_blank">Google Demo</a> website and its <a href="https://github.com/google/webauthndemo" class="external" target="_blank">source code</a>.</li> <li><a href="https://webauthn.io/" class="external" target="_blank">WebAuthn.io demo</a> website and its <a href="https://github.com/duo-labs/webauthn.io" class="external" target="_blank">source code</a>.</li> <li><a href="https://github.com/webauthn-open-source" class="external" target="_blank">github.com/webauthn-open-source</a> and its <a href="https://github.com/webauthn-open-source/webauthn-simple-app" class="external" target="_blank">client source code</a> and <a href="https://github.com/webauthn-open-source/fido2-lib" class="external" target="_blank">server source code</a></li> </ul></div></section><section aria-labelledby="usage_example"><h3 id="usage_example"><a href="#usage_example">Usage example</a></h3><div class="section-content"><div class="notecard note"> <p><strong>Note:</strong> For security reasons, the Web Authentication API calls (<a href="/en-US/docs/Web/API/CredentialsContainer/create" title="create()"><code>create()</code></a> and <a href="/en-US/docs/Web/API/CredentialsContainer/get" title="get()"><code>get()</code></a>) are canceled if the browser window loses focus while the call is pending.</p> </div> <div class="code-example"><div class="example-header"><span class="language-name">js</span></div><pre class="brush: js notranslate"><code>// sample arguments for registration const createCredentialDefaultArgs = { publicKey: { // Relying Party (a.k.a. - Service): rp: { name: "Acme", }, // User: user: { id: new Uint8Array(16), name: "carina.p.anand@example.com", displayName: "Carina P. Anand", }, pubKeyCredParams: [ { type: "public-key", alg: -7, }, ], attestation: "direct", timeout: 60000, challenge: new Uint8Array([ // must be a cryptographically random number sent from a server 0x8c, 0x0a, 0x26, 0xff, 0x22, 0x91, 0xc1, 0xe9, 0xb9, 0x4e, 0x2e, 0x17, 0x1a, 0x98, 0x6a, 0x73, 0x71, 0x9d, 0x43, 0x48, 0xd5, 0xa7, 0x6a, 0x15, 0x7e, 0x38, 0x94, 0x52, 0x77, 0x97, 0x0f, 0xef, ]).buffer, }, }; // sample arguments for login const getCredentialDefaultArgs = { publicKey: { timeout: 60000, // allowCredentials: [newCredential] // see below challenge: new Uint8Array([ // must be a cryptographically random number sent from a server 0x79, 0x50, 0x68, 0x71, 0xda, 0xee, 0xee, 0xb9, 0x94, 0xc3, 0xc2, 0x15, 0x67, 0x65, 0x26, 0x22, 0xe3, 0xf3, 0xab, 0x3b, 0x78, 0x2e, 0xd5, 0x6f, 0x81, 0x26, 0xe2, 0xa6, 0x01, 0x7d, 0x74, 0x50, ]).buffer, }, }; // register / create a new credential navigator.credentials .create(createCredentialDefaultArgs) .then((cred) =&gt; { console.log("NEW CREDENTIAL", cred); // normally the credential IDs available for an account would come from a server // but we can just copy them from above… const idList = [ { id: cred.rawId, transports: ["usb", "nfc", "ble"], type: "public-key", }, ]; getCredentialDefaultArgs.publicKey.allowCredentials = idList; return navigator.credentials.get(getCredentialDefaultArgs); }) .then((assertion) =&gt; { console.log("ASSERTION", assertion); }) .catch((err) =&gt; { console.log("ERROR", err); }); </code></pre></div></div></section><h2 id="specifications"><a href="#specifications">Specifications</a></h2><table class="standard-table"><thead><tr><th scope="col">Specification</th></tr></thead><tbody><tr><td><a href="https://w3c.github.io/webauthn/#iface-pkcredential">Web Authentication: An API for accessing Public Key Credentials - Level 3<!-- --> <br/><small># <!-- -->iface-pkcredential</small></a></td></tr></tbody></table><h2 id="browser_compatibility"><a href="#browser_compatibility">Browser compatibility</a></h2><p>BCD tables only load in the browser<noscript> <!-- -->with JavaScript enabled. Enable JavaScript to view data.</noscript></p></article><aside class="article-footer"><div class="article-footer-inner"><div class="svg-container"><svg xmlns="http://www.w3.org/2000/svg" width="162" height="162" viewBox="0 0 162 162" fill="none" role="none"><mask id="b" fill="#fff"><path d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z"></path></mask><path stroke="url(#a)" stroke-dasharray="6, 6" stroke-width="2" d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z" mask="url(#b)" style="stroke:url(#a)" transform="translate(-63.992 -25.587)"></path><ellipse cx="8.066" cy="111.597" fill="var(--background-tertiary)" rx="53.677" ry="53.699" transform="matrix(.71707 -.697 .7243 .6895 0 0)"></ellipse><g clip-path="url(#c)" transform="translate(-63.992 -25.587)"><path fill="#9abff5" d="m144.256 137.379 32.906 12.434a4.41 4.41 0 0 1 2.559 5.667l-9.326 24.679a4.41 4.41 0 0 1-5.667 2.559l-8.226-3.108-2.332 6.17c-.466 1.233-.375 1.883-1.609 1.417l-2.253-.527c-.411-.155-.95-.594-1.206-1.161l-4.734-10.484-12.545-4.741a4.41 4.41 0 0 1-2.559-5.667l9.325-24.679a4.41 4.41 0 0 1 5.667-2.559m9.961 29.617 8.227 3.108 3.264-8.638-.498-6.768-4.113-1.555.548 7.258-4.319-1.632zm-12.339-4.663 8.226 3.108 3.264-8.637-.498-6.769-4.113-1.554.548 7.257-4.319-1.632z"></path></g><g clip-path="url(#d)" transform="translate(-63.992 -25.587)"><path fill="#81b0f3" d="M135.35 60.136 86.67 41.654c-3.346-1.27-7.124.428-8.394 3.775L64.414 81.938c-1.27 3.347.428 7.125 3.774 8.395l12.17 4.62-3.465 9.128c-.693 1.826-1.432 2.457.394 3.15l3.014 1.625c.609.231 1.637.274 2.477-.104l15.53-6.983 18.56 7.047c3.346 1.27 7.124-.428 8.395-3.775l13.862-36.51c1.27-3.346-.428-7.124-3.775-8.395M95.261 83.207l-12.17-4.62 4.852-12.779 7.19-7.017 6.085 2.31-7.725 7.51 6.389 2.426zm18.255 6.93-12.17-4.62 4.852-12.778 7.189-7.017 6.085 2.31-7.725 7.51 6.39 2.426z"></path></g><defs><clipPath id="c"><path fill="#fff" d="m198.638 146.586-65.056-24.583-24.583 65.057 65.056 24.582z"></path></clipPath><clipPath id="d"><path fill="#fff" d="m66.438 14.055 96.242 36.54-36.54 96.243-96.243-36.54z"></path></clipPath><linearGradient id="a" x1="97.203" x2="199.995" y1="47.04" y2="152.793" gradientUnits="userSpaceOnUse"><stop stop-color="#086DFC"></stop><stop offset="0.246" stop-color="#2C81FA"></stop><stop offset="0.516" stop-color="#5497F8"></stop><stop offset="0.821" stop-color="#80B0F6"></stop><stop offset="1" stop-color="#9ABFF5"></stop></linearGradient></defs></svg></div><h2>Help improve MDN</h2><fieldset class="feedback"><label>Was this page helpful to you?</label><div class="button-container"><button type="button" class="button primary has-icon yes"><span class="button-wrap"><span class="icon icon-thumbs-up "></span>Yes</span></button><button type="button" class="button primary has-icon no"><span class="button-wrap"><span class="icon icon-thumbs-down "></span>No</span></button></div></fieldset><a class="contribute" href="https://github.com/mdn/content/blob/main/CONTRIBUTING.md" title="This will take you to our contribution guidelines on GitHub." target="_blank" rel="noopener noreferrer">Learn how to contribute</a>.<p class="last-modified-date">This page was last modified on<!-- --> <time dateTime="2024-07-26T15:38:03.000Z">Jul 26, 2024</time> by<!-- --> <a href="/en-US/docs/Web/API/Web_Authentication_API/contributors.txt" rel="nofollow">MDN contributors</a>.</p><div id="on-github" class="on-github"><a href="https://github.com/mdn/content/blob/main/files/en-us/web/api/web_authentication_api/index.md?plain=1" title="Folder: en-us/web/api/web_authentication_api (Opens in a new tab)" target="_blank" rel="noopener noreferrer">View this page on GitHub</a> <!-- -->•<!-- --> <a href="https://github.com/mdn/content/issues/new?template=page-report.yml&amp;mdn-url=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FAPI%2FWeb_Authentication_API&amp;metadata=%3C%21--+Do+not+make+changes+below+this+line+--%3E%0A%3Cdetails%3E%0A%3Csummary%3EPage+report+details%3C%2Fsummary%3E%0A%0A*+Folder%3A+%60en-us%2Fweb%2Fapi%2Fweb_authentication_api%60%0A*+MDN+URL%3A+https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FAPI%2FWeb_Authentication_API%0A*+GitHub+URL%3A+https%3A%2F%2Fgithub.com%2Fmdn%2Fcontent%2Fblob%2Fmain%2Ffiles%2Fen-us%2Fweb%2Fapi%2Fweb_authentication_api%2Findex.md%0A*+Last+commit%3A+https%3A%2F%2Fgithub.com%2Fmdn%2Fcontent%2Fcommit%2F216794e76611c18e53222bb8efa570e898e990de%0A*+Document+last+modified%3A+2024-07-26T15%3A38%3A03.000Z%0A%0A%3C%2Fdetails%3E" title="This will take you to GitHub to file a new issue." target="_blank" rel="noopener noreferrer">Report a problem with this content</a></div></div></aside></main></div></div><footer id="nav-footer" class="page-footer"><div class="page-footer-grid"><div class="page-footer-logo-col"><a href="/" class="mdn-footer-logo" aria-label="MDN homepage"><svg width="48" height="17" viewBox="0 0 48 17" fill="none" xmlns="http://www.w3.org/2000/svg"><title id="mdn-footer-logo-svg">MDN logo</title><path d="M20.04 16.512H15.504V10.416C15.504 9.488 15.344 8.824 15.024 8.424C14.72 8.024 14.264 7.824 13.656 7.824C12.92 7.824 12.384 8.064 12.048 8.544C11.728 9.024 11.568 9.64 11.568 10.392V14.184H13.008V16.512H8.472V10.416C8.472 9.488 8.312 8.824 7.992 8.424C7.688 8.024 7.232 7.824 6.624 7.824C5.872 7.824 5.336 8.064 5.016 8.544C4.696 9.024 4.536 9.64 4.536 10.392V14.184H6.6V16.512H0V14.184H1.44V8.04H0.024V5.688H4.536V7.32C5.224 6.088 6.32 5.472 7.824 5.472C8.608 5.472 9.328 5.664 9.984 6.048C10.64 6.432 11.096 7.016 11.352 7.8C11.992 6.248 13.168 5.472 14.88 5.472C15.856 5.472 16.72 5.776 17.472 6.384C18.224 6.992 18.6 7.936 18.6 9.216V14.184H20.04V16.512Z" fill="currentColor"></path><path d="M33.6714 16.512H29.1354V14.496C28.8314 15.12 28.3834 15.656 27.7914 16.104C27.1994 16.536 26.4154 16.752 25.4394 16.752C24.0154 16.752 22.8954 16.264 22.0794 15.288C21.2634 14.312 20.8554 12.984 20.8554 11.304C20.8554 9.688 21.2554 8.312 22.0554 7.176C22.8554 6.04 24.0634 5.472 25.6794 5.472C26.5594 5.472 27.2794 5.648 27.8394 6C28.3994 6.352 28.8314 6.8 29.1354 7.344V2.352H26.9754V0H32.2314V14.184H33.6714V16.512ZM29.1354 11.04V10.776C29.1354 9.88 28.8954 9.184 28.4154 8.688C27.9514 8.176 27.3674 7.92 26.6634 7.92C25.9754 7.92 25.3674 8.176 24.8394 8.688C24.3274 9.2 24.0714 10.008 24.0714 11.112C24.0714 12.152 24.3114 12.944 24.7914 13.488C25.2714 14.032 25.8394 14.304 26.4954 14.304C27.3114 14.304 27.9514 13.96 28.4154 13.272C28.8954 12.584 29.1354 11.84 29.1354 11.04Z" fill="currentColor"></path><path d="M47.9589 16.512H41.9829V14.184H43.4229V10.416C43.4229 9.488 43.2629 8.824 42.9429 8.424C42.6389 8.024 42.1829 7.824 41.5749 7.824C40.8389 7.824 40.2709 8.056 39.8709 8.52C39.4709 8.968 39.2629 9.56 39.2469 10.296V14.184H40.6869V16.512H34.7109V14.184H36.1509V8.04H34.5909V5.688H39.2469V7.344C39.9669 6.096 41.1269 5.472 42.7269 5.472C43.7509 5.472 44.6389 5.776 45.3909 6.384C46.1429 6.992 46.5189 7.936 46.5189 9.216V14.184H47.9589V16.512Z" fill="currentColor"></path></svg></a><p>Your blueprint for a better internet.</p><ul class="social-icons"><li><a href="https://mozilla.social/@mdn" target="_blank" rel="me noopener noreferrer"><span class="icon icon-mastodon"></span><span class="visually-hidden">MDN on Mastodon</span></a></li><li><a href="https://twitter.com/mozdevnet" target="_blank" rel="noopener noreferrer"><span class="icon icon-twitter-x"></span><span class="visually-hidden">MDN on X (formerly Twitter)</span></a></li><li><a href="https://github.com/mdn/" target="_blank" rel="noopener noreferrer"><span class="icon icon-github-mark-small"></span><span class="visually-hidden">MDN on GitHub</span></a></li><li><a href="/en-US/blog/rss.xml" target="_blank"><span class="icon icon-feed"></span><span class="visually-hidden">MDN Blog RSS Feed</span></a></li></ul></div><div class="page-footer-nav-col-1"><h2 class="footer-nav-heading">MDN</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a href="/en-US/about">About</a></li><li class="footer-nav-item"><a href="/en-US/blog/">Blog</a></li><li class="footer-nav-item"><a href="https://www.mozilla.org/en-US/careers/listings/?team=ProdOps" target="_blank" rel="noopener noreferrer">Careers</a></li><li class="footer-nav-item"><a href="/en-US/advertising">Advertise with us</a></li></ul></div><div class="page-footer-nav-col-2"><h2 class="footer-nav-heading">Support</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="https://support.mozilla.org/products/mdn-plus">Product help</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/MDN/Community/Issues">Report an issue</a></li></ul></div><div class="page-footer-nav-col-3"><h2 class="footer-nav-heading">Our communities</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/community">MDN Community</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="https://discourse.mozilla.org/c/mdn/236" target="_blank" rel="noopener noreferrer">MDN Forum</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/discord" target="_blank" rel="noopener noreferrer">MDN Chat</a></li></ul></div><div class="page-footer-nav-col-4"><h2 class="footer-nav-heading">Developers</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/Web">Web Technologies</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/Learn">Learn Web Development</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/plus">MDN Plus</a></li><li class="footer-nav-item"><a href="https://hacks.mozilla.org/" target="_blank" rel="noopener noreferrer">Hacks Blog</a></li></ul></div><div class="page-footer-moz"><a href="https://www.mozilla.org/" class="footer-moz-logo-link" target="_blank" rel="noopener noreferrer"><svg width="112" height="32" fill="none" xmlns="http://www.w3.org/2000/svg"><title id="mozilla-footer-logo-svg">Mozilla logo</title><path d="M41.753 14.218c-2.048 0-3.324 1.522-3.324 4.157 0 2.423 1.119 4.286 3.29 4.286 2.082 0 3.447-1.678 3.447-4.347 0-2.826-1.522-4.096-3.413-4.096Zm54.89 7.044c0 .901.437 1.618 1.645 1.618 1.427 0 2.949-1.024 3.044-3.352-.649-.095-1.365-.185-2.02-.185-1.426-.005-2.668.397-2.668 1.92Z" fill="currentColor"></path><path d="M0 0v32h111.908V0H0Zm32.56 25.426h-5.87v-7.884c0-2.423-.806-3.352-2.39-3.352-1.924 0-2.702 1.365-2.702 3.324v4.868h1.864v3.044h-5.864v-7.884c0-2.423-.806-3.352-2.39-3.352-1.924 0-2.702 1.365-2.702 3.324v4.868h2.669v3.044H6.642v-3.044h1.863v-7.918H6.642V11.42h5.864v2.11c.839-1.489 2.3-2.39 4.252-2.39 2.02 0 3.878.963 4.566 3.01.778-1.862 2.361-3.01 4.566-3.01 2.512 0 4.812 1.522 4.812 4.84v6.402h1.863v3.044h-.005Zm9.036.307c-4.314 0-7.296-2.635-7.296-7.106 0-4.096 2.484-7.481 7.514-7.481s7.481 3.38 7.481 7.29c0 4.472-3.228 7.297-7.699 7.297Zm22.578-.307H51.942l-.403-2.11 7.7-8.846h-4.376l-.621 2.17-2.888-.313.498-4.907h12.294l.313 2.11-7.767 8.852h4.533l.654-2.172 3.167.308-.872 4.908Zm7.99 0h-4.191v-5.03h4.19v5.03Zm0-8.976h-4.191v-5.03h4.19v5.03Zm2.618 8.976 6.054-21.358h3.945l-6.054 21.358h-3.945Zm8.136 0 6.048-21.358h3.945l-6.054 21.358h-3.939Zm21.486.307c-1.863 0-2.887-1.085-3.072-2.792-.805 1.427-2.232 2.792-4.498 2.792-2.02 0-4.314-1.085-4.314-4.006 0-3.447 3.323-4.253 6.518-4.253.778 0 1.584.034 2.3.124v-.465c0-1.427-.034-3.133-2.3-3.133-.84 0-1.488.061-2.143.402l-.453 1.578-3.195-.34.549-3.224c2.45-.996 3.692-1.27 5.992-1.27 3.01 0 5.556 1.55 5.556 4.75v6.083c0 .805.314 1.085.963 1.085.184 0 .375-.034.587-.095l.034 2.11a5.432 5.432 0 0 1-2.524.654Z" fill="currentColor"></path></svg></a><ul class="footer-moz-list"><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Website Privacy Notice</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/#cookies" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Cookies</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/legal/terms/mozilla" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Legal</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/governance/policies/participation/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Community Participation Guidelines</a></li></ul></div><div class="page-footer-legal"><p id="license" class="page-footer-legal-text">Visit<!-- --> <a href="https://www.mozilla.org" target="_blank" rel="noopener noreferrer">Mozilla Corporation’s</a> <!-- -->not-for-profit parent, the<!-- --> <a target="_blank" rel="noopener noreferrer" href="https://foundation.mozilla.org/">Mozilla Foundation</a>.<br/>Portions of this content are ©1998–<!-- -->2024<!-- --> by individual mozilla.org contributors. Content available under<!-- --> <a href="/en-US/docs/MDN/Writing_guidelines/Attrib_copyright_license">a Creative Commons license</a>.</p></div></div></footer></div><script type="application/json" id="hydration">{"url":"/en-US/docs/Web/API/Web_Authentication_API","doc":{"isMarkdown":true,"isTranslated":false,"isActive":true,"flaws":{},"title":"Web Authentication API","mdn_url":"/en-US/docs/Web/API/Web_Authentication_API","locale":"en-US","native":"English (US)","browserCompat":["api.PublicKeyCredential"],"baseline":{"baseline":"high","baseline_high_date":"2024-03-07","baseline_low_date":"2021-09-07","support":{"chrome":"67","chrome_android":"70","edge":"18","firefox":"60","firefox_android":"92","safari":"13","safari_ios":"13"}},"sidebarHTML":"<ol><li class=\"section\"><em><a href=\"/en-US/docs/Web/API/Web_Authentication_API\" aria-current=\"page\">Web Authentication API</a></em></li><li class=\"toggle\"><details open=\"\"><summary>Guides</summary><ol><li><a href=\"/en-US/docs/Web/API/Web_Authentication_API/Attestation_and_Assertion\">Attestation and Assertion</a></li><li><a href=\"/en-US/docs/Web/API/Web_Authentication_API/Authenticator_data\">Authenticator data</a></li><li><a href=\"/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions\">Web Authentication extensions</a></li></ol></details></li><li class=\"toggle\"><details open=\"\"><summary>Interfaces</summary><ol><li><a href=\"/en-US/docs/Web/API/PublicKeyCredential\"><code>PublicKeyCredential</code></a></li><li><a href=\"/en-US/docs/Web/API/PublicKeyCredentialCreationOptions\"><code>PublicKeyCredentialCreationOptions</code></a></li><li><a href=\"/en-US/docs/Web/API/PublicKeyCredentialRequestOptions\"><code>PublicKeyCredentialRequestOptions</code></a></li><li><a href=\"/en-US/docs/Web/API/AuthenticatorResponse\"><code>AuthenticatorResponse</code></a></li><li><a href=\"/en-US/docs/Web/API/AuthenticatorAttestationResponse\"><code>AuthenticatorAttestationResponse</code></a></li><li><a href=\"/en-US/docs/Web/API/AuthenticatorAssertionResponse\"><code>AuthenticatorAssertionResponse</code></a></li></ol></details></li><li class=\"toggle\"><details open=\"\"><summary>Methods</summary><ol><li><a href=\"/en-US/docs/Web/API/CredentialsContainer/create\"><code>CredentialsContainer.create()</code></a></li><li><a href=\"/en-US/docs/Web/API/CredentialsContainer/get\"><code>CredentialsContainer.get()</code></a></li></ol></details></li></ol>","sidebarMacro":"DefaultAPISidebar","body":[{"type":"prose","value":{"id":null,"title":null,"isH3":false,"content":"<div class=\"notecard secure\"><p><strong>Secure context:</strong> This feature is available only in <a href=\"/en-US/docs/Web/Security/Secure_Contexts\">secure contexts</a> (HTTPS), in some or all <a href=\"#browser_compatibility\">supporting browsers</a>.</p></div>\n<p>The Web Authentication API (WebAuthn) is an extension of the <a href=\"/en-US/docs/Web/API/Credential_Management_API\">Credential Management API</a> that enables strong authentication with public key cryptography, enabling passwordless authentication and secure multi-factor authentication (MFA) without SMS texts.</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> <a href=\"https://passkeys.dev/\" class=\"external\" target=\"_blank\">Passkeys</a> are a significant use case for web authentication; see <a href=\"https://web.dev/articles/passkey-registration\" class=\"external\" target=\"_blank\">Create a passkey for passwordless logins</a> and <a href=\"https://web.dev/articles/passkey-form-autofill\" class=\"external\" target=\"_blank\">Sign in with a passkey through form autofill</a> for implementation details. See also <a href=\"https://developers.google.com/identity/passkeys\" class=\"external\" target=\"_blank\">Google Identity &gt; Passwordless login with passkeys</a>.</p>\n</div>"}},{"type":"prose","value":{"id":"webauthn_concepts_and_usage","title":"WebAuthn concepts and usage","isH3":false,"content":"<p>WebAuthn uses <a href=\"https://en.wikipedia.org/wiki/Public-key_cryptography\" class=\"external\" target=\"_blank\">asymmetric (public-key) cryptography</a> instead of passwords or SMS texts for registering, authenticating, and <a href=\"https://en.wikipedia.org/wiki/Multi-factor_authentication\" class=\"external\" target=\"_blank\">multi-factor authentication</a> with websites. This has some benefits:</p>\n<ul>\n <li><strong>Protection against phishing:</strong> An attacker who creates a fake login website can't login as the user because the signature changes with the <a href=\"/en-US/docs/Glossary/Origin\">origin</a> of the website.</li>\n <li><strong>Reduced impact of data breaches:</strong> Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, it can't authenticate because it needs the private key.</li>\n <li><strong>Invulnerable to password attacks:</strong> Some users might reuse passwords, and an attacker may obtain the user's password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a digital signature.</li>\n</ul>\n<p>Many websites already have pages that allow users to register new accounts or sign into an existing account, and WebAuthn acts as a replacement or enhancement for the authentication part of the system. It extends the <a href=\"/en-US/docs/Web/API/Credential_Management_API\">Credential Management API</a>, abstracting communication between the user agent and an authenticator and providing the following new functionality:</p>\n<ul>\n <li>When <a href=\"/en-US/docs/Web/API/CredentialsContainer/create\" title=\"navigator.credentials.create()\"><code>navigator.credentials.create()</code></a> is used with the <code>publicKey</code> option, the user agent creates new credentials via an authenticator — either for registering a new account or for associating a new asymmetric key pair with an existing account.\n <ul>\n <li>When registering a new account, these credentials are stored on a server (also referred to as a service or a <a href=\"https://en.wikipedia.org/wiki/Relying_party\" class=\"external\" target=\"_blank\">relying party</a>) and can be subsequently used to log a user in.</li>\n <li>The asymmetric key pair is stored in the authenticator, which can then be used to authenticate a user with a relying party for example during MFA. The authenticator may be embedded into the user agent, into an operating system, such as Windows Hello, or it may be a physical token, such as a USB or Bluetooth Security Key.</li>\n </ul>\n </li>\n <li>When <a href=\"/en-US/docs/Web/API/CredentialsContainer/get\" title=\"navigator.credentials.get()\"><code>navigator.credentials.get()</code></a> is used with the <code>publicKey</code> option, the user agent uses an existing set of credentials to authenticate to a relying party (either as the primary login or to provide an additional factor during MFA as described above).</li>\n</ul>\n<p>In their most basic forms, both <code>create()</code> and <code>get()</code> receive a very large random number called the \"challenge\" from the server and return the challenge signed by the private key back to the server. This proves to the server that a user has the private key required for authentication without revealing any secrets over the network.</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> The \"challenge\" must be a buffer of random information at least 16 bytes in size.</p>\n</div>"}},{"type":"prose","value":{"id":"creating_a_key_pair_and_registering_a_user","title":"Creating a key pair and registering a user","isH3":true,"content":"<p>To illustrate how the credential creation process works, let's describe the typical flow that occurs when a user wants to register a credential to a relying party:</p>\n<ol>\n <li>\n <p>The relying party server sends user and relying party information to the web app handling the registration process, along with the \"challenge\", using an appropriate secure mechanism (for example <a href=\"/en-US/docs/Web/API/Fetch_API\">Fetch</a> or <a href=\"/en-US/docs/Web/API/XMLHttpRequest\">XMLHttpRequest</a>).</p>\n <div class=\"notecard note\">\n <p>\n <strong>Note:</strong> The format for sharing information between the relying party server and the web app is up to the application.\n A recommended approach is to exchange <a href=\"/en-US/docs/Glossary/JSON_type_representation\">JSON type representation</a> objects for credentials and credential options.\n Convenience methods have been created in <code>PublicKeyCredential</code> for converting from the JSON representations to the form required by the authentication APIs: <a href=\"/en-US/docs/Web/API/PublicKeyCredential/parseCreationOptionsFromJSON_static\" title=\"parseCreationOptionsFromJSON()\"><code>parseCreationOptionsFromJSON()</code></a>, <a href=\"/en-US/docs/Web/API/PublicKeyCredential/parseRequestOptionsFromJSON_static\" title=\"parseRequestOptionsFromJSON()\"><code>parseRequestOptionsFromJSON()</code></a> and <a href=\"/en-US/docs/Web/API/PublicKeyCredential/toJSON\"><code>PublicKeyCredential.toJSON()</code></a>.\n </p>\n </div>\n </li>\n <li>\n <p>The web app initiates generation of a new credential via the authenticator, on behalf of the relying party, via a <a href=\"/en-US/docs/Web/API/CredentialsContainer/create\" title=\"navigator.credentials.create()\"><code>navigator.credentials.create()</code></a> call. This call is passed a <code>publicKey</code> option specifying device capabilities, e.g., whether the device provides its own user authentication (for example with biometrics).</p>\n <p>A typical <code>create()</code> call might look like so:</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js</span></div><pre class=\"brush: js notranslate\"><code>let credential = await navigator.credentials.create({\n publicKey: {\n challenge: new Uint8Array([117, 61, 252, 231, 191, 241, ...]),\n rp: { id: \"acme.com\", name: \"ACME Corporation\" },\n user: {\n id: new Uint8Array([79, 252, 83, 72, 214, 7, 89, 26]),\n name: \"jamiedoe\",\n displayName: \"Jamie Doe\"\n },\n pubKeyCredParams: [ {type: \"public-key\", alg: -7} ]\n }\n});\n</code></pre></div>\n <p>The parameters of the <code>create()</code> call are passed to the authenticator, along with a SHA-256 hash that is signed to ensure that it isn't tampered with.</p>\n </li>\n <li>\n <p>After the authenticator obtains user consent, it generates a key pair and returns the public key and optional signed attestation to the web app. This is provided when the <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise\"><code>Promise</code></a> returned by the <code>create()</code> call fulfills, in the form of a <a href=\"/en-US/docs/Web/API/PublicKeyCredential\"><code>PublicKeyCredential</code></a> object instance (the <a href=\"/en-US/docs/Web/API/PublicKeyCredential/response\"><code>PublicKeyCredential.response</code></a> property contains the attestation information).</p>\n </li>\n <li>\n <p>The web app forwards the <a href=\"/en-US/docs/Web/API/PublicKeyCredential\"><code>PublicKeyCredential</code></a> to the server, again using an appropriate mechanism.</p>\n </li>\n <li>\n <p>The server stores the public key, coupled with the user identity, to remember the credential for future authentications. During this process, it performs a series of checks to ensure that the registration was complete and not tampered with. These include:</p>\n <ol>\n <li>Verifying that the challenge is the same as the challenge that was sent.</li>\n <li>Ensuring that the origin was the origin expected.</li>\n <li>Validating that the signature and attestation are using the correct certificate chain for the specific model of the authenticator used to generated the key par in the first place.</li>\n </ol>\n </li>\n</ol>\n<div class=\"notecard warning\">\n <p><strong>Warning:</strong> Attestation provides a way for a relying party to determine the provenance of an authenticator. Relying parties should not attempt to maintain allowlists of authenticators.</p>\n</div>"}},{"type":"prose","value":{"id":"authenticating_a_user","title":"Authenticating a user","isH3":true,"content":"<p>After a user has registered with WebAuthn, they can authenticate (i.e., login) with the service. The authentication flow looks similar to the registration flow, the main differences being that authentication:</p>\n<ol>\n <li>Doesn't require user or relying party information</li>\n <li>Creates an assertion using the previously-generated key pair for the service, rather than the authenticator's key pair.</li>\n</ol>\n<p>A typical authentication flow is as follows:</p>\n<ol>\n <li>\n <p>The relying party generates a \"challenge\" and sends it to the user agent using an appropriate secure mechanism, along with a list of relying party and user credentials. It can also indicate where to look for the credential, e.g., on a local built-in authenticator, or on an external one over USB, BLE, etc.</p>\n </li>\n <li>\n <p>The browser asks the authenticator to sign the challenge via a <a href=\"/en-US/docs/Web/API/CredentialsContainer/get\" title=\"navigator.credentials.get()\"><code>navigator.credentials.get()</code></a> call, which is passed the credentials in a <code>publicKey</code> option.</p>\n <p>A typical <code>get()</code> call might look like so:</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js</span></div><pre class=\"brush: js notranslate\"><code>let credential = await navigator.credentials.get({\n publicKey: {\n challenge: new Uint8Array([139, 66, 181, 87, 7, 203, ...]),\n rpId: \"acme.com\",\n allowCredentials: [{\n type: \"public-key\",\n id: new Uint8Array([64, 66, 25, 78, 168, 226, 174, ...])\n }],\n userVerification: \"required\",\n }\n});\n</code></pre></div>\n <p>The parameters of the <code>get()</code> call are passed to the authenticator to handle the authentication.</p>\n </li>\n <li>\n <p>If the authenticator contains one of the given credentials and is able to successfully sign the challenge, it returns a signed assertion to the web app after receiving user consent. This is provided when the <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise\"><code>Promise</code></a> returned by the <code>get()</code> call fulfills, in the form of a <a href=\"/en-US/docs/Web/API/PublicKeyCredential\"><code>PublicKeyCredential</code></a> object instance (the <a href=\"/en-US/docs/Web/API/PublicKeyCredential/response\"><code>PublicKeyCredential.response</code></a> property contains the assertion information).</p>\n </li>\n <li>\n <p>The web app forwards the signed assertion to the relying party server for the relying party to validate. The validation checks include:</p>\n <ol>\n <li>Using the public key that was stored during the registration request to validate the signature by the authenticator.</li>\n <li>Ensuring that the challenge that was signed by the authenticator matches the challenge that was generated by the server.</li>\n <li>Checking that the Relying Party ID is the one expected for this service.</li>\n </ol>\n </li>\n <li>\n <p>Once verified by the server, the authentication flow is considered successful.</p>\n </li>\n</ol>"}},{"type":"prose","value":{"id":"controlling_access_to_the_api","title":"Controlling access to the API","isH3":false,"content":"<p>The availability of WebAuthn can be controlled using a <a href=\"/en-US/docs/Web/HTTP/Permissions_Policy\">Permissions Policy</a>, specifying two directives in particular:</p>\n<ul>\n <li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create\"><code>publickey-credentials-create</code></a>: Controls the availability of <a href=\"/en-US/docs/Web/API/CredentialsContainer/create\" title=\"navigator.credentials.create()\"><code>navigator.credentials.create()</code></a> with the <code>publicKey</code> option.</li>\n <li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get\"><code>publickey-credentials-get</code></a>: Controls the availability of <a href=\"/en-US/docs/Web/API/CredentialsContainer/get\" title=\"navigator.credentials.get()\"><code>navigator.credentials.get()</code></a> with the <code>publicKey</code> option.</li>\n</ul>\n<p>\n Both directives have a default allowlist value of <code>\"self\"</code>, meaning that by default these methods can be used in top-level document contexts.\n In addition, <code>get()</code> can be used in nested browsing contexts loaded from the same origin as the top-most document.\n <code>get()</code> and <code>create()</code> can be used in nested browsing contexts loaded from the different origins to the top-most document (i.e. in cross-origin <code>&lt;iframes&gt;</code>), if allowed by the <a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get\"><code>publickey-credentials-get</code></a> and <a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create\"><code>publickey-credentials-create</code></a> <code>Permission-Policy</code> directives, respectively.\n For cross-origin <code>create()</code> calls, where the permission was granted by <a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy#iframes\"><code>allow=</code> on an iframe</a>, the frame must also have <a href=\"/en-US/docs/Glossary/Transient_activation\">Transient activation</a>.\n</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> Where a policy forbids use of these methods, the <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise\">promises</a> returned by them will reject with a <code>NotAllowedError</code> <a href=\"/en-US/docs/Web/API/DOMException\"><code>DOMException</code></a>.</p>\n</div>"}},{"type":"prose","value":{"id":"basic_access_control","title":"Basic access control","isH3":true,"content":"<p>If you wish to allow access to a specific subdomain only, you could provide it like this:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Permissions-Policy: publickey-credentials-get=(\"https://subdomain.example.com\")\nPermissions-Policy: publickey-credentials-create=(\"https://subdomain.example.com\")\n</code></pre></div>"}},{"type":"prose","value":{"id":"allowing_embedded_create_and_get_calls_in_an_iframe","title":"Allowing embedded <code>create</code> and <code>get()</code> calls in an <code>&lt;iframe&gt;</code>","isH3":true,"content":"<p>If you wish to authenticate with <code>get()</code> or <code>create()</code> in an <code>&lt;iframe&gt;</code>, there are a couple of steps to follow:</p>\n<ol>\n <li>\n <p>The site embedding the relying party site must provide permission via an <code>allow</code> attribute:</p>\n <ul>\n <li>\n <p>If using <code>get()</code>:</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">html</span></div><pre class=\"brush: html notranslate\"><code>&lt;iframe\n src=\"https://auth.provider.com\"\n allow=\"publickey-credentials-get *\"&gt;\n&lt;/iframe&gt;\n</code></pre></div>\n </li>\n <li>\n <p>If using <code>create()</code>:</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">html</span></div><pre class=\"brush: html notranslate\"><code>&lt;iframe\n src=\"https://auth.provider.com\"\n allow=\"publickey-credentials-create 'self' https://a.auth.provider.com https://b.auth.provider.com\"&gt;\n&lt;/iframe&gt;\n</code></pre></div>\n <p>The <code>&lt;iframe&gt;</code> must also have <a href=\"/en-US/docs/Glossary/Transient_activation\">Transient activation</a> if <code>create()</code> is called cross-origin.</p>\n </li>\n </ul>\n </li>\n <li>\n <p>The relying party site must provide permission for the above access via a <code>Permissions-Policy</code> header:</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Permissions-Policy: publickey-credentials-get=*\nPermissions-Policy: publickey-credentials-create=*\n</code></pre></div>\n <p>Or to allow only a specific URL to embed the relying party site in an <code>&lt;iframe&gt;</code>:</p>\n <div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Permissions-Policy: publickey-credentials-get=(\"https://subdomain.example.com\")\nPermissions-Policy: publickey-credentials-create=(\"https://*.auth.provider.com\")\n</code></pre></div>\n </li>\n</ol>"}},{"type":"prose","value":{"id":"interfaces","title":"Interfaces","isH3":false,"content":"<dl>\n <dt id=\"authenticatorassertionresponse\"><a href=\"/en-US/docs/Web/API/AuthenticatorAssertionResponse\"><code>AuthenticatorAssertionResponse</code></a></dt>\n <dd>\n <p>Provides proof to a service that an authenticator has the necessary key pair to successfully handle an authentication request initiated by a <a href=\"/en-US/docs/Web/API/CredentialsContainer/get\"><code>CredentialsContainer.get()</code></a> call. Available in the <a href=\"/en-US/docs/Web/API/PublicKeyCredential/response\" title=\"response\"><code>response</code></a> property of the <a href=\"/en-US/docs/Web/API/PublicKeyCredential\"><code>PublicKeyCredential</code></a> instance obtained when the <code>get()</code> <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise\"><code>Promise</code></a> fulfills.</p>\n </dd>\n <dt id=\"authenticatorattestationresponse\"><a href=\"/en-US/docs/Web/API/AuthenticatorAttestationResponse\"><code>AuthenticatorAttestationResponse</code></a></dt>\n <dd>\n <p>The result of a WebAuthn credential registration (i.e., a <a href=\"/en-US/docs/Web/API/CredentialsContainer/create\"><code>CredentialsContainer.create()</code></a> call). It contains information about the credential that the server needs to perform WebAuthn assertions, such as its credential ID and public key. Available in the <a href=\"/en-US/docs/Web/API/PublicKeyCredential/response\" title=\"response\"><code>response</code></a> property of the <a href=\"/en-US/docs/Web/API/PublicKeyCredential\"><code>PublicKeyCredential</code></a> instance obtained when the <code>create()</code> <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise\"><code>Promise</code></a> fulfills.</p>\n </dd>\n <dt id=\"authenticatorresponse\"><a href=\"/en-US/docs/Web/API/AuthenticatorResponse\"><code>AuthenticatorResponse</code></a></dt>\n <dd>\n <p>The base interface for <a href=\"/en-US/docs/Web/API/AuthenticatorAttestationResponse\"><code>AuthenticatorAttestationResponse</code></a> and <a href=\"/en-US/docs/Web/API/AuthenticatorAssertionResponse\"><code>AuthenticatorAssertionResponse</code></a>.</p>\n </dd>\n <dt id=\"publickeycredential\"><a href=\"/en-US/docs/Web/API/PublicKeyCredential\"><code>PublicKeyCredential</code></a></dt>\n <dd>\n <p>Provides information about a public key / private key pair, which is a credential for logging in to a service using an un-phishable and data-breach resistant asymmetric key pair instead of a password. Obtained when the <a href=\"/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise\"><code>Promise</code></a> returned via a <a href=\"/en-US/docs/Web/API/CredentialsContainer/create\" title=\"create()\"><code>create()</code></a> or <a href=\"/en-US/docs/Web/API/CredentialsContainer/get\" title=\"get()\"><code>get()</code></a> call fulfills.</p>\n </dd>\n</dl>"}},{"type":"prose","value":{"id":"extensions_to_other_interfaces","title":"Extensions to other interfaces","isH3":false,"content":"<dl>\n <dt id=\"credentialscontainer.create\"><a href=\"/en-US/docs/Web/API/CredentialsContainer/create\"><code>CredentialsContainer.create()</code></a>, the <code>publicKey</code> option</dt>\n <dd>\n <p>Calling <code>create()</code> with a <code>publicKey</code> option initiates the creation of new asymmetric key credentials via an authenticator, as explained above.</p>\n </dd>\n <dt id=\"credentialscontainer.get\"><a href=\"/en-US/docs/Web/API/CredentialsContainer/get\"><code>CredentialsContainer.get()</code></a>, the <code>publicKey</code> option</dt>\n <dd>\n <p>Calling <code>get()</code> with a <code>publicKey</code> option instructs the user agent uses an existing set of credentials to authenticate to a relying party.</p>\n </dd>\n</dl>"}},{"type":"prose","value":{"id":"examples","title":"Examples","isH3":false,"content":""}},{"type":"prose","value":{"id":"demo_sites","title":"Demo sites","isH3":true,"content":"<ul>\n <li><a href=\"https://webauthn.bin.coffee/\" class=\"external\" target=\"_blank\">Mozilla Demo</a> website and its <a href=\"https://github.com/jcjones/webauthn.bin.coffee\" class=\"external\" target=\"_blank\">source code</a>.</li>\n <li><a href=\"https://try-webauthn.appspot.com/\" class=\"external\" target=\"_blank\">Google Demo</a> website and its <a href=\"https://github.com/google/webauthndemo\" class=\"external\" target=\"_blank\">source code</a>.</li>\n <li><a href=\"https://webauthn.io/\" class=\"external\" target=\"_blank\">WebAuthn.io demo</a> website and its <a href=\"https://github.com/duo-labs/webauthn.io\" class=\"external\" target=\"_blank\">source code</a>.</li>\n <li><a href=\"https://github.com/webauthn-open-source\" class=\"external\" target=\"_blank\">github.com/webauthn-open-source</a> and its <a href=\"https://github.com/webauthn-open-source/webauthn-simple-app\" class=\"external\" target=\"_blank\">client source code</a> and <a href=\"https://github.com/webauthn-open-source/fido2-lib\" class=\"external\" target=\"_blank\">server source code</a></li>\n</ul>"}},{"type":"prose","value":{"id":"usage_example","title":"Usage example","isH3":true,"content":"<div class=\"notecard note\">\n <p><strong>Note:</strong> For security reasons, the Web Authentication API calls (<a href=\"/en-US/docs/Web/API/CredentialsContainer/create\" title=\"create()\"><code>create()</code></a> and <a href=\"/en-US/docs/Web/API/CredentialsContainer/get\" title=\"get()\"><code>get()</code></a>) are canceled if the browser window loses focus while the call is pending.</p>\n</div>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js</span></div><pre class=\"brush: js notranslate\"><code>// sample arguments for registration\nconst createCredentialDefaultArgs = {\n publicKey: {\n // Relying Party (a.k.a. - Service):\n rp: {\n name: \"Acme\",\n },\n // User:\n user: {\n id: new Uint8Array(16),\n name: \"carina.p.anand@example.com\",\n displayName: \"Carina P. Anand\",\n },\n pubKeyCredParams: [\n {\n type: \"public-key\",\n alg: -7,\n },\n ],\n attestation: \"direct\",\n timeout: 60000,\n challenge: new Uint8Array([\n // must be a cryptographically random number sent from a server\n 0x8c, 0x0a, 0x26, 0xff, 0x22, 0x91, 0xc1, 0xe9, 0xb9, 0x4e, 0x2e, 0x17,\n 0x1a, 0x98, 0x6a, 0x73, 0x71, 0x9d, 0x43, 0x48, 0xd5, 0xa7, 0x6a, 0x15,\n 0x7e, 0x38, 0x94, 0x52, 0x77, 0x97, 0x0f, 0xef,\n ]).buffer,\n },\n};\n\n// sample arguments for login\nconst getCredentialDefaultArgs = {\n publicKey: {\n timeout: 60000,\n // allowCredentials: [newCredential] // see below\n challenge: new Uint8Array([\n // must be a cryptographically random number sent from a server\n 0x79, 0x50, 0x68, 0x71, 0xda, 0xee, 0xee, 0xb9, 0x94, 0xc3, 0xc2, 0x15,\n 0x67, 0x65, 0x26, 0x22, 0xe3, 0xf3, 0xab, 0x3b, 0x78, 0x2e, 0xd5, 0x6f,\n 0x81, 0x26, 0xe2, 0xa6, 0x01, 0x7d, 0x74, 0x50,\n ]).buffer,\n },\n};\n\n// register / create a new credential\nnavigator.credentials\n .create(createCredentialDefaultArgs)\n .then((cred) =&gt; {\n console.log(\"NEW CREDENTIAL\", cred);\n // normally the credential IDs available for an account would come from a server\n // but we can just copy them from above…\n const idList = [\n {\n id: cred.rawId,\n transports: [\"usb\", \"nfc\", \"ble\"],\n type: \"public-key\",\n },\n ];\n getCredentialDefaultArgs.publicKey.allowCredentials = idList;\n return navigator.credentials.get(getCredentialDefaultArgs);\n })\n .then((assertion) =&gt; {\n console.log(\"ASSERTION\", assertion);\n })\n .catch((err) =&gt; {\n console.log(\"ERROR\", err);\n });\n</code></pre></div>"}},{"type":"specifications","value":{"title":"Specifications","id":"specifications","isH3":false,"specifications":[{"bcdSpecificationURL":"https://w3c.github.io/webauthn/#iface-pkcredential","title":"Web Authentication: An API for accessing Public Key Credentials - Level 3"}],"query":"api.PublicKeyCredential"}},{"type":"browser_compatibility","value":{"title":"Browser compatibility","id":"browser_compatibility","isH3":false,"query":"api.PublicKeyCredential"}}],"toc":[{"text":"WebAuthn concepts and usage","id":"webauthn_concepts_and_usage"},{"text":"Controlling access to the API","id":"controlling_access_to_the_api"},{"text":"Interfaces","id":"interfaces"},{"text":"Extensions to other interfaces","id":"extensions_to_other_interfaces"},{"text":"Examples","id":"examples"},{"text":"Specifications","id":"specifications"},{"text":"Browser compatibility","id":"browser_compatibility"}],"summary":"The Web Authentication API (WebAuthn) is an extension of the Credential Management API that enables strong authentication with public key cryptography, enabling passwordless authentication and secure multi-factor authentication (MFA) without SMS texts.","popularity":0.0276,"modified":"2024-07-26T15:38:03.000Z","other_translations":[{"locale":"de","title":"Web Authentication API","native":"Deutsch"},{"locale":"fr","title":"API Web Authentication","native":"Français"},{"locale":"ja","title":"ウェブ認証 API","native":"日本語"},{"locale":"zh-CN","title":"Web Authentication API","native":"中文 (简体)"}],"pageType":"web-api-overview","source":{"folder":"en-us/web/api/web_authentication_api","github_url":"https://github.com/mdn/content/blob/main/files/en-us/web/api/web_authentication_api/index.md","last_commit_url":"https://github.com/mdn/content/commit/216794e76611c18e53222bb8efa570e898e990de","filename":"index.md"},"short_title":"Web Authentication API","parents":[{"uri":"/en-US/docs/Web","title":"References"},{"uri":"/en-US/docs/Web/API","title":"Web APIs"},{"uri":"/en-US/docs/Web/API/Web_Authentication_API","title":"Web Authentication API"}],"pageTitle":"Web Authentication API - Web APIs | MDN","noIndexing":false}}</script></body></html>