WebAuthn
Passkey registration, packed attestation verification.
WebAuthn gives your users phishing-resistant passkeys. oauth.work verifies packed attestation statements properly — the authenticator’s claim is checked, not trusted on faith.
Register a passkey
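// Fetch the creation options (challenge, rp, user, ...) from the server as JSON
const optionsJSON = await fetch('/webauthn/register/options', { method: 'POST' }).then((r) => r.json())
// Decode base64url fields (challenge, user.id) into the ArrayBuffers create() requires;
// assumes the endpoint returns the standard WebAuthn JSON encoding
const options = PublicKeyCredential.parseCreationOptionsFromJSON(optionsJSON)
const credential = await navigator.credentials.create({ publicKey: options })
// Send the credential back for attestation verification; JSON.stringify uses credential.toJSON()
await fetch('/webauthn/register', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(credential),
})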
What gets verified
On registration, the packed attestation statement is fully validated:
- The authData flags show user presence and verification.
- The attestation signature is checked against the authenticator’s certificate / public key.
- The rpIdHash matches the tenant origin — a credential minted for another RP is rejected.
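The authData checks in the list above, written out as an added Node.js example (not oauth.work's own code). The names `checkAuthData` and `buildAuthData`, the `tenant.example` RP ID, and the choice to always require user verification are assumptions made for illustration.

```javascript
// Added example, not oauth.work code. All names here are hypothetical.
const crypto = require('node:crypto')

const FLAG_UP = 0x01 // user present
const FLAG_UV = 0x04 // user verified
const FLAG_AT = 0x40 // attested credential data follows the header

// authData header: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
function checkAuthData(authData, expectedRpId, { requireUv = true } = {}) {
  if (!Buffer.isBuffer(authData) || authData.length < 37) {
    return { ok: false, reason: 'authData too short' }
  }
  const rpIdHash = authData.subarray(0, 32)
  const flags = authData[32]
  const signCount = authData.readUInt32BE(33)

  // rpIdHash is SHA-256 over the RP ID the server expects for this tenant
  const expected = crypto.createHash('sha256').update(expectedRpId, 'utf8').digest()
  if (!crypto.timingSafeEqual(rpIdHash, expected)) {
    return { ok: false, reason: 'rpIdHash mismatch' }
  }
  if (!(flags & FLAG_UP)) return { ok: false, reason: 'user not present' }
  if (requireUv && !(flags & FLAG_UV)) return { ok: false, reason: 'user not verified' }
  // Registration must carry attested credential data: AAGUID (16) + credential ID length (2) at least
  if (!(flags & FLAG_AT) || authData.length < 55) {
    return { ok: false, reason: 'no attested credential data' }
  }
  return { ok: true, signCount }
}

// Constructed sample authData; the 18 zero bytes stand in for AAGUID + credential ID length
function buildAuthData(rpId, flags, signCount) {
  const rest = Buffer.alloc(5)
  rest[0] = flags
  rest.writeUInt32BE(signCount, 1)
  const hash = crypto.createHash('sha256').update(rpId, 'utf8').digest()
  const attested = flags & FLAG_AT ? Buffer.alloc(18) : Buffer.alloc(0)
  return Buffer.concat([hash, rest, attested])
}

console.log(checkAuthData(buildAuthData('tenant.example', 0x45, 0), 'tenant.example'))
console.log(checkAuthData(buildAuthData('other.example', 0x45, 0), 'tenant.example'))
```

These checks cover only the authData header; the attestation signature still has to be verified over authData and the client data hash before the credential is stored.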
Authenticate
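const optionsJSON = await fetch('/webauthn/login/options', { method: 'POST' }).then((r) => r.json())
// Decode the base64url challenge and credential IDs into the ArrayBuffers get() requires
const options = PublicKeyCredential.parseRequestOptionsFromJSON(optionsJSON)
const assertion = await navigator.credentials.get({ publicKey: options })
// → verified server-side against the stored credential public key + signature counter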
Passkeys can stand alone or step up an existing OIDC session for sensitive actions.