WebAuthn Credential Exchange Protocol (CXP) & Format (CXF)

Passkeys are quickly becoming the gold standard in online authentication - offering a secure, phishing-resistant alternative to traditional passwords. Backed by the FIDO Alliance, passkeys are built on the WebAuthn and FIDO2 standards and use public-key cryptography to eliminate the risks of credential theft.

But as adoption accelerates, a key challenge has emerged: How do you import or export passkeys between different providers - say, from Bitwarden to 1Password or from Apple iCloud Keychain to Google Password Manager?

Unlike passwords, passkeys do not have a format that can be easily exported or imported. This lack of interoperability creates friction for users and increases the risk of vendor lock-in.

That’s where two emerging standards come in:

• The Credential Exchange Protocol (CXP): a secure mechanism to transfer passkeys between providers.

• The Credential Exchange Format (CXF): a standardized data format for packaging credentials like passkeys, credit card details or TOTP codes.

Together, CXP and CXF are designed to make passkey portability not only possible but secure, flexible and user-friendly. In this blog post, we’ll answer the following questions:

1. What’s is the Credential Exchange Protocol (CXP) and how does it work?

2. What’s is the Credential Exchange Format (CXF) and how does it look like?

3. What’s the current state of development of Credential Exchange Protol and Credential Exchange Format?

As more users and organizations adopt passkeys, one critical challenge remains: moving credentials between platforms. Unlike passwords, which can be exported as simple text or CSV files (insecure as that may be), passkeys rely on cryptographic key pairs. That makes import / export far more complex and far more sensitive.

Here’s what’s currently broken in passkey migration:

• No Standard Format: Unlike CSVs for passwords, passkeys don’t have a universal representation. Every provider stores them differently.

• Insecure Transfers: In some rare attempts to support migrations, credentials have been exported in unencrypted formats, creating serious security risks (see this GitHub discussion).

• Migration Failures: Without a consistent structure, migrating passkeys between providers could fail causing loss of credentials or forcing users to re-create passkeys.

• Blocked by Policy: Enterprise environments could disable credential export entirely, fearing insecure transfers or compatibility issues.

• Vendor Lock-In: Without reliable ways to export passkeys, users become locked into their current provider - something that undermines user freedom and competition.

This problem isn’t hypothetical, it’s happening now. As people use multiple devices, browsers and apps to manage passkeys, the need to import passkeys from one ecosystem and export passkeys to another becomes urgent.

That’s why major players like 1Password, Dashlane, Bitwarden and NordPass teamed up in early 2023 to prototype a solution. The result: a collaborative effort to define open standards for secure credential exchange - Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF).

To address the challenges of passkey migration, two complementary standards have emerged: the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF). Backed by industry leaders including Apple, Google, Microsoft and 1Password, these draft specifications aim to make importing and exporting passkeys secure, standardized and interoperable.

The Credential Exchange Protocol defines a secure method for transferring credentials between two credential / passkey providers - such as from Bitwarden to iCloud Keychain. In the specification, these parties are referred to as the Sender (exporting credentials), the Recipient (importing credentials) and the Exchange Initiator (typically the Recipient).

CXP specifies four message types to orchestrate the exchange: ExchangeRequest, ExchangeResponse, CredentialExport, and Acknowledgement. These messages are cryptographically protected using JSON Web Signature (JWS) and JSON Web Encryption (JWE) to ensure confidentiality and authenticity.

How it works:

1. Exchange Request: The Recipient starts the process by creating an ExchangeRequest message, which includes:

   • A cryptographic challenge

   • Supported encryption methods

   • A public key for key agreement (X25519)

2. Exchange Response: Upon user approval, the Sender replies with an ExchangeResponse that contains:

   • A signed challenge (JWS)

   • Its own ephemeral X25519 public key

   • A description of what it will export

3. Credential Export: If approved, the Sender sends a CredentialExport message containing:

   • The CXF-encrypted credentials (JWE)

   • Metadata and encryption details

4. Acknowledgement: The Recipient optionally returns an Acknowledgement after successful import.

All messages are signed using JWS and encrypted with JWE. The final credential decryption key is derived using a Diffie-Hellman key exchange (X25519) and AES-GCM (256-bit) encryption.

The protocol is designed to be transport-agnostic: payloads can be transferred over HTTPS, QR codes, or even via USB drives for air-gapped systems—making CXP suitable for both consumer and enterprise environments.

The Credential Exchange Format (CXF) defines how the credentials themselves are packaged for transfer.

Format overview:

• Encrypted Payloads: Each credential - such as a passkey, TOTP code, credit card or identity document - is individually encrypted using JWE (JSON Web Encryption) and stored in a structured archive.

• ZIP Container: These encrypted credentials are bundled into a zip archive for transmission.

• ZIP Structure: The CXF archive includes a /credentials/ folder with individual .jwe files and a mandatory manifest.json file that describes:

  • Credential types

  • Creation timestamps

  • Encryption algorithms

  • Optional metadata (e.g., display names)

• Metadata Included: Details like credential type, creation date and algorithm type are part of the format to ensure compatibility on the receiving side.

By standardizing the structure, CXF eliminates issues like format mismatches or partial data loss during migrations.

CXF is also extensible by design, allowing new credential types to be added in future versions without breaking backward compatibility - making it future-proof for use cases beyond passkeys.

This system enables vendor-neutral passkey migration, whether the exchange happens over the internet or via a physical medium like a USB drive.

As of 2025, both the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF) are still in draft specification status. However, the core concepts are stable and the momentum behind them is unmistakable.

The development of CXP and CXF is being coordinated through the FIDO Alliance, with active contributions from:

• Apple

• Google

• Microsoft

• 1Password

• Bitwarden

• Dashlane

• NordPass

• Samsung

• SK Telecom

These companies are publicly signaling that passkey portability is a strategic priority. In fact, several password managers have already built internal prototypes based on early drafts of the protocol.

FIDO has published the draft specs on GitHub and is actively requesting feedback from developers and security professionals. The goal: ensure that the protocol works across different ecosystems, platforms and use cases - before finalizing it as an official standard. The drafts include detailed protocol messages, encryption methods and a manifest file structure to guide secure implementation.

To support early experimentation and implementation planning, the passkey ecosystem now includes:

• Passkeys Debugger: A platform that helps to debug WebAuthn requests in an understandable way.

• Passkey Community: A community of software developers and product managers discussing passkey-related questions.

• Passkey Subreddit: Dedicated subreddit to discuss news around passkeys and WebAuthn including about on CXP and CXF.

• passkeys.eu: Testing tools for developers to validate WebAuthn flows and passkey behavior

• CXP GitHub Draft: Full protocol message structure and cryptographic flow

• CXF GitHub Draft: ZIP file layout and credential packaging format

Although not yet production-ready, CXP and CXF are clearly on track to become the final missing piece in the passkey puzzle - enabling secure, seamless import/export for users and organizations alike.

The Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) were born out of a need to make passkey import and export secure and seamless. But their potential doesn’t stop there.

These standards establish a blueprint for transferring any sensitive credential between providers - securely, reliably and across platforms. That opens the door to broader use cases in identity, authentication and even government-issued credentials.

One of the biggest concerns with current passkey adoption is vendor lock-in. Without a way to move credentials securely, users are often tied to their original provider - even if their needs change.

With CXP and CXF, we move toward a truly interoperable passkey ecosystem, where users and enterprises can:

• Migrate passkeys freely between providers

• Avoid duplicate credential creation

• Simplify device and platform transitions

This directly supports consumer choice, promotes competition and strengthens trust in the passkey model.

As Christiaan Brand, Identity and Security Group Product Manager at Google, put it:

“In the future, this could apply to mobile driver's licenses, passports—any secrets that you want to export somewhere and import into another system.”

Imagine securely transferring:

• Passkeys (public-key-credential)

• TOTP secrets (totp)

• Payment details (credit-card)

• Government IDs (identity-document)

all through the same, standardized exchange mechanism. That’s the future CXP and CXF are helping shape.

With encrypted, verifiable credential exchange becoming the norm, organizations will finally be able to retire insecure CSV exports, avoid error-prone manual processes and enforce encryption-first policies for all credential handling.

Whether in the consumer space, enterprise IT or public sector identity systems, this shift raises the default security bar - without compromising on usability.

The Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) represent a critical evolution in the passkey ecosystem. By addressing long-standing gaps in credential migration, they offer a secure, standardized framework for importing and exporting passkeys across different platforms and providers.

With broad support from industry leaders and growing momentum in the FIDO community, these specifications are poised to remove one of the last major barriers to passkey adoption: portability.

For developers and organizations building passkey-based systems today, staying ahead of CXP and CXF is not just about future-proofing - it’s about enabling better user experiences, tighter security, and greater flexibility.

At Corbado, we’re following these developments closely and helping enterprises implement passkeys at scale - without vendor lock-in, user migration headaches or security compromises. As the ecosystem matures, we’ll be among the first to support CXP/CXF-based flows to make secure credential exchange a reality.

Passkeys are here. CXP and CXF will help them go everywhere.