PublicKeyCredentialCreationOptions is a central object in the WebAuthn standard: it carries the data a browser needs to create a new credential, including the server-issued challenge that drives the challenge-response mechanism. It is the argument to navigator.credentials.create(), providing the values the authenticator uses to generate an attestation.
```json
{
  "PublicKeyCredentialCreationOptions": {
    "rp": { "id": "passkeys.eu", "name": "Corbado Passkeys Demo" },
    "user": { "displayName": "john.doe", "id": "dXNyLZ….DU10Tc", "name": "john@doe.com" },
    "challenge": "888fix4Bus...pHHr3Y",
    "pubKeyCredParams": [
      { "alg": -7, "type": "public-key" },
      { "alg": -257, "type": "public-key" }
    ],
    "excludeCredentials": [],
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "residentKey": "required",
      "userVerification": "required"
    },
    "attestation": "none",
    "extensions": {}
  }
}
```
Continue reading for a full breakdown of the components and workings of PublicKeyCredentialCreationOptions.
As shown in the flowchart for the registration process, sending PublicKeyCredentialCreationOptions to the frontend is the backend's first step in creating a new credential. The object orchestrates the registration by encoding the required values and the options chosen by the Relying Party.
Here's a quick explanation of all attributes, as specified in the WebAuthn specification:
"rp": { "id": "passkeys.eu", "name": "Corbado Passkeys Demo" }
rp: Identifies the Relying Party (the server that wants to authenticate the user). The ID is usually the server's domain; you can read more about it in this blog.
"user": { "displayName": "john.doe", "id": "dXNyLZ….DU10Tc", "name": "john@doe.com" }
The user attribute contains data about the user account requesting attestation. The ID is a byte sequence chosen by the Relying Party that must not contain personal information; the username or e-mail address is stored in the name or displayName attribute instead.
"challenge": "888fix4Bus...pHHr3Y"
The cryptographic challenge is a randomly generated base64URL encoded BufferSource that needs to be signed by the authenticator.
"pubKeyCredParams": [ { "alg": -7, "type": "public-key" }, { "alg": -257, "type": "public-key" } ]
pubKeyCredParams specifies attributes of the credential to be created, usually the supported algorithm(s).
"excludeCredentials": []
excludeCredentials is an optional list of disallowed credentials to limit the creation of multiple passkeys on one device. Read more about it in this article.
"authenticatorSelection": { "authenticatorAttachment": "platform", "residentKey": "required", "userVerification": "required" }
authenticatorSelection is an optional set of criteria for the authenticator used in the ceremony, e.g. whether a residentKey is required. See this article for more information.
"attestation": "none", "extensions": {}
attestation can be used to request that the attestation object is passed on to the Relying Party in a specific form. Possible values are “none” (default), “indirect”, “direct” and “enterprise”.
extensions contains optional request(s) for additional processing, such as specific return values. e.g.
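To show how the attributes above are consumed on the frontend, here is an added example (not Corbado's code) that turns the backend's JSON into the BufferSource-typed dictionary navigator.credentials.create() expects, checks the fields the Relying Party is responsible for, and packs the resulting attestation response for the trip back. It goes slightly beyond the text by also covering the response serialization. The function names (fromBase64Url, toCreationOptions, serializeAttestation, registerPasskey) and the sample values are assumptions.

```javascript
// Added example, not Corbado's code: frontend handling of PublicKeyCredentialCreationOptions.

// base64url -> bytes (the JSON carries challenge, user.id and credential IDs this way).
function fromBase64Url(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// bytes -> base64url without padding, for sending binary response fields back as JSON.
function toBase64Url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// JSON from the backend -> dictionary for navigator.credentials.create({ publicKey }).
// The checks mirror what the spec requires of the RP, so a misconfigured backend
// fails loudly here instead of producing a weak credential.
function toCreationOptions(json) {
  const challenge = fromBase64Url(json.challenge);
  if (challenge.length < 16) throw new Error('challenge must be at least 16 random bytes');

  const userId = fromBase64Url(json.user.id);
  if (userId.length === 0 || userId.length > 64) throw new Error('user.id must be 1..64 bytes');

  const params = json.pubKeyCredParams;
  if (!Array.isArray(params) || params.length === 0 ||
      params.some((p) => p.type !== 'public-key' || !Number.isInteger(p.alg))) {
    throw new Error('pubKeyCredParams must list {type:"public-key", alg:<COSE id>} entries');
  }

  return {
    ...json,
    challenge,
    user: { ...json.user, id: userId },
    excludeCredentials: (json.excludeCredentials || []).map((c) => ({ ...c, id: fromBase64Url(c.id) })),
  };
}

// PublicKeyCredential (ArrayBuffer fields) -> JSON the backend can verify.
function serializeAttestation(credential) {
  const r = credential.response;
  return {
    id: credential.id,
    rawId: toBase64Url(new Uint8Array(credential.rawId)),
    type: credential.type,
    response: {
      clientDataJSON: toBase64Url(new Uint8Array(r.clientDataJSON)),
      attestationObject: toBase64Url(new Uint8Array(r.attestationObject)),
    },
  };
}

// The browser call itself; guarded so the helpers above stay usable outside a browser.
async function registerPasskey(json) {
  if (typeof navigator === 'undefined' || !navigator.credentials || !navigator.credentials.create) {
    throw new Error('WebAuthn is not available in this environment');
  }
  const credential = await navigator.credentials.create({ publicKey: toCreationOptions(json) });
  return serializeAttestation(credential);
}
```

In a page, `registerPasskey(await (await fetch('/webauthn/register/options')).json())` would return the serialized attestation to POST back; the backend then verifies the challenge inside clientDataJSON against the one it issued before trusting the new public key.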
PublicKeyCredentialCreationOptions are essential for registering credentials, managing challenges, and ensuring secure user-device connections.
They also offer extensive customization options, such as timeout settings and authenticator selection criteria, to meet diverse security needs.
Both PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions are objects sent by the backend that include a challenge, but they differ in their use case: PublicKeyCredentialCreationOptions are used for creating a new credential, while PublicKeyCredentialRequestOptions are used for authenticating with an existing credential.