---
url: 'https://www.corbado.com/glossary/publickeycredentialcreationoptions'
title: 'PublicKeyCredentialCreationOptions'
description: 'Understand PublicKeyCredentialCreationOptions in WebAuthn, a central component for secure and efficient user authentication in passkey-enabled systems.'
lang: 'en'
keywords: 'publickeycredentialcreationoptions'
---

# PublicKeyCredentialCreationOptions

## What are PublicKeyCredentialCreationOptions?

**PublicKeyCredentialCreationOptions** is the object in the WebAuthn standard that carries
the parameters for creating a new credential, including the challenge used in the
challenge-response mechanism. It is passed to the `navigator.credentials.create()` function
and provides the data needed to generate an [attestation](https://www.corbado.com/glossary/attestation).

### Example

```json
{
  "PublicKeyCredentialCreationOptions": {
    "rp": {
      "id": "passkeys.eu",
      "name": "Corbado Passkeys Demo"
    },
    "user": {
      "displayName": "john.doe",
      "id": "dXNyLZ….DU10Tc",
      "name": "john@doe.com"
    },
    "challenge": "888fix4Bus...pHHr3Y",
    "pubKeyCredParams": [
      {
        "alg": -7,
        "type": "public-key"
      },
      {
        "alg": -257,
        "type": "public-key"
      }
    ],
    "excludeCredentials": [],
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "residentKey": "required",
      "userVerification": "required"
    },
    "attestation": "none",
    "extensions": {}
  }
}
```

Continue reading for a full breakdown of the components and workings of
**PublicKeyCredentialCreationOptions**.

## Key Takeaways

> - **PublicKeyCredentialCreationOptions** is an object for creating new credentials in
>   WebAuthn by communicating required parameters to the client.
> - It gets created and passed from the WebAuthn server in the Backend to communicate
>   required parameters for creating a new credential.
> - It provides options for timeout settings, exclusion of certain public key credentials,
>   and specific [authenticator](https://www.corbado.com/glossary/authenticator) selection criteria to cater to
>   diverse security needs.

---

### Relevance in WebAuthn

![The Registration Process in WebAuthn requires the publicKeyCredentialCreationOptions](https://www.corbado.com/website-assets/cs_1_1_registration_flow_e44a658ca7.png)

As shown in the flowchart for the registration process, passing
PublicKeyCredentialCreationOptions to the Frontend is the Backend's first step in
creating a new credential. The object drives the registration of new credentials by encoding
the required values and the options chosen by the [Relying Party](https://www.corbado.com/glossary/relying-party).

### Technical breakdown

Here's a quick explanation of all attributes, as specified in the
[WebAuthn specification](https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions):

#### rp

```json
"rp": {
  "id": "passkeys.eu",
  "name": "Corbado Passkeys Demo"
}
```

**rp** identifies the [Relying Party](https://www.corbado.com/glossary/relying-party) (= the server looking to
authenticate the user). The ID is usually the server domain; you can read more about it in
this blog.

#### user

```json
"user": {
  "displayName": "john.doe",
  "id": "dXNyLZ….DU10Tc",
  "name": "john@doe.com"
}
```

The **user** attribute contains data about the user account requesting
[attestation](https://www.corbado.com/glossary/attestation). The ID is a byte sequence chosen by the
[Relying Party](https://www.corbado.com/glossary/relying-party) and must not contain personal information. The
username or e-mail address is stored in the name or displayName attribute instead.

#### challenge

```json
"challenge": "888fix4Bus...pHHr3Y"
```

The **cryptographic challenge** is a randomly generated base64URL encoded BufferSource
that needs to be signed by the [authenticator](https://www.corbado.com/glossary/authenticator).

#### pubKeyCredParams

```json
"pubKeyCredParams": [
  {
    "alg": -7,
    "type": "public-key"
  },
  {
    "alg": -257,
    "type": "public-key"
  }
]
```

**pubKeyCredParams** specifies attributes of the credential to be created, usually the
supported algorithm(s).

#### excludeCredentials

```json
"excludeCredentials": []
```

**excludeCredentials** is an optional list of disallowed credentials to limit the creation
of multiple passkeys on one device. Read more about it in this article.

#### authenticatorSelection

```json
"authenticatorSelection": {
  "authenticatorAttachment": "platform",
  "residentKey": "required",
  "userVerification": "required"
}
```

**authenticatorSelection** is an optional set of criteria for the
[authenticator](https://www.corbado.com/glossary/authenticator) to be used, e.g. whether a residentKey is
required. See this article for more information.

#### attestation and extensions

```json
"attestation": "none",
"extensions": {}
```

- **attestation** can be used to request that the [attestation](https://www.corbado.com/glossary/attestation)
  object is passed on to the Relying Party in a specific form. Possible values are “none”
  (default), “indirect”, “direct” and “enterprise”.

- **extensions** contains optional request(s) for additional processing, such as specific
  return values, e.g.
    - **credProps** requests information on whether the created credential is discoverable
    - **prf** allows the Relying Party to use outputs from a
      [pseudo-random function](https://www.corbado.com/blog/passkeys-prf-webauthn) (PRF) associated with a
      credential
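
The breakdown above as a round trip, in an added example that is not Corbado's or the specification's code: a server-side builder produces the JSON form, and a client-side decoder turns the base64URL strings back into byte arrays before `navigator.credentials.create()` is called. The helper names (`buildCreationOptions`, `decodeForCreate`) and the `userHandle` and `existingCredentialIds` parameters are assumptions made for illustration.

```javascript
// Added example; helper and parameter names are hypothetical, not from the page.
// Web Crypto is global in browsers and current Node.js; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const toB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

const fromB64url = (text) => {
  const b64 = text.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
};

// Server side. userHandle: random bytes stored with the account, never the e-mail address.
function buildCreationOptions({ rpId, rpName, userHandle, userName, displayName,
                                existingCredentialIds = [] }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: toB64url(userHandle), name: userName, displayName },
    // Fresh 32 random bytes per ceremony; the server keeps them to compare with the response.
    challenge: toB64url(webcrypto.getRandomValues(new Uint8Array(32))),
    pubKeyCredParams: [
      { alg: -7, type: 'public-key' },   // COSE ES256
      { alg: -257, type: 'public-key' }, // COSE RS256
    ],
    // Credentials this account already has, so the same authenticator is not enrolled twice.
    excludeCredentials: existingCredentialIds.map((id) => ({ id, type: 'public-key' })),
    authenticatorSelection: {
      authenticatorAttachment: 'platform',
      residentKey: 'required',
      userVerification: 'required',
    },
    attestation: 'none',
    extensions: { credProps: true },
  };
}

// Client side: the base64URL strings must become BufferSources before the WebAuthn call.
function decodeForCreate(json) {
  return {
    ...json,
    challenge: fromB64url(json.challenge),
    user: { ...json.user, id: fromB64url(json.user.id) },
    excludeCredentials: json.excludeCredentials.map((c) => ({ ...c, id: fromB64url(c.id) })),
  };
}
// In a browser: await navigator.credentials.create({ publicKey: decodeForCreate(optionsJson) });
```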

---

## PublicKeyCredentialCreationOptions FAQs

### What role do PublicKeyCredentialCreationOptions play in WebAuthn?

They are essential for registering credentials, managing challenges, and ensuring secure
user-device connections.

### Can PublicKeyCredentialCreationOptions be customized for different authentication requirements?

Yes, they offer extensive customization options like timeout settings and authenticator
selection criteria to meet diverse security needs.

### What’s the difference between PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions?

Both are objects sent by the backend that include a challenge for authentication, but they
differ in their use case. PublicKeyCredentialCreationOptions are used for creating
new credentials, while
[PublicKeyCredentialRequestOptions](https://www.corbado.com/glossary/publickeycredentialrequestoptions) are used
for the authentication process with an existing credential.
