PublicKeyCredentialRequestOptions is an important object in the WebAuthn standard,
used during the login with a credential. They are essential for the
navigator.credential.get() function, providing the necessary data to generate an
authentication assertion.
{ "publicKeyCredentialRequestOptions": { "challenge": "pT7HMA-…dFPHk", "timeout": 500, "rpId": "passkeys.eu", "userVerification": "preferred", "allowCredentials": [], "extensions": [] } }
Continue reading for a full breakdown of the components and workings of PublicKeyCredentialRequestOptions.
As shown in the flowchart for the login process, passing publicKeyCredentialRequestOptions to the Frontend is the first step by the Backend during authentication. A crucial part is the cryptographic challenge that is later signed by the authenticator.
Here's a quick explanation of all attributes, as specified in the WebAuthn specification.
"challenge": "pT7HMA-…dFPHk",
"timeout": 500,
"rpId": "passkeys.eu"
"userVerification": "preferred",
"allowCredentials": [],
"extensions": []
Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →
Table of Contents
Related Articles