Introduction to server-side passkey implementation

Overview

When using synchronized passkeys, people authenticate with a passkey provider.

To create and authenticate with passkeys, you will use the WebAuthn API for the web, or the Credential Manager API for Android apps. These APIs handle the communication between the client and the passkey provider.

While these APIs are called from a client such as a web page or Android app, you need to implement the rest of the functionality on the server to complete your authentication use cases.

A passkey implementation consists of two functionalities:

1. Passkey registration. Use the WebAuthn API or the Credential Manager API to let the user create a passkey. Store the associated public key on the server.
2. Authentication with a passkey. Get an authentication challenge from the server and use the WebAuthn API or Credential Manager API to let the user sign this challenge with their passkey. Verify the signature on the server. If the signature is valid, authenticate the user.

Server-side libraries

While it's possible to implement server-side passkeys functionality from scratch, we recommend that you rely on a library instead.

A server that supports passkey creation and authentication is called a FIDO2 server, or FIDO server for short. By extension, we'll refer here to server-side libraries that implement passkey support as FIDO server-side libraries.

Why use a library?

Using a FIDO server-side library has several advantages:

• Time and developer experience. The WebAuthn specification is complex. FIDO server-side libraries can provide simple APIs for implementing passkeys, which can save you time and development resources.
• Maintainability. The WebAuthn specification is still subject to change. Using the latest version of an actively maintained library helps keep your implementation up-to-date.
• Security and compliance. You want your passkey implementation to conform to the WebAuthn specification and its security requirements. FIDO server-side libraries can help you keep your implementation secure and compliant with the specification. Depending on your product and industry, your implementation may also be subject to regulations that require you to use specific security standards for authentication.

If possible, consider financially supporting open source projects your product relies on.

Libraries

• The awesome-webauthn GitHub repository includes a community-curated list of server-side libraries. You'll find libraries for JavaScript and TypeScript, Go, Python, and more.
• A collection of libraries is available on passkeys.dev. It's maintained by the W3C WebAuthn Adoption Community Group.
• FIDO Alliance references a collection of FIDO2 servers.

Next up

• Server-side passkey registration
• Server-side passkey authentication