WebAuthn / Passkey Test Tool - Browser-Side Registration and Authentication Inspector

First Published:
Last Updated:

This tool runs the WebAuthn API in your browser and shows the raw response. It does not verify signatures server-side. RP ID is fixed to the page origin.

  • This tool is provided "AS IS" without any warranties of any kind.
  • The author accepts no responsibility for any security issues arising from credential creation, storage, or use.
  • This tool is for debugging and learning. It does NOT validate attestation statements or assertion signatures.
  • Registered credential IDs are stored in your browser's LocalStorage only. They are never transmitted to any server.
  • By using this tool, you accept full responsibility for any outcomes.

This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Detecting WebAuthn support...
Detecting platform authenticator...
Locked to the current page origin's effective domain. WebAuthn rejects mismatched RP IDs with a SecurityError.
Returned to the relying party as userHandle on subsequent assertions.
A discoverable credential (resident key) lets the authenticator return the credential without an allow-list.
Leave blank to inherit the Registration tab timeout value (default 60000 ms).
Leave all unchecked to omit allowCredentials and let the authenticator pick a discoverable credential (passkey usernameless flow).

Credentials registered through this tool are stored in your browser's LocalStorage under webauthn_passkey_test_credentials. Deleting an entry here only removes the metadata from this device — it does not remove the passkey from your authenticator.


Features

  • Registration Flow: Calls navigator.credentials.create() with configurable RP, user, attachment, user verification, attestation conveyance, resident key, and COSE algorithm parameters (ES256 / RS256 / EdDSA).
  • Authentication Flow: Calls navigator.credentials.get() with optional allowCredentials drawn from previously-registered credentialIds, or empty for the discoverable-credential (usernameless / passkey) flow.
  • attestationObject CBOR Decoder: In-house RFC 8949 subset CBOR decoder extracts fmt, attStmt, and the authData byte string with no external dependency.
  • authenticatorData Parser: Surfaces rpIdHash, all six flag bits (UP / UV / BE / BS / AT / ED), signCount, AAGUID (formatted as a UUID), credentialId, and the embedded COSE_Key public key.
  • COSE_Key Analysis: Decodes kty, alg, crv, and the EC2 (x, y) or RSA (n, e) coordinates to readable hex.
  • Assertion Inspector: Parses clientDataJSON, the assertion authenticatorData, returns signature and userHandle in hex and Base64URL.
  • LocalStorage Credential History: Persists registered credentialId, AAGUID, algorithm, transports, and user metadata locally so that subsequent authentication runs can reference them.
  • Platform Authenticator Detection: Calls PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() on load.
  • Privacy First: No fetch(), no XMLHttpRequest, no telemetry — only the WebAuthn API talks to the OS authenticator. Nothing is uploaded.
  • Works Offline: After the first load the page (and its single JS file) functions without an internet connection.
  • Zero Dependencies: Vanilla JavaScript, including the CBOR decoder and Base64URL helpers.
  • Extensions: Currently this tool exercises the credProps extension only. PRF, largeBlob, and uvm extensions are out of scope for this version — see the WebAuthn spec for full extension semantics.

How to Use

  1. Open the Registration tab. Adjust the RP / user / authenticator parameters, or accept the defaults.
  2. Click "Run navigator.credentials.create()". Your platform's biometric / PIN / security key prompt will appear.
  3. Inspect the result. The summary, decoded clientDataJSON, attestationObject (CBOR), parsed authenticatorData, AAGUID, credentialId, and COSE public key all render below the form.
  4. Switch to the Authentication tab. Tick the credential you just registered (or leave the list empty for a usernameless passkey flow).
  5. Click "Run navigator.credentials.get()". Authenticate with your device, then inspect the assertion's authenticatorData, signature, and userHandle.
  6. Review Saved Credentials. The third tab lists every credential saved in this browser's LocalStorage with full metadata, an Export-as-JSON action, and per-credential delete buttons.

Important Notes

  • The tool requires a modern browser supporting ES2015+ classes and async/await (Chrome 67+, Firefox 60+, Safari 13+, Edge 79+). Older browsers and embedded WebViews may show a JavaScript syntax error before the WebAuthn availability check fires.
  • The tool runs WebAuthn against the page's own origin. Production passkey deployments typically use a different RP ID — do not use this tool to debug another site's passkeys.
  • Browsers require a secure context for WebAuthn: HTTPS or http://localhost. The tool detects insecure contexts and disables the action buttons.
  • This tool does not verify attestation statements (e.g., packed, fido-u2f, tpm, android-key) or assertion signatures. Production relying parties must perform that verification on a trusted server.
  • FIDO Metadata Service (MDS) lookup of AAGUIDs is intentionally out of scope — only the raw AAGUID UUID is shown.
  • The signCount shown in the parsed authenticatorData is informational. Some authenticators (notably most Apple platform authenticators) always return zero.
  • Registering a "discoverable credential" (resident key) consumes a slot on roaming security keys; check your authenticator's capacity before bulk-testing.
  • Deleting a credential from this tool removes only the LocalStorage entry. Use your operating system / browser settings (or the authenticator vendor's manager) to delete the actual passkey.
  • If the same authenticator is asked to register a credential it has already issued for this RP / user, the WebAuthn spec returns InvalidStateError — this is the expected behavior, not a bug.

References:
Tech Blog with curated related content
Web Tools Collection

Written by Hidekazu Konishi