WebAuthn Passkey Tester (Register + Verify)

Test the WebAuthn / passkey API locally. Click Register to invoke the browser's credential creation flow (Touch ID, Windows Hello, security key, etc.); the tool shows the attestation object, client data JSON, and credential ID it returns. Click Authenticate to verify the credential is valid. Useful when prototyping a passwordless auth flow.

All credentials stored in your browser only. This tool does not communicate with any server; in a real WebAuthn flow, the server validates the attestation and stores the credential public key.

How to use the WebAuthn Passkey Tester (Register + Verify)

Click Register passkey. Your browser prompts to create a new credential (Touch ID, Face ID, Windows Hello, USB security key, etc.). The tool stores the credential ID in localStorage and shows you the attestation object. Click Authenticate to invoke the assertion flow with that credential — you'll see the signature, authenticator data, and client data JSON. Useful for prototyping or learning the WebAuthn API.

Testing passkeys and the WebAuthn API

WebAuthn is the browser API behind passkeys and hardware security keys. Instead of a password, the user's device holds a private key and the website stores only the matching public key. Registration (the create ceremony) makes a new keypair and returns an attestation describing the authenticator; authentication (the get ceremony) signs a server challenge with that private key, proving possession without anything secret crossing the network. The private key never leaves the authenticator — your Touch ID sensor, Windows Hello, or USB key.

This tester drives both ceremonies locally so you can watch what the API returns: the attestation object and client data JSON from registration, and the signature and authenticator data from authentication. It stores the credential only in your browser and talks to no server, which makes it a hands-on way to learn the flow or sanity-check that passkeys work on your device before you build the server side.

Common use cases

  • Learning WebAuthn — trigger the real registration and assertion ceremonies and inspect what each returns.
  • Device checks — confirm Touch ID, Windows Hello, or a security key works as a passkey in your browser.
  • Prototyping — explore the API shape before committing to a server-side implementation.
  • Debugging — examine the attestation object and client data when a passkey integration misbehaves.
  • Demonstrating passwordless auth — show colleagues how a passkey registers and signs in without a password.

Frequently asked questions

Where is the passkey private key stored?

On the authenticator — your phone or laptop's secure hardware, or a USB security key. It never leaves the device; only the public key and signatures are ever shared, which is what makes passkeys phishing-resistant.

Does this tool send anything to a server?

No. Everything runs in your browser and the credential ID is kept in local storage. In a real deployment a server would generate the challenge, verify the attestation, and store the public key.

What is the difference between registration and authentication?

Registration creates a new credential and returns an attestation the server records. Authentication uses an existing credential to sign a fresh challenge, proving the user still holds the private key. The tester does both, in that order.

What is the attestation object?

It is the registration result describing the new credential — the public key, a credential ID, and optionally a statement about the authenticator's make and model that a server can check against a policy.
Embed this tool on your site

Free to embed, no attribution required (but appreciated). Paste this where you want the tool to appear: