Passkey Demo & WebAuthn Tester

Create a real passkey with the WebAuthn API, inspect the decoded credential, and sign in to watch every verification step a server would run. Everything happens locally in your browser with WebCrypto. No account needed, and nothing leaves your device.


Your data security is our top priority. Passkey creation, credential inspection, and signature verification all happen entirely in your browser using the WebAuthn and WebCrypto APIs. There is no backend, and this tool does not transmit or store anything outside of your device. The source code is at https://github.com/oursky/authgear-web

How the Passkey Demo Works

Step 1. Choose Creation Options: Pick authenticator attachment, user verification, resident key, attestation, and algorithms. The PublicKeyCredentialCreationOptions JSON updates live as you change them.
Step 2. Create a Passkey: The browser calls navigator.credentials.create() and your device prompts for Face ID, Touch ID, Windows Hello, or a security key.
Step 3. Inspect the Credential: The tool decodes clientDataJSON and CBOR-decodes the attestation object: flags, sign count, AAGUID (the authenticator model), credential ID, and the public key as JWK and PEM.
Step 4. Sign In With It: navigator.credentials.get() produces an assertion, either from your stored credential list or via the discoverable-credential flow with an empty allow-list.
Step 5. Verify Like a Server: Every check a real server runs gets a pass/fail badge with an explanation: ceremony type, challenge, origin, RP ID hash, flags, and the WebCrypto signature verification.

Ready to add passkeys to your own app? Read the developer guide to implementing passkeys

Supported Platforms

Passkeys work across every major platform and sync within each ecosystem. This demo runs in any browser with WebAuthn support.

Apple: iOS 16+ and macOS 13+. Face ID or Touch ID, synced via iCloud Keychain.
Android & Chrome: Android 9+. Fingerprint or screen lock, synced via Google Password Manager.
Windows: Windows 10 and 11. Windows Hello face, fingerprint, or PIN.
Password Managers: 1Password, Bitwarden, Dashlane, Proton Pass and others store and sync passkeys cross-platform.
Security Keys: YubiKey and other FIDO2 hardware keys work via the cross-platform (USB/NFC) transport.

What is WebAuthn?

WebAuthn (Web Authentication) is the W3C standard browser API behind passkeys. Instead of a shared password, your device creates a public/private key pair per site: the private key never leaves your authenticator, and the site stores only the public key. Sign-in is a challenge-response signature. Passkeys resist phishing because the browser binds every credential to the exact origin that created it. See our developer guide to implementing passkeys.

Is it safe to create a passkey here?

Yes. The passkey this page creates is real, but it is scoped to this site only and useful for nothing but this demo. The private key stays in your device’s authenticator; the public key and credential metadata are kept only in your browser’s localStorage. There is no server, so nothing is transmitted anywhere. You can delete the demo record with one click and remove the passkey itself from your device at any time.

How do I delete the demo passkey from my device?

“Forget” in the tool only removes this page’s record. To remove the passkey from your device:
iOS / macOS: Settings → Passwords (or the Passwords app) → find this site → delete the passkey.
Android / Chrome: Google Password Manager → Passwords → find this site → delete.
Windows: Settings → Accounts → Passkeys → find this site → remove.
Password managers (1Password, Bitwarden, …): find the item for this site and delete it there.

What is an AAGUID?

The AAGUID (Authenticator Attestation Globally Unique Identifier) is a 16-byte ID that identifies the authenticator model (say, Google Password Manager or a YubiKey 5), not your individual device. This tool resolves it against a bundled snapshot of the community-maintained passkey-authenticator-aaguids list. With attestation set to “none” (the default), many authenticators zero it out for privacy.

Why does the sign count show 0?

The signature counter was designed to detect cloned credentials: each use should increment it. But a synced passkey lives on several devices at once and can’t maintain one shared counter, so most passkey providers (iCloud Keychain, Google Password Manager) always report 0, meaning “counter not supported”. Hardware security keys usually do increment it.
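
The fields named in Step 3 and in the AAGUID and sign-count answers above all sit at fixed offsets in the authenticator data. The following is an added example, not code from this tool or its repository: it parses those bytes and applies the counter rule a server would use. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example. Flag bit positions follow the WebAuthn authenticator data layout.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | [attested credential data]
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticator data shorter than 37 bytes");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = {};
  for (const [name, bit] of Object.entries(FLAGS)) flags[name] = (bytes[32] & bit) !== 0;
  const out = { rpIdHash: bytes.slice(0, 32), flags, signCount: view.getUint32(33, false) };
  if (flags.AT) {
    // Attested credential data: AAGUID (16) | credIdLen (2, big-endian) | credId | COSE key
    if (bytes.length < 55) throw new Error("AT flag set but attested credential data is truncated");
    const idLen = view.getUint16(53, false);
    if (bytes.length < 55 + idLen) throw new Error("credential ID runs past end of data");
    out.aaguid = formatAaguid(bytes.slice(37, 53));
    out.credentialId = bytes.slice(55, 55 + idLen);
    out.coseKeyOffset = 55 + idLen; // CBOR public key starts here (not decoded in this example)
  }
  return out;
}

// Render the 16 AAGUID bytes in the usual 8-4-4-4-12 hex form.
function formatAaguid(b) {
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join("-");
}

// Counter rule: 0 on both sides means "not supported"; otherwise it must strictly increase.
function checkSignCount(stored, received) {
  if (stored === 0 && received === 0) return "unsupported";
  return received > stored ? "ok" : "possible-clone";
}

// Constructed sample: UP|UV|AT set, zeroed AAGUID, 4-byte credential ID, COSE key omitted.
function sampleRegistrationData() {
  const d = new Uint8Array(37 + 16 + 2 + 4);
  d.fill(0xab, 0, 32);                    // placeholder rpIdHash, not a real hash
  d[32] = FLAGS.UP | FLAGS.UV | FLAGS.AT; // 0x45
  d[54] = 4;                              // credIdLen = 0x0004; signCount bytes stay 0
  d.set([1, 2, 3, 4], 55);
  return d;
}

const parsed = parseAuthenticatorData(sampleRegistrationData());
console.log(parsed.flags, parsed.signCount, parsed.aaguid, checkSignCount(0, parsed.signCount));
```

A result of "possible-clone" is a risk signal for the server's policy to act on, not proof of cloning.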