WebAuthn requires JavaScript to interact with authenticators in the browser. This page explains the client-side implementation using the WebAuthn Browser API and recommended libraries.
Browser API Overview
The WebAuthn specification provides two main JavaScript APIs:
navigator.credentials.create() - Register a new authenticator (attestation)
navigator.credentials.get() - Authenticate with a registered authenticator (assertion)
Both APIs are asynchronous and return Promises that resolve with credential objects.
HTTPS Requirement
HTTPS is mandatory for WebAuthn to work. This applies to all domains, including localhost. The only exception is localhost in some browsers during development, but production environments must always use HTTPS.
Modern browsers enforce this requirement to prevent credential theft and man-in-the-middle attacks.
Simplifies the WebAuthn API with easy-to-use functions
Handles base64url encoding/decoding automatically
Provides TypeScript type definitions
Is fully compliant with the WebAuthn specification
Works with any server implementation
Installation:
Symfony UX Stimulus Controller
If you're using Symfony, the Stimulus Controller provides seamless integration with forms and authentication workflows without writing JavaScript code.
Registration (Attestation) Flow
Using Native Browser API
Using @simplewebauthn/browser
Authentication (Assertion) Flow
Using Native Browser API
Using @simplewebauthn/browser
Base64URL Encoding/Decoding
If you're using the native API without a library, you need helper functions for base64url encoding:
The @simplewebauthn/browser library handles all encoding/decoding automatically, which is why we recommend it.
Error Handling
WebAuthn operations can fail for various reasons. Always wrap calls in try-catch blocks:
Common Error Types
Error Name
Description
Common Cause
NotAllowedError
User cancelled the operation or timeout
User cancelled prompt, 60-second timeout exceeded
InvalidStateError
Invalid state for operation
Authenticator already registered for this account
NotSupportedError
Operation not supported
Browser doesn't support WebAuthn or specific features
SecurityError
Security requirements not met
Not using HTTPS, invalid origin/RP ID
AbortError
Operation aborted
Explicitly cancelled by application code
Browser Compatibility
WebAuthn is supported in modern browsers:
✅ Chrome 67+
✅ Firefox 60+
✅ Safari 13+ (iOS and macOS)
✅ Edge 18+
✅ Opera 54+
Always check for WebAuthn support before attempting registration or authentication:
Browser Autofill / Conditional UI
Modern browsers support autofill for WebAuthn credentials, allowing users to select passkeys from password autofill:
For Symfony UX users, enable this with the useBrowserAutofill option in the Stimulus controller configuration.
Development Setup
Local HTTPS
For development with HTTPS on localhost:
Option 1: Use mkcert (Recommended)
Option 2: Symfony CLI (for Symfony projects)
The Symfony CLI automatically sets up HTTPS for local development.
import { startAuthentication } from '@simplewebauthn/browser';
try {
const response = await startAuthentication(options);
// Success
} catch (error) {
// Handle different error types
if (error.name === 'NotAllowedError') {
alert('Operation cancelled or timed out');
} else if (error.name === 'InvalidStateError') {
alert('Authenticator already registered');
} else if (error.name === 'NotSupportedError') {
alert('WebAuthn not supported in this browser');
} else if (error.name === 'AbortError') {
alert('Operation was aborted');
} else {
alert('Authentication failed: ' + error.message);
}
}
if (!window.PublicKeyCredential) {
alert('WebAuthn is not supported in this browser');
// Show fallback authentication method
return;
}
// Optional: Check for specific features
if (window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable) {
const available = await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
if (available) {
console.log('Platform authenticator (Touch ID, Face ID, Windows Hello) available');
}
}
// Check if conditional UI is available
const conditionalUIAvailable = await PublicKeyCredential.isConditionalMediationAvailable();
if (conditionalUIAvailable) {
// Add 'conditional' mediation to allow autofill
const credential = await navigator.credentials.get({
publicKey: options,
mediation: 'conditional' // Enable autofill UI
});
}
# Install mkcert
brew install mkcert # macOS
# or apt install mkcert # Linux
# Create local CA
mkcert -install
# Generate certificate for localhost
mkcert localhost 127.0.0.1 ::1
