{ "$defs": { "AuthenticationExtensions": { "description": "Contains additional parameters requesting additional processing by the client and authenticator.eslint-disable-next-line @typescript-eslint/no-explicit-any" }, "AuthenticationExtensionsClientOutputs": { "description": "Contains the results of processing client extensions requested by the Relying Party.eslint-disable-next-line @typescript-eslint/no-explicit-any" }, "Authenticator": { "description": "Represents the user's authenticator device.", "properties": { "AAGUID": { "description": "Identifies the type (e.g. make and model) of the authenticator." }, "signCount": { "description": "{@link WebAuthn4JS.finishLogin} compares the stored signature counter value with the new `signCount` value returned in the assertion’s authenticator data. If this new `signCount` value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning." }, "cloneWarning": { "description": "This is a signal that the authenticator may be cloned, i.e. at least two copies of the credential private key may exist and are being used in parallel. Relying Parties (applications) should incorporate this information into their risk scoring. Whether the Relying Party updates the stored signature counter value in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific." }, "attachment": { "description": "The {@link AuthenticatorSelection.authenticatorAttachment} value returned by the request.", "$ref": "#/$defs/AuthenticatorAttachment" } } }, "AuthenticatorAssertionResponse": { "description": "Contains the raw authenticator assertion data, used to verify the authenticity of the login ceremony and the used credential.", "properties": { "clientDataJSON": { "description": "Contains a JSON serialization of the client data passed to the authenticator by the browser in its call to navigator.credentials.get()." }, "authenticatorData": { "description": "Serialized bindings made by the authenticator, such as ID of the Relying Party that the credential is meant for, whether the user is present and the signature count." }, "signature": { "description": "The raw signature returned from the authenticator." }, "userHandle": { "description": "Contains the Relying Party's ID for the user" } } }, "AuthenticatorAttestationResponse": { "description": "Contains the raw authenticator attestation data, used to verify the authenticy of the registration ceremony and the new credential.", "properties": { "clientDataJSON": { "description": "Contains a JSON serialization of the client data passed to the authenticator by the browser in its call to navigator.credentials.create()." }, "attestationObject": { "description": "This attribute contains an attestation object, which is opaque to, and cryptographically protected against tampering by, the browser. The attestation object contains both authenticator data and an attestation statement. The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the attestation statement are determined by the attestation statement format used by the authenticator. It also contains any additional information that the Relying Party's server requires to validate the attestation statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data." }, "transports": { "description": "These values are the transports that the authenticator is believed to support, or an empty sequence if the information is unavailable." } } }, "AuthenticatorSelection": { "description": "Use this class to specify requirements regarding authenticator attributes.", "properties": { "authenticatorAttachment": { "description": "If this member is present, eligible authenticators are filtered to only authenticators attached by the specified mechanism.", "$ref": "#/$defs/AuthenticatorAttachment" }, "requireResidentKey": { "description": "Describes the Relying Party's requirements regarding resident credentials. If present and set to `true`, the authenticator MUST create a client-side-resident public key credential source when creating a public key credential.", "default": false }, "residentKey": { "description": "Specifies the extent to which the Relying Party desires to create a client-side discoverable credential. For historical reasons the naming retains the deprecated “resident” terminology." }, "userVerification": { "description": "Describes the Relying Party's requirements regarding user verification for the `navigator.credentials.create()` or `navigator.credentials.get()` operation. Eligible authenticators are filtered to only those capable of satisfying this requirement.", "$ref": "#/$defs/UserVerificationRequirement" } } }, "Config": { "description": "Configuration and default values for the {@link WebAuthn4JS} instance.", "properties": { "RPID": { "description": "A valid domain that identifies the Relying Party. A credential can only by used with the same enity (as identified by the `RPID`) it was registered with." }, "RPDisplayName": { "description": "Friendly name for the Relying Party (application). The browser may display this to the user." }, "RPOrigins": { "description": "Configures the list of Relying Party Server Origins that are permitted. These should be fully qualified origins." }, "AttestationPreference": { "description": "Preferred attestation conveyance during credential generation", "$ref": "#/$defs/ConveyancePreference" }, "AuthenticatorSelection": { "description": "Login requirements for authenticator attributes." }, "Debug": { "description": "Enables various debug options." }, "EncodeUserIDAsString": { "description": "Ensures the user.id value during registrations is encoded as a raw UTF8 string. This is useful when you only use printable ASCII characters for the random user.id but the browser library does not decode the URL Safe Base64 data." }, "Timeouts": { "description": "Configures various timeouts." }, "RPIcon": { "description": "@deprecated This option has been removed from newer specifications due to security considerations." }, "RPOrigin": { "description": "@deprecated Use RPOrigins instead." }, "Timeout": { "description": "@deprecated Use Timeouts instead." } }, "required": [ "RPID", "RPDisplayName", "RPOrigins" ] }, "Credential": { "description": "Contains all needed information about a WebAuthn credential for storage.", "properties": { "id": { "description": "A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions." }, "publicKey": { "description": "The public key portion of a Relying Party-specific credential key pair, generated by an authenticator and returned to a Relying Party at registration time." }, "attestationType": { "description": "The attestation format used (if any) by the authenticator when creating the credential." }, "transport": { "description": "The transport types the authenticator supports.", "items": { "$ref": "#/$defs/AuthenticatorTransport" } }, "flags": { "description": "The commonly stored flags." }, "authenticator": { "description": "The Authenticator information for a given certificate." } } }, "CredentialAssertion": { "description": "The payload that should be sent to the browser for beginning the login process.", "properties": { "publicKey": { "description": "Options for the browser to pass to `navigator.credentials.get()`." } } }, "CredentialAssertionResponse": { "description": "The raw response returned to us from an authenticator when we request a credential for login.", "properties": { "id": { "description": "The credential's identifier." }, "type": { "description": "Specifies the credential type represented by this object.", "$ref": "#/$defs/PublicKeyCredentialType" }, "rawId": { "description": "The credential's identifier. Since we base64-encode raw data, this is the same as `id`." }, "clientExtensionResults": { "description": "A map containing identifier -> client extension output entries produced by any extensions that may have been used during login." }, "authenticatorAttachment": { "description": "If this member is present, eligible authenticators are filtered to only authenticators attached by the specified mechanism.", "$ref": "#/$defs/AuthenticatorAttachment" }, "response": { "description": "The authenticator's response to the request to generate a login assertion." } } }, "CredentialCreation": { "description": "The payload that should be sent to the browser for beginning the registration process.", "properties": { "publicKey": { "description": "Options for the browser to pass to `navigator.credentials.create()`." } } }, "CredentialCreationResponse": { "description": "The raw response returned to us from an authenticator when we request a credential for registration.", "properties": { "id": { "description": "The credential's identifier." }, "type": { "description": "Specifies the credential type represented by this object.", "$ref": "#/$defs/PublicKeyCredentialType" }, "rawId": { "description": "The credential's identifier. Since we base64-encode raw data, this is the same as `id`." }, "clientExtensionResults": { "description": "A map containing identifier -> client extension output entries produced by any extensions that may have been used during registration." }, "authenticatorAttachment": { "description": "If this member is present, eligible authenticators are filtered to only authenticators attached by the specified mechanism.", "$ref": "#/$defs/AuthenticatorAttachment" }, "response": { "description": "The authenticator's response to the request to generate a registration attestation." }, "transports": { "description": "@deprecated Deprecated due to upstream changes to the API. Use {@link AuthenticatorAttestationResponse.transports} instead." } } }, "CredentialDescriptor": { "description": "Specifies a credential for use by the browser when it calls `navigator.credentials.create()` or `navigator.credentials.get()`.", "properties": { "type": { "description": "Type of the credential to use.", "$ref": "#/$defs/CredentialType" }, "id": { "description": "The ID of a credential to allow/disallow." }, "transports": { "description": "The authenticator transports that can be used.", "items": { "$ref": "#/$defs/AuthenticatorTransport" } } } }, "CredentialFlags": { "description": "Flags associated with a credential", "properties": { "userPresent": { "description": "Indicates the users presence." }, "userVerified": { "description": "Indicates the user performed verification." }, "backupEligible": { "description": "Indicates the credential is able to be backed up and/or sync'd between devices. This should NEVER change." }, "backupState": { "description": "Indicates the credential has been backed up and/or sync'd. This value can change but it's recommended that RP's keep track of this value." } } }, "CredentialParameter": { "description": "The credential type and algorithm that the Relying Party wants the authenticator to create.", "properties": { "type": { "description": "Type of the credential to use.", "$ref": "#/$defs/CredentialType" }, "alg": { "description": "Algorithm to use, see the [IANA CBOR COSE Algorithms Registry](https://www.iana.org/assignments/cose/cose.xhtml#algorithms).", "$ref": "#/$defs/COSEAlgorithmIdentifier" } } }, "PublicKeyCredentialCreationOptions": { "description": "Parameters for `navigator.credentials.create()`.", "properties": { "rp": { "description": "Data about the Relying Party responsible for the request (i.e. your application)" }, "user": { "description": "Data about the user account for which the Relying Party is requesting attestation." }, "challenge": { "description": "A challenge intended to be used for generating the newly created credential’s attestation." }, "pubKeyCredParams": { "description": " Information about the desired properties of the credential to be created. The sequence is ordered from most preferred to least preferred. The browser makes a best-effort to create the most preferred credential that it can." }, "timeout": { "description": "Specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and may be overridden by the browser." }, "excludeCredentials": { "description": "This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator. The browser is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter." }, "authenticatorSelection": { "description": "Registration requirements for authenticator attributes." }, "attestation": { "description": "This member is intended for use by Relying Parties that wish to express their preference for attestation conveyance.", "$ref": "#/$defs/ConveyancePreference" }, "extensions": { "description": "Additional parameters requesting additional processing by the browser and authenticator. For example, the caller may request that only authenticators with certain capabilities be used to create the credential, or that particular information be returned in the attestation object. Some extensions are defined in [WebAuthn Extensions](https://www.w3.org/TR/webauthn/#extensions); consult the IANA \"WebAuthn Extension Identifier\" registry established by [WebAuthn-Registries](https://tools.ietf.org/html/draft-hodges-webauthn-registries) for an up-to-date list of registered WebAuthn Extensions." } } }, "PublicKeyCredentialRequestOptions": { "description": "Parameters for `navigator.credentials.get()`.", "properties": { "challenge": { "description": "A challenge that the selected authenticator signs, along with other data, when producing a login assertion." }, "timeout": { "description": "Specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and may be overridden by the browser." }, "rpId": { "description": "Specifies the Relying Party identifier claimed by the application. If omitted, its value will be the application's origin's effective domain." }, "allowCredentials": { "description": "A list of public key credentials acceptable to the caller, in descending order of preference (the first item in the list is the most preferred credential, and so on down the list)." }, "userVerification": { "description": "Describes the Relying Party's requirements regarding user verification for the `navigator.credentials.get()` operation. Eligible authenticators are filtered to only those capable of satisfying this requirement.", "$ref": "#/$defs/UserVerificationRequirement" }, "extensions": { "description": "Additional parameters requesting additional processing by the browser and authenticator. For example, if transaction confirmation is sought from the user, then the prompt string might be included as an extension." } } }, "RelyingPartyEntity": { "description": "Used to supply additional Relying Party attributes when creating a new credential.", "properties": { "name": { "description": "A human-palatable identifier for the Relying Party, intended only for display." }, "icon": { "description": "A URL which resolves to an image associated with the Relying Party, for example its logo." }, "id": { "description": "A unique identifier for the Relying Party." } } }, "SessionData": { "description": "Data that should be stored securely (anti-tamper) by the Relying Party for the duration of the registration or login ceremony.", "properties": { "challenge": { "description": "Challenge that was sent to the browser." }, "user_id": { "description": "ID of the user being registered or logged in." }, "allowed_credentials": { "description": "Credentials allowed in this login or registration ceremony." }, "expires": { "description": "When this data expires" }, "userVerification": { "description": "Required user verification in this login or registration ceremony.", "$ref": "#/$defs/UserVerificationRequirement" }, "extensions": { "description": "Contains additional parameters requesting additional processing by the client and authenticator." } } }, "TimeoutConfig": { "description": "Represents the WebAuthn timeouts configuration for either registration or login.", "properties": { "Enforce": { "description": "Enforce the timeouts at the Relying Party / Server. This means if enabled and the user takes too long that even if the browser does not enforce the timeout the Relying Party / Server will." }, "Timeout": { "description": "The timeout in nanoseconds for logins/registrations when the UserVerificationRequirement is set to anything other than discouraged." }, "TimeoutUVD": { "description": "The timeout in nanoseconds for logins/registrations when the UserVerificationRequirement is set to discouraged." } } }, "TimeoutsConfig": { "description": "Represents the WebAuthn timeouts configuration.", "properties": { "Login": { "description": "Timeouts for login." }, "Registration": { "description": "Timeouts for registration." } } }, "URLEncodedBase64": { "description": "URL-encoded base64 data." }, "User": { "description": "Represents an application (Relying Party) user.", "properties": { "id": { "description": "User ID according to the Relying Party." }, "name": { "description": "User Name according to the Relying Party." }, "displayName": { "description": "Display Name of the user." }, "iconURL": { "description": "@deprecated This has been removed from the specification recommendation. Suggest a blank string." }, "credentials": { "description": "Credentials owned by the user." } } }, "UserEntity": { "description": "Supplies additional user account attributes when creating a new credential.", "properties": { "name": { "description": "A human-palatable identifier for the user account, intended only for display to aid the user in determining the difference between user accounts with similar `displayName`s." }, "icon": { "description": "@deprecated This has been removed from the specification recommendations." }, "displayName": { "description": "A human-palatable name for the user account, intended only for display." }, "id": { "description": "The user handle of the user account. *//* eslint-disable-next-line @typescript-eslint/no-explicit-any" } } }, "AuthenticatorAttachment": { "anyOf": [{ "$ref": "#/$defs/PlatformAttachment" }, { "$ref": "#/$defs/CrossPlatformAttachment" }] }, "PlatformAttachment": { "const": "platform", "description": "A platform authenticator is attached using a client device-specific transport, called platform attachment, and is usually not removable from the client device. A public key credential bound to a platform authenticator is called a platform credential." }, "CrossPlatformAttachment": { "const": "cross-platform", "description": "A roaming authenticator is attached using cross-platform transports, called cross-platform attachment. Authenticators of this class are removable from, and can \"roam\" among, client devices. A public key credential bound to a roaming authenticator is called a roaming credential." }, "UserVerificationRequirement": { "anyOf": [{ "$ref": "#/$defs/UserVerificationRequired" }, { "$ref": "#/$defs/UserVerificationPreferred" }, { "$ref": "#/$defs/UserVerificationDiscouraged" }], "default": { "$ref": "#/$defs/UserVerificationPreferred" } }, "UserVerificationRequired": { "const": "required", "description": "User verification is required to create/use a credential." }, "UserVerificationPreferred": { "const": "preferred", "description": "User verification is preferred to create/use a credential. This is the default if no user verification requirement is specified." }, "UserVerificationDiscouraged": { "const": "discouraged", "description": "The authenticator should not verify the user for the credential." }, "ConveyancePreference": { "anyOf": [{ "$ref": "#/$defs/PreferNoAttestation" }, { "$ref": "#/$defs/PreferIndirectAttestation" }, { "$ref": "#/$defs/PreferDirectAttestation" }, { "$ref": "#/$defs/PreferEnterpriseAttestation" }], "default": { "$ref": "#/$defs/PreferNoAttestation" } }, "PreferNoAttestation": { "description": "Indicates that the Relying Party is not interested in authenticator attestation. For example, in order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a roundtrip to an Attestation CA. This is the default if no attestation conveyance is specified.", "const": "none" }, "PreferIndirectAttestation": { "description": "Indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.", "const": "indirect" }, "PreferDirectAttestation": { "description": "Indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator.", "const": "direct" }, "PreferEnterpriseAttestation": { "description": "Indicates that the Relying Party wants to receive an attestation statement that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested RP ID. If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party.", "const": "enterprise" }, "CredentialType": { "$ref": "#/$defs/PublicKeyCredentialType" }, "PublicKeyCredentialType": { "description": "Credential type for WebAuthn.", "const": "public-key" }, "COSEAlgorithmIdentifier": { "anyOf":[{ "$ref": "#/$defs/AlgES256" }, { "$ref": "#/$defs/AlgES384" }, { "$ref": "#/$defs/AlgES512" }, { "$ref": "#/$defs/AlgRS1" }, { "$ref": "#/$defs/AlgRS256" }, { "$ref": "#/$defs/AlgRS384" }, { "$ref": "#/$defs/AlgRS512" }, { "$ref": "#/$defs/AlgPS256" }, { "$ref": "#/$defs/AlgPS384" }, { "$ref": "#/$defs/AlgPS512" }, { "$ref": "#/$defs/AlgEdDSA" }, { "$ref": "#/$defs/AlgES256K" }] }, "AlgES256": { "description": "ECDSA with SHA-256", "const": -7 }, "AlgES384": { "description": "ECDSA with SHA-384", "const": -35 }, "AlgES512": { "description": "ECDSA with SHA-512", "const": -36 }, "AlgRS1": { "description": "RSASSA-PKCS1-v1_5 with SHA-1", "const": -65535 }, "AlgRS256": { "description": "RSASSA-PKCS1-v1_5 with SHA-256", "const": -257 }, "AlgRS384": { "description": "RSASSA-PKCS1-v1_5 with SHA-384", "const": -258 }, "AlgRS512": { "description": "RSASSA-PKCS1-v1_5 with SHA-512", "const": -259 }, "AlgPS256": { "description": "RSASSA-PSS with SHA-256", "const": -37 }, "AlgPS384": { "description": "RSASSA-PSS with SHA-384", "const": -38 }, "AlgPS512": { "description": "RSASSA-PSS with SHA-512", "const": -39 }, "AlgEdDSA": { "description": "EdDSA", "const": -8 }, "AlgES256K": { "description": "ECDSA using secp256k1 curve and SHA-256.", "const": -47 }, "AuthenticatorTransport": { "anyOf": [{ "$ref": "#/$defs/TransportUSB" }, { "$ref": "#/$defs/TransportNFC" }, { "$ref": "#/$defs/TransportBLE" }, { "$ref": "#/$defs/TransportHybrid" }, { "$ref": "#/$defs/TransportInternal" }] }, "TransportUSB": { "description": "Indicates the respective authenticator can be contacted over removable USB", "const": "usb" }, "TransportNFC": { "description": "Indicates the respective authenticator can be contacted over Near Field Communication (NFC).", "const": "nfc" }, "TransportBLE": { "description": "Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).", "const": "ble" }, "TransportHybrid": { "description": "Indicates the respective authenticator can be contacted using a combination of (often separate) data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using a smartphone.", "const": "hybrid" }, "TransportInternal": { "description": "Indicates the respective authenticator is contacted using a client device-specific transport, i.e., it is a platform authenticator. These authenticators are not removable from the client device.", "const": "internal" } } }