WebAuthn
The WebAuthn class is the core of the package. It handles all cryptographic operations: challenge generation, CBOR decoding, COSE key parsing, and OpenSSL signature verification.
Namespace: Xefi\LaravelPasskey\Webauthn\WebAuthn
You can resolve it from the service container or inject it directly if you need to use it in your own code:
use Xefi\LaravelPasskey\Webauthn\WebAuthn;
$webAuthn = app(WebAuthn::class);
Methods
generateRegisterOptions()
Generates the WebAuthn PublicKeyCredentialCreationOptions array.
public function generateRegisterOptions(
string $app_name,
string $app_url,
string $user_id,
string $email,
string $display_name
): array
Returns an array compatible with the browser's navigator.credentials.create() API. The rpId is the host component of $app_url as returned by parse_url() (no scheme, no port). It has to equal, or be a registrable suffix of, the origin the page is served from, otherwise the browser rejects the options. Passkeys are scoped to the rpId they were created under, so changing the host in $app_url stops existing passkeys from being usable.
generateVerifyOptions()
Generates the WebAuthn PublicKeyCredentialRequestOptions array for an existing credential. The $challenge you pass is echoed back by the browser in clientDataJSON.challenge; keep the server-side copy (for example in the session) and compare it when the assertion comes back, since a valid signature on its own does not prove the response was produced for this login attempt.
public function generateVerifyOptions(
string $challenge,
string $credential_id
): array
registerPasskey()
Validates the registration response from the browser and persists a new Passkey to the database.
public function registerPasskey(array $validated, \Illuminate\Database\Eloquent\Model $owner): Passkey
Internally calls getDataForRegister() to parse the attestation object and extract the credential ID and public key. The passkey is created via the polymorphic passkeys() relationship on $owner.
verifyPasskey()
Validates an authentication assertion from the browser against the stored public key.
public function verifyPasskey(string $credentialIdBase64Url, array $response): Passkey
Looks up the Passkey by credential_id, calls verify() to check the signature, and returns the Passkey instance on success. Throws PasskeyNotFoundException if the passkey is not found, or InvalidSignatureException if the signature is invalid.
verify()
Low-level signature verification. Decodes the COSE public key, builds a PEM from it, and verifies the signature with OpenSSL over the data the authenticator actually signed: the authenticator data followed by the SHA-256 hash of the client data JSON.
public function verify(
string $client_data_json,
string $authenticator_data,
string $signature,
string $public_key
): void
Throws InvalidSignatureException if the signature is invalid. Supports ES256 (alg -7) and RS256 (alg -257).
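The ES256 path of that verification, written out as an added example. This is not the package's verify(); it is stand-alone PHP that generates a local P-256 key to stand in for an authenticator, signs a constructed assertion, and then decodes the COSE key, builds the PEM and checks the signature with openssl_verify(). The clientData.type, challenge, origin, rpIdHash and user-presence checks are the standard WebAuthn assertion checks, shown here so that a signature check is never run on data that was not made for this request; the function names, the rpId example.com and the origin are assumptions of the example.

```php
<?php
// Added example, not the package's own code: ES256 WebAuthn assertion verification.
// A key pair is generated locally so the script runs offline. The CBOR decoder only
// handles the definite-length items a COSE key uses.

function cborDecode(string $data, int &$pos = 0)
{
    $ib = ord($data[$pos++]);
    $major = $ib >> 5;
    $info  = $ib & 0x1f;
    if ($info < 24) {
        $len = $info;
    } elseif ($info === 24) {
        $len = ord($data[$pos++]);
    } elseif ($info === 25) {
        $len = unpack('n', substr($data, $pos, 2))[1]; $pos += 2;
    } elseif ($info === 26) {
        $len = unpack('N', substr($data, $pos, 4))[1]; $pos += 4;
    } else {
        throw new RuntimeException('unsupported CBOR length encoding');
    }
    switch ($major) {
        case 0: return $len;                                                // unsigned int
        case 1: return -1 - $len;                                           // negative int
        case 2:                                                             // byte string
        case 3: $v = substr($data, $pos, $len); $pos += $len; return $v;    // text string
        case 4: $a = []; for ($i = 0; $i < $len; $i++) { $a[] = cborDecode($data, $pos); } return $a;
        case 5: $m = []; for ($i = 0; $i < $len; $i++) { $k = cborDecode($data, $pos); $m[$k] = cborDecode($data, $pos); } return $m;
        default: throw new RuntimeException('unsupported CBOR major type ' . $major);
    }
}

function coseEc2ToPem(array $cose): string
{
    // COSE labels: 1 = kty (2 is EC2), 3 = alg (-7 is ES256), -1 = crv (1 is P-256), -2 = x, -3 = y
    if (($cose[1] ?? null) !== 2 || ($cose[3] ?? null) !== -7 || ($cose[-1] ?? null) !== 1) {
        throw new RuntimeException('only EC2 / P-256 / ES256 keys are handled here');
    }
    if (strlen($cose[-2] ?? '') !== 32 || strlen($cose[-3] ?? '') !== 32) {
        throw new RuntimeException('bad coordinate length');
    }
    // DER SubjectPublicKeyInfo prefix for id-ecPublicKey + prime256v1, then the uncompressed point 04||x||y
    $der = hex2bin('3059301306072a8648ce3d020106082a8648ce3d030107034200') . "\x04" . $cose[-2] . $cose[-3];
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($der), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// $expectedChallenge is the base64url string that was sent in the request options.
function verifyAssertion(string $clientDataJson, string $authData, string $signature, string $coseKeyCbor,
                         string $expectedChallenge, string $expectedOrigin, string $rpId): void
{
    $cd = json_decode($clientDataJson, true, 512, JSON_THROW_ON_ERROR);
    if (($cd['type'] ?? '') !== 'webauthn.get')                      { throw new RuntimeException('wrong clientData.type'); }
    if (!hash_equals($expectedChallenge, $cd['challenge'] ?? ''))     { throw new RuntimeException('challenge mismatch'); }
    if (($cd['origin'] ?? '') !== $expectedOrigin)                    { throw new RuntimeException('origin mismatch'); }
    if (strlen($authData) < 37)                                       { throw new RuntimeException('authenticator data too short'); }
    if (!hash_equals(hash('sha256', $rpId, true), substr($authData, 0, 32))) { throw new RuntimeException('rpIdHash mismatch'); }
    if ((ord($authData[32]) & 0x01) === 0)                            { throw new RuntimeException('user presence flag not set'); }

    $pem    = coseEc2ToPem(cborDecode($coseKeyCbor));
    $signed = $authData . hash('sha256', $clientDataJson, true);      // the WebAuthn signature base
    if (openssl_verify($signed, $signature, $pem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('invalid signature');
    }
}

// --- constructed data: a freshly generated P-256 key stands in for the authenticator ---
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$ec  = openssl_pkey_get_details($key)['ec'];                           // raw big-endian x and y
$coseKeyCbor = "\xa5\x01\x02\x03\x26\x20\x01"                           // {1:2, 3:-7, -1:1, ...}
    . "\x21\x58\x20" . str_pad($ec['x'], 32, "\x00", STR_PAD_LEFT)     // -2: x (32 bytes)
    . "\x22\x58\x20" . str_pad($ec['y'], 32, "\x00", STR_PAD_LEFT);    // -3: y (32 bytes)

$challenge      = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
$clientDataJson = json_encode(['type' => 'webauthn.get', 'challenge' => $challenge, 'origin' => 'https://example.com'], JSON_UNESCAPED_SLASHES);
$authData       = hash('sha256', 'example.com', true) . "\x05" . pack('N', 1);   // rpIdHash, flags UP|UV, counter 1
openssl_sign($authData . hash('sha256', $clientDataJson, true), $signature, $key, OPENSSL_ALGO_SHA256);

verifyAssertion($clientDataJson, $authData, $signature, $coseKeyCbor, $challenge, 'https://example.com', 'example.com');
echo "assertion verified\n";

// Any change to the signed data must be rejected: flip one bit of the counter.
$tampered = $authData;
$tampered[36] = chr(ord($tampered[36]) ^ 0x01);
try {
    verifyAssertion($clientDataJson, $tampered, $signature, $coseKeyCbor, $challenge, 'https://example.com', 'example.com');
} catch (RuntimeException $e) {
    echo "tampered assertion rejected: {$e->getMessage()}\n";
}
```

openssl_sign() with an EC key emits the DER-encoded ECDSA signature that WebAuthn authenticators also produce, so the same openssl_verify() call works on real assertions. RS256 is not covered here; it needs the RSA n and e labels (-1 and -2 for kty 3) wrapped into an RSAPublicKey DER structure instead of the EC prefix above.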
verify() is intended for internal use. Prefer verifyPasskey(), which wraps it with credential lookup and error handling.
getDataForRegister()
Parses the attestation object and client data JSON to extract the credential ID and public key.
public function getDataForRegister(
string $client_data_json,
string $attestation_object
): array
Returns ['credential_id' => string, 'public_key' => string] (both base64-encoded). Validates that the clientData.type is webauthn.create.
parseAuthData()
Parses the binary authenticator data structure.
public function parseAuthData(string $auth_data): array
Returns an array with rp_id_hash, flags, sign_count, aaguid, credential_id, and public_key_cbor. The last three come from the attested credential data block, which authenticators include only in registration responses (AT flag set); the authenticator data in an authentication assertion carries just the first three fields.
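The layout that parser walks, as an added example rather than the package's parseAuthData(): a fixed 37-byte header (32-byte rpIdHash, 1 flag byte, 4-byte big-endian signature counter), followed by the attested credential data (16-byte AAGUID, 2-byte big-endian credential ID length, credential ID, COSE key as CBOR) only when the AT flag is set. The sample input is constructed inline, the rpId example.com is an assumption, and the function name is the example's own.

```php
<?php
// Added example, not the package's own parseAuthData(): parses WebAuthn authenticator
// data and decodes the flag bits. Runs offline on the constructed sample at the bottom.

function parseAuthenticatorData(string $authData): array
{
    if (strlen($authData) < 37) {
        throw new InvalidArgumentException('authenticator data shorter than 37 bytes');
    }
    $flags  = ord($authData[32]);
    $offset = 37;

    $result = [
        'rp_id_hash' => substr($authData, 0, 32),                // SHA-256 of the rpId, raw bytes
        'flags' => [
            'user_present'    => (bool) ($flags & 0x01),          // UP
            'user_verified'   => (bool) ($flags & 0x04),          // UV
            'backup_eligible' => (bool) ($flags & 0x08),          // BE
            'backup_state'    => (bool) ($flags & 0x10),          // BS
            'attested_cred'   => (bool) ($flags & 0x40),          // AT
            'extension_data'  => (bool) ($flags & 0x80),          // ED
        ],
        'sign_count'      => unpack('N', substr($authData, 33, 4))[1],
        'aaguid'          => null,
        'credential_id'   => null,
        'public_key_cbor' => null,
    ];

    if ($flags & 0x40) {                                          // attested credential data follows
        if (strlen($authData) < $offset + 18) {
            throw new InvalidArgumentException('truncated attested credential data');
        }
        $result['aaguid'] = bin2hex(substr($authData, $offset, 16));
        $offset += 16;
        $credIdLen = unpack('n', substr($authData, $offset, 2))[1];
        $offset += 2;
        if (strlen($authData) < $offset + $credIdLen) {
            throw new InvalidArgumentException('credential id length exceeds data');
        }
        $result['credential_id'] = substr($authData, $offset, $credIdLen);
        $offset += $credIdLen;
        // The COSE key is the next CBOR item. This example has no CBOR parser to find its end,
        // so it requires that no extension block follows (ED flag clear) and takes the remainder.
        if ($flags & 0x80) {
            throw new InvalidArgumentException('extension data is not handled by this example');
        }
        $result['public_key_cbor'] = substr($authData, $offset);
    }
    return $result;
}

// Constructed sample: rpId example.com, flags UP|UV|AT, counter 7, zero AAGUID,
// a random 16-byte credential id and a hand-encoded COSE EC2 (P-256, ES256) key.
$coseKey = "\xa5"                                   // map of 5 entries
    . "\x01\x02"                                    // 1 (kty)  => 2 (EC2)
    . "\x03\x26"                                    // 3 (alg)  => -7 (ES256)
    . "\x20\x01"                                    // -1 (crv) => 1 (P-256)
    . "\x21\x58\x20" . str_repeat("\x11", 32)       // -2 (x)   => 32 bytes
    . "\x22\x58\x20" . str_repeat("\x22", 32);      // -3 (y)   => 32 bytes
$sample = hash('sha256', 'example.com', true)
    . "\x45"                                        // 0x01 UP | 0x04 UV | 0x40 AT
    . pack('N', 7)
    . str_repeat("\x00", 16)
    . pack('n', 16) . random_bytes(16)
    . $coseKey;

$parsed = parseAuthenticatorData($sample);

// The checks a relying party runs on the parsed fields before trusting the credential.
if (!hash_equals(hash('sha256', 'example.com', true), $parsed['rp_id_hash'])) {
    throw new RuntimeException('rpIdHash does not match the expected rpId');
}
if (!$parsed['flags']['user_present']) {
    throw new RuntimeException('user presence not asserted');
}
printf("counter %d, credential id %s, COSE key %d bytes\n",
    $parsed['sign_count'], bin2hex($parsed['credential_id']), strlen($parsed['public_key_cbor']));
```

The rpIdHash comparison uses hash_equals() rather than ===, and the counter is kept so that an assertion whose sign_count is not greater than the stored value can be treated as a possible cloned authenticator.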