


firehed/webauthn
================

Support passkeys and Web Authentication

Version 0.9.1 · License: MIT · Requires PHP ^8.2 · [Source](https://github.com/Firehed/webauthn-php) · [Packagist](https://packagist.org/packages/firehed/webauthn)

Web Authentication for PHP
==========================


A way to move beyond passwords


Support Passkeys and WebAuthn in your PHP app
---------------------------------------------


This library will help you get your PHP app ready to support passkeys and WebAuthn. It handles the processing and cryptographic verification of client data, and assists with credential storage and retrieval.

There's a non-trivial amount of client-side work to also perform. Numerous examples are provided, but you'll want to be familiar with the WebAuthn spec and browser APIs.

**Tip:** Want a hosted option? [SnapAuth](https://www.snapauth.app?utm_source=github&utm_campaign=library&utm_content=webauthn-php) will have you up and running in minutes. Both client and server integrations are handled for you in just a couple lines of code.

What is Web Authentication?
---------------------------


Web Authentication, frequently referred to as `WebAuthn`, is a set of technologies and APIs that provide user authentication using modern cryptography. Instead of passwords and hashing, WebAuthn lets users generate a public/private keypair, provide the public key to the server, and authenticate by signing server-generated challenges with the private key, which never leaves their possession.

This means that servers hold only public keys: they *never touch sensitive data* and *cannot leak authentication information* should a breach ever occur. This also means that users do not have to manage passwords for individual websites, and can instead rely on tools provided by operating systems, browsers, and hardware security keys.

Using this library: A Crash Course
----------------------------------


This covers the basic workflows for integrating this library into your web application.

**Note:** The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 \[RFC2119\] \[RFC8174\] when, and only when, they appear in all capitals, as shown here.

### Sample Code


There's a complete set of working examples in the [`examples`](examples) directory. Application logic is kept to a bare minimum in order to highlight the most important workflow steps.

### Install


```
composer require firehed/webauthn
```

### Setup


Create a `RelyingPartyInterface` instance. See [Relying Party](#relying-parties) for more information about selecting an implementation.

```
// Pass the origin your application is served from.
$rp = new \Firehed\WebAuthn\SingleOriginRelyingParty('https://www.example.com');
```

Also create a `ChallengeManagerInterface`. This will store and validate the one-time use challenges that are central to the WebAuthn protocol. See the [Challenge Management](#challenge-management) section below for more information.

```
// Start the PHP session before creating the session-backed challenge manager.
session_start();
$challengeManager = new \Firehed\WebAuthn\SessionChallengeManager();
```
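The challenge-response flow described under "What is Web Authentication?" and the one-time-use property a challenge manager enforces, shown as an added example that is not this library's code. `OneTimeChallengeStore` and `verifyLogin` are hypothetical names, the keypair is generated locally to stand in for an authenticator, and the raw challenge is signed directly for brevity, whereas real WebAuthn signs authenticator data plus a hash of the client data that contains the challenge.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory store for illustration; not the library's
// ChallengeManagerInterface. State lives only for this script run.
final class OneTimeChallengeStore
{
    /** @var array<string, int> base64 challenge => expiry timestamp */
    private array $pending = [];

    public function issue(int $lifetimeSeconds = 120): string
    {
        $challenge = base64_encode(random_bytes(32)); // 256 bits from the CSPRNG
        $this->pending[$challenge] = time() + $lifetimeSeconds;
        return $challenge;
    }

    /** Succeeds at most once per challenge: the entry is removed on first use. */
    public function consume(string $challenge): bool
    {
        $expiry = $this->pending[$challenge] ?? null;
        unset($this->pending[$challenge]);
        return $expiry !== null && time() <= $expiry;
    }
}

function verifyLogin(OneTimeChallengeStore $store, string $publicKeyPem, string $challenge, string $signature): bool
{
    // Consume before verifying, so a failed or replayed attempt cannot reuse it.
    if (!$store->consume($challenge)) {
        return false;
    }
    return openssl_verify($challenge, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample data: a P-256 keypair standing in for the user's authenticator.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$publicKeyPem = openssl_pkey_get_details($key)['key']; // the only key material the server stores

$store = new OneTimeChallengeStore();
$challenge = $store->issue();
openssl_sign($challenge, $signature, $key, OPENSSL_ALGO_SHA256); // done on the user's device

var_dump(verifyLogin($store, $publicKeyPem, $challenge, $signature)); // fresh challenge, valid signature
var_dump(verifyLogin($store, $publicKeyPem, $challenge, $signature)); // replay: challenge already consumed
```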

**Important:** WebAuthn will only work in a "secure context". This means that the domain MUST run over `https`, with a sole exception for `localhost`. See <https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts> for more info.

### Registering a WebAuthn credential to a user


This step takes place either when a user is first registering, or later on to supplement or replace their password.

1. Create an endpoint that will return a new, random Challenge. Send it to the user as base64.

```
