PHPackages r0073rr0r/laravel-webauthn - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. r0073rr0r/laravel-webauthn ActiveLibrary[Authentication & Authorization](/categories/authentication) r0073rr0r/laravel-webauthn ========================== Laravel Jetstream and Livewire package for WebAuthn authentication (biometrics, USB security keys, and passkeys) 1.2.15(6mo ago)6103MITPHPPHP >=8.2CI passing Since Nov 7Pushed 3mo ago1 watchersCompare [ Source](https://github.com/r0073rr0r/laravel-webauthn)[ Packagist](https://packagist.org/packages/r0073rr0r/laravel-webauthn)[ RSS](/packages/r0073rr0r-laravel-webauthn/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (2)Dependencies (10)Versions (5)Used By (0) Laravel – Jetstream Livewire WebAuthn Components ================================================ [](#laravel--jetstream-livewire-webauthn-components) [![Packagist Version](https://camo.githubusercontent.com/9e3245c737e8f336da42825b9fd3444e0ec7f2fc4cd7baa46fdc638eba2a431b/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f7230303733727230722f6c61726176656c2d776562617574686e)](https://packagist.org/packages/r0073rr0r/laravel-webauthn)[![Total Downloads](https://camo.githubusercontent.com/abe5193e406ae1085cdb8727cb4b0b5afd14b57898467e1bd62d4db1fd6f966f/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f7230303733727230722f6c61726176656c2d776562617574686e)](https://packagist.org/packages/r0073rr0r/laravel-webauthn)[![Monthly Downloads](https://camo.githubusercontent.com/ba7fbfe27ce42a4e62ace52b4e398700ec122508584c422d99ed6fd909da4359/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f646d2f7230303733727230722f6c61726176656c2d776562617574686e)](https://packagist.org/packages/r0073rr0r/laravel-webauthn)[![PHP Version](https://camo.githubusercontent.com/f2c1370f5ceed13b6ebf94d46fe2ccc8a22d4d30b56bd58d4856d057090bda70/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f7230303733727230722f6c61726176656c2d776562617574686e)](https://packagist.org/packages/r0073rr0r/laravel-webauthn)[![License](https://camo.githubusercontent.com/706fa0b3387cf4a058877592b0267723aa74fcbe1b1119dad970f233b24cb8b4/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f7230303733727230722f6c61726176656c2d776562617574686e)](https://packagist.org/packages/r0073rr0r/laravel-webauthn)[![GitHub Stars](https://camo.githubusercontent.com/085aa7f80d0adfc71ea836094cd33645104c0b30fb9af3bdc37589dbc80847a9/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f73746172732f7230303733727230722f6c61726176656c2d776562617574686e3f7374796c653d736f6369616c)](https://github.com/r0073rr0r/laravel-webauthn/stargazers)[![GitHub Issues](https://camo.githubusercontent.com/7c450eaf09755123df248aa4f47f376972552f818d7200e7acb6420d8638fd00/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6973737565732f7230303733727230722f6c61726176656c2d776562617574686e)](https://github.com/r0073rr0r/laravel-webauthn/issues)[![GitHub Forks](https://camo.githubusercontent.com/eed4a5a017c0e8f34a6d009b3775789bd59389bb239a53e2cbdf52b58debf9e4/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f666f726b732f7230303733727230722f6c61726176656c2d776562617574686e3f7374796c653d736f6369616c)](https://github.com/r0073rr0r/laravel-webauthn/network)[![Tests](https://github.com/r0073rr0r/laravel-webauthn/actions/workflows/tests.yml/badge.svg)](https://github.com/r0073rr0r/laravel-webauthn/actions/workflows/tests.yml)[![CodeQL](https://github.com/r0073rr0r/laravel-webauthn/workflows/CodeQL/badge.svg)](https://github.com/r0073rr0r/laravel-webauthn/actions/workflows/codeql.yml)[![PHP Composer](https://github.com/r0073rr0r/laravel-webauthn/workflows/PHP%20Composer/badge.svg)](https://github.com/r0073rr0r/laravel-webauthn/actions/workflows/codeql.yml) A **Laravel** package that integrates seamlessly with **Jetstream** and **Livewire** to provide **WebAuthn** authentication — including support for biometric login, USB security keys, and passkeys. 📑 Table of Contents ------------------- [](#-table-of-contents) - [Requirements](#-requirements) - [Installation](#-installation) - [Updating](#-updating) - [Setup](#%EF%B8%8F-setup) - [Usage](#-usage) - [Registration (WebAuthnRegister)](#registration-webauthnregister) - [Login (WebAuthnLogin)](#login-webauthnlogin) - [Configuration](#-configuration) - [Customization](#-customization) - [Security](#-security) - [License](#-license) - [Contributing](#-contributing) 📋 Requirements -------------- [](#-requirements) - **PHP 8.2+** - **Laravel 12.x** - **Livewire 3.x** - **Jestream 5.x** - **OpenSSL** extension for PHP - ***Composer packages***: - **spomky-labs/cbor-php ^3.1** - **web-auth/webauthn-framework ^5.2** 📦 Installation -------------- [](#-installation) Install the package via Composer: ``` composer require r0073rr0r/laravel-webauthn ``` If you encounter dependency errors, run: ``` composer require r0073rr0r/laravel-webauthn -W ``` > **Note:** `"web-auth/webauthn-framework": "^5.2"` requires [`brick/math`](https://github.com/brick/math) `^0.13`, while newer Jetstream requires `brick/math` `^0.14`. An update to version 5.3 is expected soon, which will resolve this issue, but the tag has not been created yet and the composer constraint cannot be changed. Publish views and config files: ``` php artisan vendor:publish --provider="r0073rr0r\WebAuthn\WebAuthnServiceProvider" ``` Publish all package resources (views, translations, and public assets) with a single command: ``` php artisan vendor:publish --tag=webauthn ``` This will also copy the translation files to your `lang/vendor/webauthn` directory, where you can customize them. Migrate database tables: ``` php artisan migrate ``` > **Note:** The migration is safe to run even if the `webauthn_keys` table already exists. It will check if the table exists before creating it, and will add a unique constraint on `credentialId` if it doesn't already exist. [ ![asciicast installation of package](https://camo.githubusercontent.com/a2a690d4f18c52ef27e574200426c3ed27ecd00ac62377c386d20d01781d026f/68747470733a2f2f61736369696e656d612e6f72672f612f426e37766c367335737168334e665a6b356e464939695042632e737667)](https://asciinema.org/a/Bn7vl6s5sqh3NfZk5nFI9iPBc?t=7)🔄 Updating ---------- [](#-updating) When updating the package to a new version, you should republish the configuration and translation files to ensure you have the latest changes: ``` composer update r0073rr0r/laravel-webauthn php artisan vendor:publish --provider="r0073rr0r\WebAuthn\WebAuthnServiceProvider" --tag=webauthn --force ``` The `--force` flag will overwrite existing files with the latest versions from the package, ensuring you have all new configuration options and translations. > **Important:** After updating, review the `config/webauthn.php` file for any new configuration options that may have been added. ⚙️ Setup -------- [](#️-setup) After publishing the assets, include the WebAuthn JavaScript file in your layout (e.g., in `resources/views/layouts/app.blade.php` & `resources/views/layouts/guest.blade.php` or wherever you have your main layout): ``` ``` This script is required for the WebAuthn components to work properly. 🚀 Usage ------- [](#-usage) ### Registration (WebAuthnRegister) [](#registration-webauthnregister) Add the component to your Blade view (*I added it in `resources/views/profile/show.blade.php`*): [ ![Register](https://camo.githubusercontent.com/2fdfdc04ce3503c7cea3026aa3b19f45992867204c0c6998e979e12583d0d122/68747470733a2f2f636c6f75642e64626173652e696e2e72732f617070732f66696c65735f73686172696e672f7075626c6963707265766965772f736a71354a4337333567634c784b453f66696c653d2f2666696c6549643d39393632393626783d3139323026793d3130383026613d7472756526657461673d3362353439306637333137336434646137626233636339313566633963653666)](https://cloud.dbase.in.rs/s/sjq5JC735gcLxKE?dir=/&editing=false&openfile=true)``` ``` This component allows users to register their WebAuthn device (fingerprint, Face ID, USB security key, etc.). ### Login (WebAuthnLogin) [](#login-webauthnlogin) Add the component to your Blade view (*I added it in `resources/views/auth/login.blade.php` after login form*): [![Login](https://camo.githubusercontent.com/4230c711cdaea135c75a34ddd1edfc3ef75f6333a91f9d7754683e202adc28a4/68747470733a2f2f636c6f75642e64626173652e696e2e72732f617070732f66696c65735f73686172696e672f7075626c6963707265766965772f544a457737665a6a626f32456a36653f66696c653d2f2666696c6549643d39393632383926783d3139323026793d3130383026613d7472756526657461673d3264333835643731643561633439383834383963333961643065393035303839)](https://cloud.dbase.in.rs/s/TJEw7fZjbo2Ej6e?dir=/&editing=false&openfile=true)``` ``` This component allows users to log in using their previously registered WebAuthn device. ⚙️ Configuration ---------------- [](#️-configuration) The package configuration file is located at `config/webauthn.php`. After publishing, you can customize the following options: ### Basic Configuration [](#basic-configuration) ``` 'rp_id' => env('WEBAUTHN_RP_ID', parse_url(config('app.url'), PHP_URL_HOST) ?: 'localhost'), 'allowed_origins' => [ env('APP_URL'), ], 'require_user_verification' => env('WEBAUTHN_REQUIRE_UV', false), ``` ### Supported Algorithms [](#supported-algorithms) You can configure which cryptographic algorithms are allowed: ``` 'allowed_algorithms' => [ -7, // ES256 (Elliptic Curve P-256) - Most common, used by Chrome passkeys and YubiKey -35, // ES384 (Elliptic Curve P-384) -36, // ES512 (Elliptic Curve P-521) -257, // RS256 (RSA) - Used by some older hardware security keys ], ``` ### Rate Limiting [](#rate-limiting) Protect against brute force attacks with configurable rate limiting: ``` 'rate_limit' => [ 'enabled' => env('WEBAUTHN_RATE_LIMIT_ENABLED', true), 'max_attempts' => env('WEBAUTHN_RATE_LIMIT_ATTEMPTS', 5), 'decay_minutes' => env('WEBAUTHN_RATE_LIMIT_DECAY', 1), ], ``` ### Timeout Configuration [](#timeout-configuration) Configure the timeout for WebAuthn operations (in milliseconds): ``` 'timeout' => env('WEBAUTHN_TIMEOUT', 60000), // 60 seconds default ``` ### Device Name Validation [](#device-name-validation) Set minimum and maximum length for device names: ``` 'key_name' => [ 'min_length' => env('WEBAUTHN_KEY_NAME_MIN', 3), 'max_length' => env('WEBAUTHN_KEY_NAME_MAX', 64), ], ``` ### Audit Logging [](#audit-logging) Enable audit logging for security monitoring: ``` 'audit_log' => [ 'enabled' => env('WEBAUTHN_AUDIT_LOG_ENABLED', true), 'channel' => env('WEBAUTHN_AUDIT_LOG_CHANNEL', 'daily'), ], ``` **Log Channel Options:** - `'daily'` - Creates a new log file each day (e.g., `laravel-2025-01-07.log`) in `storage/logs/` - `'single'` - Writes to a single log file (`laravel.log`) - `'syslog'` - Writes to system log - `'errorlog'` - Writes to PHP error log - Custom channel - Use any channel defined in `config/logging.php` > **Note:** The `'daily'` channel does NOT send emails. It only writes to log files. If you need email notifications, configure a custom log channel in `config/logging.php` that uses a mail driver. #### Email Notifications for Audit Logs [](#email-notifications-for-audit-logs) If you want to receive email notifications for WebAuthn operations, you can configure a custom log channel with email support: **Step 1:** Add a custom channel in `config/logging.php`: ``` // config/logging.php 'channels' => [ // ... existing channels ... 'webauthn-email' => [ 'driver' => 'mail', 'level' => 'info', 'to' => env('WEBAUTHN_AUDIT_EMAIL', 'admin@example.com'), 'subject' => 'WebAuthn Security Event', ], ], ``` **Step 2:** Configure the email channel in your `.env`: ``` WEBAUTHN_AUDIT_LOG_CHANNEL=webauthn-email WEBAUTHN_AUDIT_EMAIL=admin@example.com ``` **Step 3:** Make sure your Laravel mail configuration is set up correctly in `.env`: ``` MAIL_MAILER=smtp MAIL_HOST=smtp.mailtrap.io MAIL_PORT=2525 MAIL_USERNAME=your-username MAIL_PASSWORD=your-password MAIL_ENCRYPTION=tls MAIL_FROM_ADDRESS=noreply@example.com MAIL_FROM_NAME="${APP_NAME}" ``` **Alternative:** For more advanced email notifications (e.g., only on errors, formatted emails), you can create a custom channel with Slack, Discord, or other notification services: ``` // config/logging.php 'webauthn-slack' => [ 'driver' => 'slack', 'url' => env('WEBAUTHN_SLACK_WEBHOOK_URL'), 'username' => 'WebAuthn Bot', 'emoji' => ':warning:', 'level' => 'info', ], ``` Audit logs include: - Key registrations (with user ID, key name, credential ID, AAGUID) - Login attempts (successful and failed) - Key deletions - Errors with full context (IP, user agent, timestamp) **Example log entry:** ``` { "message": "WebAuthn: login_success", "action": "login_success", "user_id": 123, "credential_id": "a1b2c3d4...", "success": true, "ip": "192.168.1.1", "user_agent": "Mozilla/5.0...", "timestamp": "2025-01-07T12:34:56+00:00" } ``` ### Environment Variables [](#environment-variables) You can configure all options via environment variables in your `.env` file: ``` WEBAUTHN_RP_ID=your-domain.com WEBAUTHN_REQUIRE_UV=false WEBAUTHN_RATE_LIMIT_ENABLED=true WEBAUTHN_RATE_LIMIT_ATTEMPTS=5 WEBAUTHN_RATE_LIMIT_DECAY=1 WEBAUTHN_TIMEOUT=60000 WEBAUTHN_KEY_NAME_MIN=3 WEBAUTHN_KEY_NAME_MAX=64 WEBAUTHN_AUDIT_LOG_ENABLED=true WEBAUTHN_AUDIT_LOG_CHANNEL=daily ``` 🎨 Customization --------------- [](#-customization) You can customize the view files after publishing them: - `resources/views/vendor/laravel-webauthn/livewire/web-authn-register.blade.php` - `resources/views/vendor/laravel-webauthn/livewire/web-authn-login.blade.php` 🔒 Security ---------- [](#-security) WebAuthn is a modern standard for secure passwordless authentication. This package uses browser native WebAuthn APIs for maximum security. ### Security Features [](#security-features) - **Rate Limiting**: Protects against brute force attacks with configurable limits - **Audit Logging**: Comprehensive logging of all WebAuthn operations for security monitoring - **Replay Attack Protection**: Sign counter validation prevents replay attacks - **Origin Validation**: Ensures requests come from allowed origins only - **Challenge Validation**: One-time challenges prevent replay attacks - **User Verification**: Optional user verification requirement for enhanced security ### Supported Authenticators [](#supported-authenticators) This package supports a wide range of WebAuthn authenticators: - ✅ **Chrome/Edge passkeys** (biometric authentication) - EC2 P-256 - ✅ **YubiKey 5 series** (USB security keys) - EC2 P-256 or RSA - ✅ **Apple Touch ID / Face ID** (via Safari) - EC2 P-256 - ✅ **Other hardware security keys** - Various algorithms (ES256, ES384, ES512, RS256) 📝 License --------- [](#-license) MIT License 🤝 Contributing -------------- [](#-contributing) Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change. ### Health Score 40 — FairBetter than 88% of packages Maintenance74 Regular maintenance activity Popularity15 Limited adoption so far Community10 Small or concentrated contributor base Maturity50 Maturing project, gaining track record Bus Factor1 Top contributor holds 95.7% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~0 days Total 2 Last Release 186d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/9ebbcd8b937d006e91b7ac7c2f3942f11cf86e0f7f6d7d9d40d0256021d0f905?d=identicon)[r00terr0r](/maintainers/r00terr0r) --- Top Contributors [![r0073rr0r](https://avatars.githubusercontent.com/u/11500982?v=4)](https://github.com/r0073rr0r "r0073rr0r (134 commits)")[![cursoragent](https://avatars.githubusercontent.com/u/199161495?v=4)](https://github.com/cursoragent "cursoragent (5 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (1 commits)") ### Code Quality TestsPest Code StyleLaravel Pint ### Embed Badge ![Health badge](/badges/r0073rr0r-laravel-webauthn/health.svg) ``` [![Health](https://phpackages.com/badges/r0073rr0r-laravel-webauthn/health.svg)](https://phpackages.com/packages/r0073rr0r-laravel-webauthn) ``` ### Alternatives [lab404/laravel-impersonate Laravel Impersonate is a plugin that allows to you to authenticate as your users. 2.3k16.4M48](/packages/lab404-laravel-impersonate)[santigarcor/laratrust This package provides a flexible way to add Role-based Permissions to Laravel 2.3k5.4M43](/packages/santigarcor-laratrust)[overtrue/laravel-follow User follow unfollow system for Laravel. 1.2k404.7k5](/packages/overtrue-laravel-follow)[namu/wirechat A Laravel Livewire messaging app for teams with private chats and group conversations. 54324.5k](/packages/namu-wirechat) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)