
report-uri/passkeys-php
=======================

A security-focused PHP WebAuthn (FIDO2 / Passkeys) server library, forked from lbuchs/WebAuthn

v2.0.1 (released 2w ago) · 1377 stars · MIT · PHP >=8.0.0 · CI passing · Since May 13 · Pushed 2w ago · 4 watchers

[Source](https://github.com/report-uri/passkeys-php) · [Packagist](https://packagist.org/packages/report-uri/passkeys-php) · [RSS](/packages/report-uri-passkeys-php/feed)


This is a maintained fork of [lbuchs/WebAuthn](https://github.com/lbuchs/WebAuthn) by [Report URI](https://report-uri.com), forked at upstream `v2.2.0`. Goal: provide a small, lightweight, understandable library to protect logins with passkeys, security keys (Yubico, Solo), platform authenticators (Touch ID, Face ID, Windows Hello), etc. — with security fixes applied.

Why fork
--------

Upstream is effectively dormant. A pen test of Report URI's passkey integration surfaced several conformance issues; fixes were submitted as PRs to lbuchs/WebAuthn but have not been merged. This fork ships those fixes inline so consumers don't need to maintain patches of their own.

### Security improvements vs lbuchs/WebAuthn v2.2.0

- **Attestation removed entirely** — only `fmt: 'none'` with an empty `attStmt` is accepted. `getCreateArgs()` always requests `attestation: 'none'` from the browser, which is required by spec to strip the attestation statement regardless of which authenticator the user holds. All TPM / Packed / U2F / Android-Key / SafetyNet / Apple format handling has been deleted, along with the FIDO MDS plumbing and root-CA validation. The library is positioned for SaaS-style passkey auth where the RP only needs to know the user controls a credential bound to the RP — not which authenticator they used.
- **Tighter origin check** — the previous regex-based RP-ID match treated the RP ID as a bare string suffix of the origin host (e.g. RP ID `example.com` would match host `evil-example.com`). The origin host must now be an exact match or a true subdomain (the RP ID preceded by a dot).
- **Cross-origin rejection** — `processCreate` / `processGet` now reject ceremonies where `clientDataJSON.crossOrigin === true` (WebAuthn Level 3 §7.1 Step 10, §7.2 Step 13).
- **Backup flag validation** — `AuthenticatorData` now rejects flag bytes where Backup State (BS) is set without Backup Eligible (BE), per spec.
- **Token Binding rejection** — `clientDataJSON.tokenBinding.status === 'present'` is rejected (WebAuthn Level 2 §7.1 Step 6, §7.2 Step 10), since this library does not implement Token Binding.

Each fix is a separate commit on `main` for easy auditing.
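The origin, clientDataJSON and backup-flag rules from the list above, written out as standalone functions (an added example, not the library's code) with the weak suffix match kept beside the hardened rule so the `evil-example.com` case can be compared; the function names are the example's own.

```php
<?php
// Added example (not the library's code): the origin, clientDataJSON and
// backup-flag checks listed above, as standalone functions.

// Weak rule: RP ID accepted as a bare string suffix of the origin host.
function originAllowedWeak(string $rpId, string $origin): bool
{
    $host = strtolower((string) parse_url($origin, PHP_URL_HOST));
    return str_ends_with($host, strtolower($rpId));
}

// Hardened rule: exact host match or a true subdomain (".rpId" suffix);
// https only, except http for localhost during development.
function originAllowedStrict(string $rpId, string $origin): bool
{
    $p = parse_url($origin);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    $rpId   = strtolower($rpId);
    $hostOk   = $host === $rpId || str_ends_with($host, '.' . $rpId);
    $schemeOk = $scheme === 'https' || ($scheme === 'http' && $host === 'localhost');
    return $hostOk && $schemeOk;
}

// Decoded clientDataJSON checks: type, challenge (base64url), origin,
// crossOrigin, tokenBinding. Returns null when all pass, else the reason.
function clientDataProblem(array $cd, string $type, string $rpId, string $challengeB64u): ?string
{
    if (($cd['type'] ?? null) !== $type) return 'wrong type';
    if (!hash_equals($challengeB64u, (string) ($cd['challenge'] ?? ''))) return 'challenge mismatch';
    if (!originAllowedStrict($rpId, (string) ($cd['origin'] ?? ''))) return 'origin not allowed';
    if (($cd['crossOrigin'] ?? false) === true) return 'cross-origin ceremony';
    if (($cd['tokenBinding']['status'] ?? null) === 'present') return 'token binding unsupported';
    return null;
}

// AuthenticatorData flags byte: BE is bit 3 (0x08), BS is bit 4 (0x10).
// BS set without BE is an invalid combination and must be rejected.
function backupFlagsValid(int $flags): bool
{
    return ($flags & 0x08) !== 0 || ($flags & 0x10) === 0;
}

// Constructed sample: a hostile origin that only the weak rule accepts.
$chal = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
$cd = ['type' => 'webauthn.get', 'challenge' => $chal, 'origin' => 'https://evil-example.com'];
var_dump(originAllowedWeak('example.com', $cd['origin']), originAllowedStrict('example.com', $cd['origin']));
var_dump(clientDataProblem($cd, 'webauthn.get', 'example.com', $chal), backupFlagsValid(0x15));
```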

### Migrating from a build with attestation

If you previously consumed `lbuchs/WebAuthn` (or an earlier build of this fork) and used attestation:

- The constructor no longer accepts an `$allowedFormats` argument. Drop the third positional argument: `new WebAuthn($rpName, $rpId, $useBase64UrlEncoding = false)`.
- `addRootCertificates()`, `addAndroidKeyHashes()`, and `queryFidoMetaDataService()` have been removed. Delete any calls to them.
- `processCreate()` no longer accepts `$failIfRootMismatch` or `$requireCtsProfileMatch`. Drop those arguments.
- The `processCreate()` result no longer carries `attestationFormat`, `certificate`, `certificateChain`, `certificateIssuer`, `certificateSubject`, or `rootValid`. Remove any code that reads those fields.
- Native Android app origins (`android:apk-key-hash:…`) are no longer recognised; only `https` origins (and `http://localhost` for development) are accepted. This affects only relying parties that ship a **native Android app** which calls the platform FIDO2 / Credential Manager API in-process — those calls produce `android:apk-key-hash:` origins. Browsers on Android (Chrome, Firefox, Edge, …) and any WebView-based flow still produce normal `https://` origins and work unchanged.
- The `WebAuthnException::CERTIFICATE_NOT_TRUSTED` and `WebAuthnException::ANDROID_NOT_TRUSTED` error-code constants have been removed. Both were thrown only from attestation paths that no longer exist. Update any `catch` blocks that branch on `$e->getCode()`.

Installation
------------

```
composer require report-uri/passkeys-php
```

The library autoloads under PSR-4 as `ReportUri\Passkeys\`. The main entry point is `ReportUri\Passkeys\WebAuthn` (the class name is kept aligned with the W3C spec name).

```
use ReportUri\Passkeys\WebAuthn;

$server = new WebAuthn('My App', 'example.com');
```

Manual
------

See [`_test/`](_test/) for a simple working demo. The `server.php` + `client.html` pair exercises registration and login end-to-end.

Workflow
--------

```
         JAVASCRIPT            |          SERVER
------------------------------------------------------------
                         REGISTRATION

   window.fetch  ----------------->     getCreateArgs
                                             |
navigator.credentials.create        processCreate
                                             |
      alert ok or fail
```

Passkeys
--------

Passkeys allow sharing credentials stored on one device with other devices. From a server's perspective there is no difference from client-side discoverable credentials — the OS handles cross-device sync transparently.

### How does it work?

In a typical server-side key management flow, the user enters their username (and maybe password). The server validates and returns a list of public-key identifiers for that user; the authenticator picks the first credential it issued and signs.

In a client-side flow, the user does not need to provide a username. The authenticator searches its own memory for a key bound to the relying party (domain). If a key is found, the authentication process proceeds as it would if the server had sent a list of identifiers.

### How can I use it?

#### on registration

When calling `ReportUri\Passkeys\WebAuthn->getCreateArgs`, set `$requireResidentKey` to true so the authenticator saves the registration in its memory.

#### on login

When calling `ReportUri\Passkeys\WebAuthn->getGetArgs`, don't provide any `$credentialIds` — the authenticator will look up the IDs in its own memory and return the user ID as `userHandle`. Set the type of authenticator to `hybrid` (passkey scanned via QR code) and `internal` (passkey stored on the device itself).

#### caveat

The RP ID (domain) is saved on the authenticator. If an authenticator is lost it is theoretically possible to find the services it's used with and log in there.
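A minimal endpoint covering the registration options and the username-less login described in the two subsections above, as an added example rather than the project's own `_test/server.php`; the positional argument order of `getCreateArgs()`, `getGetArgs()` and `processGet()`, and the `getChallenge()`/`getSignatureCounter()` helpers, are assumed from upstream v2.2.0, while `findCredential()` and `saveSignCount()` are hypothetical storage helpers you supply.

```php
<?php
// Added example, not the project's _test/server.php. Argument order of
// getCreateArgs()/getGetArgs()/processGet() and getChallenge()/
// getSignatureCounter() assumed from upstream v2.2.0; findCredential()
// and saveSignCount() are hypothetical storage helpers.
require 'vendor/autoload.php';
use ReportUri\Passkeys\WebAuthn;
use ReportUri\Passkeys\WebAuthnException;

session_start();
$server = new WebAuthn('My App', 'example.com');
$step = $_GET['step'] ?? 'verify';
if ($step === 'register-options') {           // logged-in user adds a passkey
    // 5th arg $requireResidentKey = true: the authenticator stores the key,
    // so login later needs no username; 6th arg requires user verification.
    $args = $server->getCreateArgs($_SESSION['user_id'], $_SESSION['user_name'],
                                   $_SESSION['user_name'], 20, true, true);
    $_SESSION['challenge'] = $server->getChallenge();
    header('Content-Type: application/json'); echo json_encode($args); exit;
}
if ($step === 'login-options') {
    // No $credentialIds: the authenticator picks from its own memory.
    // usb/nfc/ble off, hybrid (QR) and internal (platform) on, UV required.
    $args = $server->getGetArgs([], 20, false, false, false, true, true, true);
    $_SESSION['challenge'] = $server->getChallenge();
    header('Content-Type: application/json'); echo json_encode($args); exit;
}

// step=verify: the browser posts the assertion fields, base64-encoded.
$post = json_decode(file_get_contents('php://input'), true, 512, JSON_THROW_ON_ERROR);
$userHandle = base64_decode($post['userHandle']);   // user ID returned by the passkey
$cred = findCredential($userHandle, base64_decode($post['id']));
if ($cred === null) { http_response_code(401); exit; }
try {
    $server->processGet(
        base64_decode($post['clientDataJSON']),
        base64_decode($post['authenticatorData']),
        base64_decode($post['signature']),
        $cred['publicKey'],          // PEM saved from processCreate() at registration
        $_SESSION['challenge'],
        $cred['signCount'],          // previous counter, for clone detection
        true                         // require user verification
    );
} catch (WebAuthnException $e) {
    http_response_code(401); exit;
}
unset($_SESSION['challenge']);       // challenge is single-use
saveSignCount($cred['id'], $server->getSignatureCounter());
$_SESSION['user_id'] = $cred['userId'];
```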

### device support

Built-in passkeys that automatically sync to all of a user's devices: see [passkeys.dev/device-support](https://passkeys.dev/device-support/).

- Apple iOS 16+ / iPadOS 16+ / macOS Ventura+
- Android 9+
- Microsoft Windows 11 23H2+

Requirements
------------

- PHP >= 8.0 with [OpenSSL](http://php.net/manual/en/book.openssl.php) and [Multibyte String](https://www.php.net/manual/en/book.mbstring.php)
- Browser with [WebAuthn support](https://caniuse.com/webauthn)
- PHP [Sodium](https://www.php.net/manual/en/book.sodium.php) (or [Sodium Compat](https://github.com/paragonie/sodium_compat)) for [Ed25519](https://en.wikipedia.org/wiki/EdDSA#Ed25519) support, or OpenSSL with native Ed25519 support (PHP ≥ 8.4)

Credits
-------

The original library was written by [Lukas Buchs](https://github.com/lbuchs) under the MIT license. See [NOTICE.md](NOTICE.md) for full attribution.

License
-------

[MIT](LICENSE) — same as upstream.

Further reading
---------------

- [W3C WebAuthn spec](https://www.w3.org/TR/webauthn/)
- [MDN: Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API)
- [passkeys.dev](https://passkeys.dev/)
- [FIDO Alliance](https://fidoalliance.org)
