What The Server Must Verify And Store

Verification and storage

type RegistrationVerification = {
  challenge: string;
  origin: string;
  rpId: string;
  credentialId: Uint8Array;
  publicKey: Uint8Array;
  signCount: number;
};

Verify the challenge matches what you issued.
Verify the origin matches your allowed origins.
Verify the rpId matches your configured site identity.

What you keep for later

credentialId so you can look up the right passkey later
publicKey for verifying future assertions
signCount as a cloned-key warning signal

If the signature counter goes backwards or stops behaving as expected, treat it as suspicious and trigger extra review or recovery.

Use Libraries, Not Raw Crypto

Recommended stack

@simplewebauthn/server
@simplewebauthn/browser
better-auth or lucia-auth if you want passkeys inside a broader auth system

import { generateRegistrationOptions, verifyRegistrationResponse } from '@simplewebauthn/server';

Why libraries matter

WebAuthn has binary formats, origin checks, and edge cases.
Good libraries already handle verification rules and browser quirks.
You still own the challenge lifecycle, credential storage, and recovery UX.
The hard product question is usually fallback and account recovery, not the API call itself.