Registration vs Authentication

Side-by-side diagram of passkey registration and authentication flows

Registration creates a new credential for your RP ID.
The authenticator generates a key pair.
The public key is stored on your server.
The private key stays on the device or hardware key.
Later, authentication signs a fresh challenge and your server verifies it.

The Browser API Surface

Registration

const credential = await navigator.credentials.create({
  publicKey: {
    challenge,
    rp: { id: 'example.com', name: 'Example App' },
    user,
    pubKeyCredParams: [{ alg: -7, type: 'public-key' }],
  },
});

challenge comes from your server.
rp.id must match your site identity rules.
The browser talks to the authenticator for you.

Authentication

const assertion = await navigator.credentials.get({
  publicKey: {
    challenge,
    rpId: 'example.com',
    userVerification: 'preferred',
  },
});

Your server sends a fresh challenge again.
The browser finds a matching credential.
The authenticator signs the challenge response.