The Browser API Surface

Registration

const credential = await navigator.credentials.create({
  publicKey: {
    challenge,
    rp: { id: 'example.com', name: 'Example App' },
    user,
    pubKeyCredParams: [{ alg: -7, type: 'public-key' }],
  },
});

challenge comes from your server.
rp.id must match your site identity rules.
The browser talks to the authenticator for you.

Authentication

const assertion = await navigator.credentials.get({
  publicKey: {
    challenge,
    rpId: 'example.com',
    userVerification: 'preferred',
  },
});

Your server sends a fresh challenge again.
The browser finds a matching credential.
The authenticator signs the challenge response.

Two Valid Login UX Patterns

Account-first login

Ask for email or username first.
Look up the user's registered credentials.
Request a passkey for that account.

Feels familiar to users and product teams.
Gives you clearer app-level control over the flow.
Works well when passkeys are one option among several.

Passkey-first login

Start WebAuthn immediately.
Let the browser and OS find matching credentials.
Let the user choose the right passkey if more than one exists.

Feels magical when it works well.
Avoids typing an identifier up front.
Great when you want true discoverable-credential login.