1. Web
  2. Web APIs
  3. PublicKeyCredentialCreationOptions

PublicKeyCredentialCreationOptions

Baseline Widely available *

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨September 2019⁩.

* Some parts of this feature may have varying levels of support.

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The PublicKeyCredentialCreationOptions dictionary represents the object passed to CredentialsContainer.create() as the value of the publicKey option: that is, when using create() to create a public key credential using the Web Authentication API.

Instance properties

attestation Optional

A string specifying the relying party's preference for how the attestation statement (i.e., provision of verifiable evidence of the authenticity of the authenticator and its data) is conveyed during credential creation. The value can be one of the following:

"none"

Specifies that the relying party is not interested in authenticator attestation. This might be to avoid additional user consent for round trips to the relying party server to relay identifying information, or round trips to an attestation certificate authority (CA), with the aim of making the authentication process smoother. If "none" is chosen as the attestation value, and the authenticator signals that it uses a CA to generate its attestation statement, the client app will replace it with a "None" attestation statement, indicating that no attestation statement is available.

"direct"

Specifies that the relying party wants to receive the attestation statement as generated by the authenticator.

"enterprise"

Specifies that the Relying Party wants to receive an attestation statement that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators.

"indirect"

Specifies that the relying party wants to receive a verifiable attestation statement, but it will allow the client to decide how to receive it. For example, the client could choose to replace the authenticator's assertion statement with one generated by an Anonymization CA to protect user privacy.

If attestation is omitted, it will default to "none".

attestationFormats Optional

An array of strings specifying the relying party's preference for the attestation statement format used by the authenticator. Values should be ordered from highest to lowest preference, and should be considered hints — the authenticator may choose to issue an attestation statement in a different format. For a list of valid formats, see WebAuthn Attestation Statement Format Identifiers.

If omitted, attestationFormats defaults to an empty array.

authenticatorSelection Optional

An object whose properties are criteria used to filter out the potential authenticators for the credential creation operation. This object can contain the properties:

authenticatorAttachment Optional

A string indicating which authenticator attachment type should be permitted for the chosen authenticator. Possible values are:

"platform"

The authenticator is part of the device WebAuthn is running on (termed a platform authenticator), therefore WebAuthn will communicate with it using a transport available to that platform, such as a platform-specific API. A public key credential bound to a platform authenticator is called a platform credential.

"cross-platform"

The authenticator is not a part of the device WebAuthn is running on (termed a roaming authenticator as it can roam between different devices), therefore WebAuthn will communicate with it using a cross-platform transport protocol such as Bluetooth or NFC. A public key credential bound to a roaming authenticator is called a roaming credential.

If omitted, any type of authenticator, either platform or cross-platform, can be selected for the credential creation operation.

requireResidentKey Optional

A boolean. If set to true, it indicates that a resident key is required (see residentKey) This property is deprecated, but still available in some implementations for backwards compatibility with WebAuthn Level 1. The value should be set to true if residentKey is set to "required".

If omitted, requireResidentKey defaults to false.

residentKey Optional

A string that specifies the extent to which the relying party desires to create a client-side discoverable credential (that is, one that is usable in authentication requests where the relying party does not provide credential IDs — navigator.credentials.get() is called with an empty allowCredentials value). The alternative is a server-side credential, where the relying party must provide credential IDs in the get() allowCredentials value. Possible values are:

"discouraged"

The relying party prefers creation of a server-side credential, but will accept a client-side discoverable credential.

"preferred"

The relying party strongly prefers creation of a client-side discoverable credential, but will accept a server-side credential. The user agent should guide the user through setting up user verification, if needed, to create a discoverable credential. This takes precedence over the userVerification setting.

"required"

The relying party requires a client-side discoverable credential. If one cannot be created, a NotAllowedError DOMException is thrown. See the create() exceptions list for more details.

If omitted, residentKey defaults to "required" if requireResidentKey is true, otherwise the default value is "discouraged".

userVerification Optional

A string that specifies the relying party's requirements for user verification for the create() operation. Possible values are:

"discouraged"

The relying party prefers no user verification for the create() operation, in the interests of minimizing disruption to the user experience.

"preferred"

The relying party prefers user verification for the create() operation, but it will not fail if user verification cannot be performed.

"required"

The relying party requires user verification for the create() operation — if user verification cannot be performed, an error is thrown.

If omitted, userVerification defaults to "preferred".

challenge

An ArrayBuffer, TypedArray, or DataView provided by the relying party's server and used as a cryptographic challenge. This value will be signed by the authenticator and the signature will be sent back as part of AuthenticatorAttestationResponse.attestationObject.

excludeCredentials Optional

An Array of objects describing existing credentials that are already mapped to this user account (as identified by user.id). This is provided by the relying party, and checked by the user agent to avoid creating a new public key credential on an authenticator that already has a credential mapped to the specified user account. Each item should be of the form:

id

An ArrayBuffer,