Skip to main content

Client Data

The Client Data object is used during user registration, new credential creation, login, recovery and action signing

Fido2 credential

When using Fido2, the client data object is built inside the authenticator and returned to the browser base64url encoded. There is no need to modify it. More information can be found in the W3C webauthn offical specification

Example

Key, Password Protected Key and Recovery credential

Unlike when using Fido2 credential, the client data object needs to be created manually for Key credential. Once created the object needs to be “stringified” and base64url encoded.
Critical formatting requirements:
  • Keys must be alphabetically sorted (e.g., challenge before type)
  • JSON separators must have no spaces after : and ,
  • The result must be base64url encoded (not standard base64)
Incorrect formatting will cause “Unable to verify signature” errors.

Example

Attestation Data

This attestation data object is used during registration and new credential.

Fido2 credential

When using Fido2, the attestation data object is built inside the authenticator and returned to the browser. It is encoded using CBOR specification. There is no need to modify it. More information can be found in the W3C webauthn offical specification. It is an opaque object and there is no need to describe it here.

Example

Key, Password Protected Key and Recovery credential

Unlike when using Fido2 credential, the attestation data object needs to be created manually for Key credential. Once created the object needs to be “stringified” and base64url encoded. Before building the attestation data object, the credential info fingerprint object needs to be created.

Credential Info Fingerprint

The attestation data object contains a signature. This section explains how to construct the credential info fingerprint object that is then signed and included in the attestation data object.
In order for the server to properly verify the signature, the clientDataHash needs to be computed in a reproducible way. That means the “stringified” operation of the client data object needs to be done with the following requirements:
  • Keys need to be sorted in alphabetical order: challenge first, and then type
  • Separators need to be : and , without any space before and after
For example given the following client data object
The “stringified” version needs to be
Example
So the attestation data object is built with the following fields
In order for the server to properly verify the signature, the “stringified” operation of the Credential Info Fingerprint object needs to be done with the following requirements:
  • Keys need to be sorted in alphabetical order: clientDataHash first, then publicKey
  • Separators need to be : and , without any space before and after
For example given the following client data object
The “stringified” version needs to be
The signature also needs to be generated with pre-defined hash algorithm and encoding:
  • Hash algorithm: SHA256
  • Encoding: DER. See Signature Format for more information

Signing Example

Example

Last modified on June 8, 2026