Passkey flow
See how passkey registration and sign-in move between authenticator, browser, and server. Run a local WebAuthn ceremony with a client-generated challenge — nothing is sent to flaviocopes.com for verification.
Educational demo only. Real apps must verify attestations and assertions on the server, bind challenges to sessions, and check origin + RP ID. This page does none of that.
Capability check
Authenticator
Client (browser)
Server
Local challenge (client-only)
In production the server generates this. Here we use crypto.getRandomValues in your browser — still never uploaded for verification.
This creates a real passkey on your device for flaviocopes.com. It is not registered to an account. Delete it from your password manager after testing.
Glossary
About this tool
Passkeys are WebAuthn credentials — public-key crypto with phishing-resistant origin checks. Registration creates a key pair; authentication proves possession with a signature over the server challenge.
Libraries like Better Auth wrap the server side; this tool shows the ceremony so the three-party dance makes sense before you wire it up.