To create and authenticate with passkeys, you will use the WebAuthn API for the web, or the Credential Manager API for Android apps. These APIs handle the communication between the client and the passkey provider.
While these APIs are called from a client such as a web page or Android app, you need to implement the rest of the functionality on the server to complete your authentication use cases.
A passkey implementation consists of two functionalities:
Passkey registration. Use the WebAuthn API or the Credential Manager API to let the user create a passkey. Store the associated public key on the server.
Authentication with a passkey. Get an authentication challenge from the server and use the WebAuthn API or Credential Manager API to let the user sign this challenge with their passkey. Verify the signature on the server. If the signature is valid, authenticate the user.
Server-side libraries
While it's possible to implement server-side passkeys functionality from scratch, we recommend that you rely on a library instead.
A server that supports passkey creation and authentication is called a FIDO2 server, or FIDO server for short. By extension, we'll refer here to server-side libraries that implement passkey support as FIDO server-side libraries.
Why use a library?
Using a FIDO server-side library has several advantages:
Time and developer experience. The WebAuthn specification is complex. FIDO server-side libraries can provide simple APIs for implementing passkeys, which can save you time and development resources.
Maintainability. The WebAuthn specification is still subject to change. Using the latest version of an actively maintained library helps keep your implementation up-to-date.
Security and compliance. You want your passkey implementation to conform to the WebAuthn specification and its security requirements. FIDO server-side libraries can help you keep your implementation secure and compliant with the specification. Depending on your product and industry, your implementation may also be subject to regulations that require you to use specific security standards for authentication.
If possible, consider financially supporting open source projects your product relies on.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-19 UTC."],[[["\u003cp\u003ePasskeys utilize passkey providers, like Google Password Manager or Apple iCloud Keychain, for secure credential generation and authentication.\u003c/p\u003e\n"],["\u003cp\u003eServer-side implementation involves passkey registration (storing public keys) and authentication (verifying signatures).\u003c/p\u003e\n"],["\u003cp\u003eUsing FIDO server-side libraries is recommended for simplified implementation, maintainability, and enhanced security.\u003c/p\u003e\n"],["\u003cp\u003eSeveral curated lists of FIDO server-side libraries are available for various programming languages, including JavaScript, Go, and Python.\u003c/p\u003e\n"]]],[],null,["| **Note:** This article is part of a series on server-side passkey implementation. Explore the other articles in this series: [Server-side passkey registration](/identity/passkeys/developer-guides/server-registration) and [Server-side passkey authentication](/identity/passkeys/developer-guides/server-authentication).\n\nOverview\n\nWhen using [synchronized passkeys](https://developers.google.com/identity/passkeys/supported-environments#:%7E:text=Passkeys%20can%20be%20synchronized%20across%20devices%20in%20the%20same%20ecosystem), people authenticate with a *passkey provider*.\n| **Key Term:** A *passkey provider* is a piece of software used to generate and provide cryptographically-secure credentials. Examples of passkey providers include Google Password Manager, Apple iCloud Keychain, Windows Hello, Dashlane and more.\n\nTo create and authenticate with passkeys, you will use the [WebAuthn API](https://developer.mozilla.org/docs/Web/API/Web_Authentication_API) for the web, or the [Credential Manager API](https://developer.android.com/training/sign-in/passkeys) for Android apps. These APIs handle the communication between the client and the passkey provider.\n\nWhile these APIs are called from a client such as a web page or Android app, you need to implement the rest of the functionality on the server to complete your authentication use cases.\n\nA passkey implementation consists of two functionalities:\n\n1. **Passkey registration.** Use the WebAuthn API or the Credential Manager API to let the user create a passkey. Store the associated public key on the server.\n2. **Authentication with a passkey**. Get an authentication challenge from the server and use the WebAuthn API or Credential Manager API to let the user sign this challenge with their passkey. Verify the signature on the server. If the signature is valid, authenticate the user.\n\nServer-side libraries\n\nWhile it's possible to implement server-side passkeys functionality from scratch, we recommend that you rely on a library instead.\n\nA server that supports passkey creation and authentication is called a *FIDO2 server* , or *FIDO server* for short. By extension, we'll refer here to server-side libraries that implement passkey support as *FIDO server-side libraries*.\n| **Note:** [FIDO2](https://fidoalliance.org/specifications/) is an umbrella term for the effort that produced the [WebAuthn API](https://developer.mozilla.org/docs/Web/API/Web_Authentication_API) and the [CTAP2 protocol](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) that passkeys rely on.\n\nWhy use a library?\n\nUsing a FIDO server-side library has several advantages:\n\n- **Time and developer experience.** The [WebAuthn specification](https://www.w3.org/TR/webauthn/) is complex. FIDO server-side libraries can provide simple APIs for implementing passkeys, which can save you time and development resources.\n- **Maintainability.** The [WebAuthn specification](https://www.w3.org/TR/webauthn/) is still subject to change. Using the latest version of an actively maintained library helps keep your implementation up-to-date.\n- **Security and compliance.** You want your passkey implementation to conform to the WebAuthn specification and its security requirements. FIDO server-side libraries can help you keep your implementation secure and compliant with the specification. Depending on your product and industry, your implementation may also be subject to regulations that require you to use specific security standards for authentication.\n\nIf possible, consider financially supporting open source projects your product relies on.\n\nLibraries **Note:** To select your passkey library, refer to the [selection criteria](https://web.dev/blog/passkey-lib-criteria).\n\n- The [awesome-webauthn](https://github.com/herrjemand/awesome-webauthn) GitHub repository includes a [community-curated list of server-side libraries](https://github.com/herrjemand/awesome-webauthn#server-libraries). You'll find libraries for JavaScript and TypeScript, Go, Python, and more.\n- A [collection of libraries](https://passkeys.dev/docs/tools-libraries/libraries/) is available on [passkeys.dev](https://passkeys.dev/). It's maintained by the [W3C WebAuthn Adoption Community Group](https://www.w3.org/community/webauthn-adoption/).\n- FIDO Alliance references a [collection of FIDO2 servers](https://fidoalliance.org/certification/fido-certified-products/).\n\nNext up\n\n- [Server-side passkey registration](/identity/passkeys/developer-guides/server-registration)\n- [Server-side passkey authentication](/identity/passkeys/developer-guides/server-authentication)"]]