Hey all 👋
I've released passkey-go, a Go library for handling server-side passkey (WebAuthn) assertion verification.
It provides both low-level building blocks (CBOR, COSE, authData parsing) and a high-level VerifyAssertion()
function compatible with the output of navigator.credentials.get()
.
🔐 Key Features
- ✅ Pure Go – No CGO or OpenSSL dependency
- 🔒 End-to-end passkey (FIDO2/WebAuthn) support
- 🔧 High-level API:
VerifyAssertion(...)
to validate client responses - 🧱 Low-level parsing: AttestationObject, AuthenticatorData, COSE key → ECDSA
- 🧪 Strong error types for HTTP mapping PasskeyError
- 📎 Base64URL-compatible and ES256-only (per WebAuthn spec)
- 🗂 Example code included for both registration and login
💡 Why?
Most WebAuthn libraries in Go are tightly coupled to frontend flows or rely on external dependencies.
passkey-go
aims to be:
- 🔹 Lightweight
- 🔹 Backend-only
- 🔹 Easy to integrate into your own auth logic
You can issue challenges, parse assertions, and verify signatures—all within your own backend service.
📦 Repo:
https://github.com/aethiopicuschan/passkey-go
I'd love any feedback, bug reports, or feature suggestions (e.g., support for EdDSA, Android quirks, etc). Contributions welcome!
Thanks 🙌