passkey-go: WebAuthn/passkey assertion verification in pure Go
Chan Aethiopicus

Chan Aethiopicus @aethiopicuschan

Publish Date: Jun 12

Hey all 👋

I've released passkey-go, a Go library for handling server-side passkey (WebAuthn) assertion verification.

It provides both low-level building blocks (CBOR, COSE, authData parsing) and a high-level VerifyAssertion() function compatible with the output of navigator.credentials.get().

🔐 Key Features

  • ✅ Pure Go – No CGO or OpenSSL dependency
  • 🔒 End-to-end passkey (FIDO2/WebAuthn) support
  • 🔧 High-level API: VerifyAssertion(...) to validate client responses
  • 🧱 Low-level parsing: AttestationObject, AuthenticatorData, COSE key → ECDSA
  • 🧪 Strong error types (PasskeyError) for HTTP mapping
  • 📎 Base64URL-compatible and ES256-only (per WebAuthn spec)
  • 🗂 Example code included for both registration and login

💡 Why?

Most WebAuthn libraries in Go are tightly coupled to frontend flows or rely on external dependencies.

passkey-go aims to be:

  • 🔹 Lightweight
  • 🔹 Backend-only
  • 🔹 Easy to integrate into your own auth logic

You can issue challenges, parse assertions, and verify signatures—all within your own backend service.

📦 Repo:

https://github.com/aethiopicuschan/passkey-go

I'd love any feedback, bug reports, or feature suggestions (e.g., support for EdDSA, Android quirks, etc.). Contributions welcome!

Thanks 🙌
