Hey all π
I've released passkey-go, a Go library for handling server-side passkey (WebAuthn) assertion verification.
It provides both low-level building blocks (CBOR, COSE, authData parsing) and a high-level VerifyAssertion() function compatible with the output of navigator.credentials.get().
π Key Features
- β Pure Go β No CGO or OpenSSL dependency
- π End-to-end passkey (FIDO2/WebAuthn) support
- π§ High-level API:
VerifyAssertion(...)to validate client responses - 𧱠Low-level parsing: AttestationObject, AuthenticatorData, COSE key β ECDSA
- π§ͺ Strong error types for HTTP mapping PasskeyError
- π Base64URL-compatible and ES256-only (per WebAuthn spec)
- π Example code included for both registration and login
π‘ Why?
Most WebAuthn libraries in Go are tightly coupled to frontend flows or rely on external dependencies.
passkey-go aims to be:
- πΉ Lightweight
- πΉ Backend-only
- πΉ Easy to integrate into your own auth logic
You can issue challenges, parse assertions, and verify signaturesβall within your own backend service.
π¦ Repo:
https://github.com/aethiopicuschan/passkey-go
I'd love any feedback, bug reports, or feature suggestions (e.g., support for EdDSA, Android quirks, etc). Contributions welcome!
Thanks π
Top comments (0)