Web Authentication API server for PHP

v0.9.0 2022-11-16 10:56 UTC


Scrutinizer Code Quality Code Coverage Build Status License: MIT

Current state

Pretty stable but the API may still change slightly until the 1.0 release.


This library aims to implement the relying party server of the WebAuthn specification in PHP. Important goals are:

  • Implement the level 1 WebAuthn specification
  • Good quality, secure and maintainable code
  • Easy to use for the end-user


Installation via composer:

composer require madwizard/webauthn

Supported features

  • PHP 7.2

  • FIDO conformant library
  • Attestation types:
    • FIDO U2F
    • Packed
    • TPM
    • Android SafetyNet
    • Android Key
    • Apple
    • None
    • Optional 'unsupported' type to handle future types
  • Metadata service support
  • Validating metadata
  • Extensions:
    • appid


The library is still in development so documentation is limited. The general pattern to follow is:

  1. Implement CredentialStoreInterface (you will need UserCredential or your own implementation of UserCredentialInterface)
  2. Create an instance of RelyingParty and use the ServerBuilder class to build a server object:
$server = (new ServerBuilder())
  1. Use startRegistration/finishRegistration to register credentials. Be sure to store the temporary AttestationContext server side!
  2. and startAuthentication/finishAuthentication to authenticate. Be sure to store the temporary AssertionContext server side!


WebAuthn specification