WebAuthn Response Decoder

WebAuthn attestation is the process by which an authenticator proves its legitimacy to a relying party during registration. The attestationObject contains a cryptographic statement about the authenticator's model and the public key it generated. It is CBOR-encoded and can be decoded to inspect its format, attestation statement, and authenticator data.

Developers often need to inspect attestation objects to debug registration flows, verify AAGUID, extract credential IDs, or understand the authenticator's capabilities. A decoder turns raw bytes into human-readable JSON, making troubleshooting and integration work much easier.

You can obtain the attestation format (e.g., packed, tpm, none), the attestation statement (signatures, certificates), the authenticator data (rpIdHash, flags, signCount, AAGUID, credential ID, and public key). Our tool breaks down the authData further to show each field.

AAGUID (Authenticator Attestation GUID) is a 16-byte identifier that indicates the authenticator's make and model. It can be used to apply security policies or recognize specific hardware tokens. Our parser displays it in both hex and UUID format.

Absolutely. All decoding happens entirely inside your browser – no data is ever transmitted to any server. You can even disconnect your internet after loading the page and the tool will still work.

You can use a CBOR library like cbor-x to decode the attestationObject ArrayBuffer: const obj = CBOR.decode(attestationBuffer); Then parse the authData binary manually using DataView to extract rpIdHash, flags, AAGUID, etc.

The clientDataJSON is a JSON‑serialized object that contains the challenge, origin, and type (e.g., webauthn.create). It is not part of the attestationObject but is sent alongside it during registration. Our tool can decode it separately.