During WebAuthn registration, what does the authenticator create, and what exactly gets sent to the website?
The authenticator generates a new public/private key pair; the private key stays sealed on the device, and only the public key (inside an attestation object) is sent to the relying party.
* WebAuthn registration: the device keeps the private key, sends only the public key. *
The registration sequence (navigator.credentials.create):
- User clicks "register"; the browser asks the relying party for a challenge.
- The relying party's script calls
navigator.credentials.create()with that challenge and creation options. - The user unlocks the authenticator (PIN/biometric).
- The authenticator generates a fresh key pair for this site, signs the challenge, and returns new credentials (the public key) + signed challenge.
- The browser forwards the public key to the relying party, which stores it against the user's account. Response: "Registered."
The user side is almost effortless: choose a username (often an email), pick the authenticator, unlock it. No password is ever created.
Tip: A separate key pair is generated per website, so credentials for site A can't be correlated with or used at site B — built-in protection against cross-site tracking.
Go deeper:
MDN: Web Authentication API —
navigator.credentials.create()/get()and the credential objects in detail.webauthn.io — live demo: register and log in with a passkey and watch the exact options/responses.