What do pubKeyCredParams and the alg value (e.g. -7) specify in WebAuthn, and what does -7 mean?
pubKeyCredParams is the relying party's ordered list of acceptable public-key algorithms; alg: -7 is the COSE identifier for ES256 (ECDSA with the P-256 curve and SHA-256).
When the relying party requests a credential, it lists which signature algorithms it will accept in pubKeyCredParams. Each entry has an alg number from the COSE (CBOR Object Signing and Encryption) algorithm registry maintained by IANA:
-7→ ES256 (ECDSA on P-256 with SHA-256) — the common default.-257→ RS256 (RSASSA-PKCS1-v1_5 with SHA-256).
The list is ordered most-preferred → least-preferred. The authenticator takes a best-effort approach: it picks the first algorithm in the list that it actually supports and generates that kind of key pair.
Tip: The full algorithm list lives at the IANA COSE registry. The negative numbers aren't errors — COSE just uses negative integers for many signature algorithms.
Go deeper:
IANA COSE Algorithms registry — the authoritative table mapping -7→ES256 and -257→RS256.