LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is the attestationObject sent at the end of WebAuthn registration?

It's the central return object from the authenticator to the website, containing the newly created public key plus metadata that lets the relying party verify and trust the credential.

The attestationObject is what completes registration on the client side. It bundles:

  • the public key of the new credential,
  • the credential ID (used later to look this credential up at login),
  • authenticator data (which relying party, sign counter, flags),
  • an attestation statement — an optional signature/certificate vouching for the authenticator's make/model, so the relying party can decide whether to trust this kind of device.

The relying party parses it, stores the public key + credential ID against the user account, and registration is done. From then on the site can verify that user's signatures.

Tip: Attestation answers "what kind of authenticator made this key, and can I trust it?" — distinct from assertion, which is the signed-challenge object you send at login to prove you hold the key.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026