Para criar e autenticar com chaves de acesso, use a API WebAuthn para a Web ou a API Credential Manager para apps Android. Essas APIs gerenciam a comunicação entre o cliente e o provedor da chave de acesso.
Embora essas APIs sejam chamadas de um cliente como uma página da Web ou um app Android, você precisa implementar o restante da funcionalidade no servidor para concluir seus casos de uso de autenticação.
Uma implementação de chave de acesso consiste em duas funcionalidades:
Registro de chave de acesso. Use a API WebAuthn ou a API Credential Manager para permitir que o usuário crie uma chave de acesso. Armazenar a chave pública associada no servidor.
Autenticação com uma chave de acesso. Receba um desafio de autenticação no servidor e use a API WebAuthn ou a API Credential Manager para permitir que o usuário assine esse desafio com a chave de acesso. Verificar a assinatura no servidor. Se a assinatura for válida, autentique o usuário.
Bibliotecas do lado do servidor
Embora seja possível implementar a funcionalidade de chaves de acesso do lado do servidor do zero, recomendamos que você use uma biblioteca.
Um servidor compatível com a criação e autenticação de chaves de acesso é chamado de servidor FIDO2 ou servidor FID. Por extensão, vamos nos referir aqui às bibliotecas do lado do servidor que implementam o suporte a chaves de acesso como bibliotecas do lado do servidor FIDO.
Por que usar uma biblioteca?
O uso de uma biblioteca FIDO do lado do servidor tem várias vantagens:
Tempo e experiência do desenvolvedor. A especificação WebAuthn é complexa. As bibliotecas do lado do servidor FIDO podem fornecer APIs simples para implementar chaves de acesso, o que pode economizar tempo e recursos de desenvolvimento.
Capacidade de manutenção. A especificação do WebAuthn ainda está sujeita a mudanças. Usar a versão mais recente de uma biblioteca mantida ativamente ajuda a manter sua implementação atualizada.
Segurança e compliance. Você quer que a implementação da chave de acesso esteja em conformidade com a especificação WebAuthn e os requisitos de segurança dela. As bibliotecas do lado do servidor FIDO podem ajudar a manter sua implementação segura e em conformidade com a especificação. Dependendo do produto e do setor, a implementação também pode estar sujeita a regulamentações que exigem o uso de padrões de segurança específicos para autenticação.
Se possível, considere financiar os projetos de código aberto de que seu produto se baseia.
[null,null,["Última atualização 2025-07-25 UTC."],[[["\u003cp\u003ePasskeys utilize passkey providers, like Google Password Manager or Apple iCloud Keychain, for secure credential generation and authentication.\u003c/p\u003e\n"],["\u003cp\u003eServer-side implementation involves passkey registration (storing public keys) and authentication (verifying signatures).\u003c/p\u003e\n"],["\u003cp\u003eUsing FIDO server-side libraries is recommended for simplified implementation, maintainability, and enhanced security.\u003c/p\u003e\n"],["\u003cp\u003eSeveral curated lists of FIDO server-side libraries are available for various programming languages, including JavaScript, Go, and Python.\u003c/p\u003e\n"]]],[],null,["# Introduction to server-side passkey implementation\n\n| **Note:** This article is part of a series on server-side passkey implementation. Explore the other articles in this series: [Server-side passkey registration](/identity/passkeys/developer-guides/server-registration) and [Server-side passkey authentication](/identity/passkeys/developer-guides/server-authentication).\n\nOverview\n--------\n\nWhen using [synchronized passkeys](https://developers.google.com/identity/passkeys/supported-environments#:%7E:text=Passkeys%20can%20be%20synchronized%20across%20devices%20in%20the%20same%20ecosystem), people authenticate with a *passkey provider*.\n| **Key Term:** A *passkey provider* is a piece of software used to generate and provide cryptographically-secure credentials. Examples of passkey providers include Google Password Manager, Apple iCloud Keychain, Windows Hello, Dashlane and more.\n\nTo create and authenticate with passkeys, you will use the [WebAuthn API](https://developer.mozilla.org/docs/Web/API/Web_Authentication_API) for the web, or the [Credential Manager API](https://developer.android.com/training/sign-in/passkeys) for Android apps. These APIs handle the communication between the client and the passkey provider.\n\nWhile these APIs are called from a client such as a web page or Android app, you need to implement the rest of the functionality on the server to complete your authentication use cases.\n\nA passkey implementation consists of two functionalities:\n\n1. **Passkey registration.** Use the WebAuthn API or the Credential Manager API to let the user create a passkey. Store the associated public key on the server.\n2. **Authentication with a passkey**. Get an authentication challenge from the server and use the WebAuthn API or Credential Manager API to let the user sign this challenge with their passkey. Verify the signature on the server. If the signature is valid, authenticate the user.\n\nServer-side libraries\n---------------------\n\nWhile it's possible to implement server-side passkeys functionality from scratch, we recommend that you rely on a library instead.\n\nA server that supports passkey creation and authentication is called a *FIDO2 server* , or *FIDO server* for short. By extension, we'll refer here to server-side libraries that implement passkey support as *FIDO server-side libraries*.\n| **Note:** [FIDO2](https://fidoalliance.org/specifications/) is an umbrella term for the effort that produced the [WebAuthn API](https://developer.mozilla.org/docs/Web/API/Web_Authentication_API) and the [CTAP2 protocol](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) that passkeys rely on.\n\n### Why use a library?\n\nUsing a FIDO server-side library has several advantages:\n\n- **Time and developer experience.** The [WebAuthn specification](https://www.w3.org/TR/webauthn/) is complex. FIDO server-side libraries can provide simple APIs for implementing passkeys, which can save you time and development resources.\n- **Maintainability.** The [WebAuthn specification](https://www.w3.org/TR/webauthn/) is still subject to change. Using the latest version of an actively maintained library helps keep your implementation up-to-date.\n- **Security and compliance.** You want your passkey implementation to conform to the WebAuthn specification and its security requirements. FIDO server-side libraries can help you keep your implementation secure and compliant with the specification. Depending on your product and industry, your implementation may also be subject to regulations that require you to use specific security standards for authentication.\n\nIf possible, consider financially supporting open source projects your product relies on.\n\n### Libraries\n\n| **Note:** To select your passkey library, refer to the [selection criteria](https://web.dev/blog/passkey-lib-criteria).\n\n- The [awesome-webauthn](https://github.com/herrjemand/awesome-webauthn) GitHub repository includes a [community-curated list of server-side libraries](https://github.com/herrjemand/awesome-webauthn#server-libraries). You'll find libraries for JavaScript and TypeScript, Go, Python, and more.\n- A [collection of libraries](https://passkeys.dev/docs/tools-libraries/libraries/) is available on [passkeys.dev](https://passkeys.dev/). It's maintained by the [W3C WebAuthn Adoption Community Group](https://www.w3.org/community/webauthn-adoption/).\n- FIDO Alliance references a [collection of FIDO2 servers](https://fidoalliance.org/certification/fido-certified-products/).\n\nNext up\n-------\n\n- [Server-side passkey registration](/identity/passkeys/developer-guides/server-registration)\n- [Server-side passkey authentication](/identity/passkeys/developer-guides/server-authentication)"]]
