{"id":3319,"library":"webauthn","title":"WebAuthn Python Library","description":"The `webauthn` library provides a Pythonic implementation for integrating WebAuthn (Web Authentication API) into web applications, enabling strong, phishing-resistant, and passwordless authentication. It handles the server-side verification and generation of WebAuthn credentials, abstracting away the complexities of the FIDO2 protocol. The library is actively maintained with a relatively frequent release cadence, with the current version being 2.7.1, and supports Python 3.9 and newer.","status":"active","version":"2.7.1","language":"en","source_language":"en","source_url":"https://github.com/duo-labs/py_webauthn","tags":["security","webauthn","fido2","authentication","mfa","passwordless"],"install":[{"cmd":"pip install webauthn","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Optional dependency for supporting ML-DSA (Post-Quantum Cryptography) public keys for authenticators with PQC capabilities.","package":"dilithium-py","optional":true}],"imports":[{"symbol":"generate_registration_options","correct":"from webauthn import generate_registration_options"},{"symbol":"verify_registration_response","correct":"from webauthn import verify_registration_response"},{"symbol":"generate_authentication_options","correct":"from webauthn import generate_authentication_options"},{"symbol":"verify_authentication_response","correct":"from webauthn import verify_authentication_response"},{"note":"The helper is exposed directly under `webauthn.helpers`.","wrong":"from webauthn.helpers.options_to_json_dict import options_to_json_dict","symbol":"options_to_json_dict","correct":"from webauthn.helpers import options_to_json_dict"}],"quickstart":{"code":"import os\nfrom webauthn import generate_registration_options\nfrom webauthn.helpers.structs import PublicKeyCredentialUserEntity\n\n# Placeholder values (in a real app, these would come from your user management)\nRP_ID = \"localhost\" # Or your domain, e.g., \"example.com\"\nRP_NAME = \"My Awesome App\"\nUSER_ID = os.environ.get('WEBAUTHN_USER_ID', 'test_user_id').encode('utf-8')\nUSER_NAME = os.environ.get('WEBAUTHN_USER_NAME', 'testuser')\nUSER_DISPLAY_NAME = os.environ.get('WEBAAUTHN_USER_DISPLAY_NAME', 'Test User')\n\nuser_entity = PublicKeyCredentialUserEntity(\n    id=USER_ID,\n    name=USER_NAME,\n    display_name=USER_DISPLAY_NAME,\n)\n\nregistration_options = generate_registration_options(\n    rp_id=RP_ID,\n    rp_name=RP_NAME,\n    user_entity=user_entity,\n    challenge=os.urandom(16) # A new random challenge for each registration attempt\n)\n\nprint(\"Generated WebAuthn Registration Options:\")\nprint(registration_options)\n# In a real application, you would serialize these options (e.g., to JSON)\n# and send them to the client-side JavaScript for WebAuthn API calls.","lang":"python","description":"This quickstart demonstrates how to generate registration options, which is the first step in registering a new WebAuthn credential. It uses placeholder values for RP (Relying Party) and user details. In a real application, these would be dynamic and securely managed. The generated options are then sent to the client-side JavaScript for interaction with the user's authenticator."},"warnings":[{"fix":"Upgrade your Python environment to 3.9 or higher. For example, `pyenv install 3.9.18 && pyenv global 3.9.18`.","message":"The minimum supported Python version was bumped to Python 3.9. Users on older Python versions (3.8 or below) will need to upgrade their Python environment to use `webauthn>=2.3.0`.","severity":"breaking","affected_versions":">=2.3.0"},{"fix":"Install the optional dependency: `pip install 'webauthn[pqc]'` or `pip install dilithium-py`.","message":"Support for ML-DSA (Post-Quantum Cryptography) public keys for authenticators was introduced, but it requires an optional dependency (`dilithium-py`). If you intend to support PQC-enabled authenticators, this dependency must be explicitly installed.","severity":"gotcha","affected_versions":">=2.8.0-alpha1"},{"fix":"Review your serialization needs. If a custom encoding is required, pass a `Callable[[bytes], Any]` to the `bytes_encoder` argument when calling `options_to_json_dict`.","message":"The `webauthn.helpers.options_to_json_dict` helper introduced a `bytes_encoder` argument. If not specified, `bytes` values are Base64URL encoded by default. Custom encoding logic might be required for specific client-side interoperability or if your application expects a different serialization format for byte arrays.","severity":"gotcha","affected_versions":">=2.7.0"},{"fix":"Update your code to use `Dict[str, Any]` or other specific `dict` type hints where appropriate when interacting with the library's types, or adjust your type checker's configuration if necessary.","message":"Type annotations for bare `dict`s were replaced with `Dict[str, Any]` for stricter type checking. While this doesn't break runtime behavior, it might cause issues with type checkers (e.g., MyPy) in projects with strict configurations.","severity":"gotcha","affected_versions":">=2.7.1"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}