test-passkeys.com - a hands-on playground for experimenting with WebAuthn ceremonies


Nico Celliers

9:50 AM (3 hours ago)
to FIDO Dev (fido-dev)
Hi all,

I've been building a side project to learn the WebAuthn stack properly, and it's now live at https://test-passkeys.com (with https://test-passkeys.uk as a related origin). Sharing it here in case it's useful to anyone learning or teaching passkeys.

The idea is to teach passkey implementation by doing, rather than with glossary definitions or "look, passwordless works" demos. Two main parts:

- Playground - fully configurable, educational passkeys that are never used for real auth. You set RP ID, user verification, attestation, authenticator attachment, resident key, COSE algorithms, hints, exclude-credentials, extensions, mediation, etc., run the real ceremony, and then inspect exactly what changed: the options the browser received, what the authenticator returned, and what the server verified.
- Learn - short, behaviour-focused lessons and some myth-busting, aimed at "what actually happens when I build it this way."

A couple of things this group might find interesting specifically:

- It runs across real, distinct origins (.com, .uk, plus a native iOS client) on purpose, so it can demonstrate Related Origins behaviour rather than just describe it. The Playground's RP ID is intentionally separate from the real account RP, and overriding it back to the account RP is a deliberate cross-contamination demo. Fun coincidence on the Related Origins front: I tagged v1.0.0 on 2026-06-16, which turned out to be the exact day Firefox 152 shipped - the release that finally adds Related Origin Requests support. So Firefox went from "cross-eTLD+1 RP ID throws SecurityError before any server call" to honouring /.well-known/webauthn on launch day. The app's error explainer was literally written around Firefox always failing that case, and I got to relax it the same week. (Current ROR support as I have it: Chrome/Edge >=128, Safari >=18, Firefox >=152, Opera unconfirmed - corrections welcome.)
- Real account passkeys and Playground passkeys are kept strictly separate - the playground credentials never show up in the real login picker - so you can experiment freely without polluting anything that matters.

It's a personal hobby project (I'm not selling anything, no SDK, no SaaS), built to learn, so feedback from people who actually live in this spec would be hugely welcome - especially if you spot anything I've got wrong on the protocol side. Bug reports and "that's not how that works" corrections are very welcome.

Thanks,
Nico
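
The post above describes browsers going from rejecting a cross-eTLD+1 RP ID outright to honouring `/.well-known/webauthn`. As an added example (not code from the post or from test-passkeys.com), here is a simplified sketch of the client-side check a browser performs on that document before allowing the ceremony. The function names, the tiny stand-in for the Public Suffix List, and the sample document are assumptions made for illustration.

```javascript
// Added example: simplified Related Origin Requests validation (not the site's code).
// ASSUMPTION: a tiny stand-in for the Public Suffix List; real clients use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk", "org"]);
const MAX_LABELS = 5; // clients are required to support at least five labels

// Return the label directly left of the public suffix ("test-passkeys" for
// www.test-passkeys.uk), or null if the host has no registrable domain.
function registrableLabel(hostname) {
  const parts = hostname.toLowerCase().split(".");
  for (let i = 0; i < parts.length; i++) {
    if (PUBLIC_SUFFIXES.has(parts.slice(i).join("."))) {
      return i > 0 ? parts[i - 1] : null;
    }
  }
  return null;
}

// Decide whether callerOrigin may use an RP ID whose /.well-known/webauthn
// document (already fetched and JSON-parsed) is wellKnown.
function relatedOriginAllowed(callerOrigin, wellKnown) {
  if (!wellKnown || !Array.isArray(wellKnown.origins)) return false;
  const caller = new URL(callerOrigin).origin;
  const labelsSeen = new Set();
  for (const item of wellKnown.origins) {
    let url;
    try { url = new URL(item); } catch { continue; } // skip unparsable entries
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // An entry that would introduce a label beyond the limit is ignored,
    // so an RP cannot list an unbounded number of unrelated sites.
    if (labelsSeen.size >= MAX_LABELS && !labelsSeen.has(label)) continue;
    if (url.origin === caller) return true; // exact scheme + host + port match
    if (labelsSeen.size < MAX_LABELS) labelsSeen.add(label);
  }
  return false;
}

// Constructed sample document, as it might be served from the RP ID's host.
const SAMPLE = { origins: ["https://test-passkeys.com", "https://test-passkeys.uk"] };
```

The match is on the full origin, so an `http://` caller or a different port fails even when the host is listed, and a missing or malformed `origins` array fails closed.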