PublicKeyCredential: toJSON() method

Baseline 2025

Newly available

Since ⁨March 2025⁩, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.

Secure context: This feature is available only insecure contexts (HTTPS), in some or allsupporting browsers.

ThetoJSON() method of thePublicKeyCredential interface returns aJSON type representation of aPublicKeyCredential.

The properties of the returned object depend on whether the credential is returned bynavigator.credentials.create() whencreating a key pair and registering a user, ornavigator.credentials.get() whenauthenticating a user.

This method is automatically invoked when web app code callsJSON.stringify() to serialize aPublicKeyCredential so that it can be sent to relying party server when registering or authenticating a user.It not intended to be called directly in web app code.

Syntax

toJSON()

Parameters

None.

Return value

AJSON type representation of aPublicKeyCredential object.

The included properties depend on whether the credential was returned bynavigator.credentials.create() on registration, ornavigator.credentials.get() when authenticating a user.The values and types of included properties are the same as forPublicKeyCredential, with the exception thatbase64url-encoded strings are used in place of buffer properties.

The object properties are:

id

The value returned byPublicKeyCredential.id.

rawId

Abase64url-encoded version ofPublicKeyCredential.rawId.

authenticatorAttachmentOptional

The value returned byPublicKeyCredential.authenticatorAttachment.

type

The string"public-key".

clientExtensionResults

An array containingbase64url-encoded versions of the values returned byPublicKeyCredential.getClientExtensionResults().

response

The response property object depends on whether the credentials are returned following a registration or authentication operation.

When registering a new userresponse will be a JSON-type representation ofAuthenticatorAttestationResponse where buffer values have beenbase64url encoded.
When authenticating a user the returned value will be a JSON-type representation version ofAuthenticatorAssertionResponse where buffer values have beenbase64url encoded.

Exceptions

SecurityErrorDOMException: The RP domain is not valid.

Examples

When registering a new user, a relying party server will supply information about the expected credentials to the web app.The web app callsnavigator.credentials.create() with the received information (createCredentialOptions below), which returns a promise that fulfills with the new credential (aPublicKeyCredential).

const newCredentialInfo = await navigator.credentials.create({  createCredentialOptions,});

The web app then serializes the returned credential usingJSON.stringify() (which in turn callstoJSON()) and posts it back to the server.

const registrationURL = "https://example.com/registration";const apiRegOptsResp = await fetch(registrationURL, {  method: "POST",  headers: { "Content-Type": "application/json" },  body: JSON.stringify(newCredentialInfo), // Calls newCredentialInfo.toJSON});