WebAuthn Challenge Viewer
Validate a WebAuthn challenge. Reports length, Shannon entropy, and warns about common mistakes (under-length, ASCII-shaped strings, Math.random output). Can also generate fresh 32-byte challenges using the platform CSPRNG.
All decoding runs locally.
About WebAuthn challenges
The challenge is the freshness anchor in every WebAuthn ceremony: without one, signatures can be replayed. The spec mandates ≥16 random bytes, and security guidance is 32. Generate it server-side with a CSPRNG, bind it to the user session, and expire it after a short window.
Spec
WebAuthn Level 2 §13.4.3.
Pitfall
Never build a challenge with Math.random or string concatenation. Use crypto.randomBytes, crypto.getRandomValues, or SecureRandom.
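Server-side handling as described under "About WebAuthn challenges" and "Pitfall", as an added example that is not code from this tool: a 32-byte CSPRNG challenge bound to a session, expired after a window, and consumed exactly once. The function names, the in-memory Map, the 2-minute TTL, and passing clientDataJSON as an already-decoded UTF-8 string are assumptions made for illustration.

```javascript
// Added example. In Node the global Web Crypto object is used when present,
// otherwise the same API is taken from node:crypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const CHALLENGE_BYTES = 32;      // guidance value from the text above
const TTL_MS = 2 * 60 * 1000;    // assumed "short window": 2 minutes
const pending = new Map();       // sessionId -> { challenge, expiresAt } (assumed store)

// Issue a fresh challenge and bind it to the caller's server-side session.
function issueChallenge(sessionId, now = Date.now()) {
  const bytes = rng.getRandomValues(new Uint8Array(CHALLENGE_BYTES));
  const challenge = Buffer.from(bytes).toString('base64url');
  // Overwrites any earlier entry: one outstanding ceremony per session.
  pending.set(sessionId, { challenge, expiresAt: now + TTL_MS });
  return challenge;
}

// Check the challenge echoed in clientDataJSON against the one issued
// for this session. Run this before verifying the authenticator signature.
function consumeChallenge(sessionId, clientDataJSON, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId);     // single use: burned on success and on failure
  if (!entry) return { ok: false, reason: 'no-pending-challenge' };
  if (now > entry.expiresAt) return { ok: false, reason: 'expired' };

  let returned;
  try {
    // clientDataJSON carries the challenge as a base64url string.
    returned = JSON.parse(clientDataJSON).challenge;
  } catch {
    return { ok: false, reason: 'malformed-client-data' };
  }
  if (typeof returned !== 'string' || returned !== entry.challenge) {
    return { ok: false, reason: 'mismatch' };
  }
  return { ok: true };
}
```

Deleting the entry before any check means a replayed or failed response cannot be retried against the same challenge; the client has to start a new ceremony.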