WebAuthn

clientDataJSON Decoder

Decode the base64url-encoded clientDataJSON sent in WebAuthn registration and assertion ceremonies. Surfaces type, challenge, origin, crossOrigin, and computes the SHA-256 the authenticator signs over.

Input

clientDataJSON (base64url) or raw JSON.

Decoded

Paste clientDataJSON.

All decoding runs locally.

About clientDataJSON

clientDataJSON is generated by the browser at the moment of navigator.credentials.create() or .get(). It binds the challenge, origin, and ceremony type into a JSON blob; the SHA-256 of the raw bytes is what the authenticator signs over (along with authenticatorData). Origin verification on the RP is the load-bearing anti-phishing primitive in WebAuthn.

Spec

WebAuthn Level 2 §5.8.

Companion

authenticatorData parser

Reading

WebAuthn — registration & authentication