excludeCredentials

excludeCredentials is a field in the Web Authentication API used during a credential assertion request. It provides the relying party (RP) a list of credentials that should not be considered for authentication, helping to avoid re-prompts for credentials the user has already registered with the RP.

The field is an array of PublicKeyCredentialDescriptor objects. Each descriptor includes a type (typically "public-key"), an id (the credential’s unique identifier as raw bytes), and an optional transports array describing how the credential can be used (for example, "internal", "Contactless", or "usb"). When data is transmitted in JSON, the id is commonly base64url-encoded; in the WebAuthn API it is handled as a binary ArrayBuffer.

During navigator.credentials.get with a PublicKeyCredentialRequestOptions, excludeCredentials restricts the set of credentials the authenticator may use. If allowCredentials is also specified, the authenticator will consider only credentials that are both allowed and not excluded. If all eligible credentials are excluded, the operation may fail or the authenticator may offer alternatives depending on device capabilities and policy.

Usage scenarios include preventing re-use of certain credentials for a given login flow or guiding the user toward a different credential. It is important to balance usefulness with privacy, since excludeCredentials can reveal to the RP or browser which credentials exist for a user at that RP.

See also: PublicKeyCredentialRequestOptions, allowCredentials, WebAuthn, CTAP.
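As an added example (not code from the original page or from any WebAuthn implementation), the JavaScript below converts a server-supplied JSON list of descriptors, whose ids are base64url-encoded, into the ArrayBuffer form the WebAuthn API handles, and applies the "allowed and not excluded" rule described above as a plain filter so it can be exercised outside a browser. The sample descriptor list and the helper names (base64urlToBytes, bytesToBase64url, toDescriptor, descriptorsFromJson, eligibleAfterExclusion) are constructed for this example and are not part of the WebAuthn API.

```javascript
// Added example: turning server JSON into WebAuthn PublicKeyCredentialDescriptor
// objects. All helper names here are this example's own (hypothetical), not API names.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode unpadded base64url text into raw bytes; reject anything outside the alphabet.
function base64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("invalid base64url: " + s);
  const out = [];
  let buffer = 0, bits = 0;
  for (const ch of s) {
    buffer = (buffer << 6) | B64URL.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return new Uint8Array(out);
}

// Encode raw bytes as unpadded base64url (the form commonly used in JSON).
function bytesToBase64url(bytes) {
  let out = "", buffer = 0, bits = 0;
  for (const b of bytes) {
    buffer = (buffer << 8) | b;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64URL[(buffer >> bits) & 63];
    }
    buffer &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64URL[(buffer << (6 - bits)) & 63]; // final partial group
  return out;
}

// One JSON descriptor -> API descriptor: id becomes a binary ArrayBuffer,
// type and transports are copied through. Unknown types are rejected early.
function toDescriptor(json) {
  if (json.type !== "public-key") throw new Error("unsupported type: " + json.type);
  const descriptor = { type: json.type, id: base64urlToBytes(json.id).buffer };
  if (Array.isArray(json.transports)) descriptor.transports = json.transports.slice();
  return descriptor;
}

function descriptorsFromJson(list) {
  return list.map(toDescriptor);
}

// Illustrates the rule stated on the page: with both lists present, only credentials
// that are allowed AND not excluded remain. Ids are compared by content (base64url
// form), because two ArrayBuffers with equal bytes are still distinct objects.
function eligibleAfterExclusion(allowCredentials, excludeCredentials) {
  const excluded = new Set(excludeCredentials.map(d => bytesToBase64url(new Uint8Array(d.id))));
  return allowCredentials.filter(d => !excluded.has(bytesToBase64url(new Uint8Array(d.id))));
}

// Constructed sample, as an RP server might send it; ids are made-up test values.
const SERVER_EXCLUDE_JSON = [
  { type: "public-key", id: "AQID", transports: ["internal"] },
  { type: "public-key", id: "-_8", transports: ["usb"] },
];

// Usage: pass the converted array as the excludeCredentials field of the options object.
const excludeCredentials = descriptorsFromJson(SERVER_EXCLUDE_JSON);
```

The filter is written so it can be run and tested without a browser; the browser and authenticator apply their own eligibility logic, so it illustrates the rule rather than reimplementing it. Limiting the list to credential ids the server already associates with the account being handled keeps the privacy cost mentioned above to information the RP already holds.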