That's just the browser client part of the equation, this says nothing about the server side. The `challenge` part of the API, as well as storing and maintaining the necessary public keys and doing the actual validation of credentials, are left for the reader to implement in the backend.
The browser API makes it easy to program a client against passkeys, but that doesn't necessarily hold up for doing the server implementation. For that, you need to either find a library that matches your requirements, or read through guides like these: https://developers.google.com/identity/passkeys/developer-gu... that skim over a lot of details.
The browser API makes it easy to program a client against passkeys, but that doesn't necessarily hold up for doing the server implementation. For that, you need to either find a library that matches your requirements, or read through guides like these: https://developers.google.com/identity/passkeys/developer-gu... that skim over a lot of details.