Data Structure

Main Data Structures

Info

The data types are basically JSON types, but the following two additional types are used in this explanation.

  • Date: Date and time information. Handled as a string type in ISO8601 format in JSON.
  • Buffer: Binary (byte array) information. Handled as a string type in Base64Url format in JSON.

FSS WebAPI mainly handles “user data” and “credential data”.

  • User Data
  • Credential Data
    • Holds information on credentials (public keys for FIDO authentication processing, etc.).
    • It is based on the information in WebAuthn's PublicKeyCredential and the AuthenticatorAttestationResponse used inside it.
    • Information held in binary format in AuthenticatorAttestationResponse is expanded and stored in a format that is easy to handle.
    • Each user data record is associated with 0 to n credential data records.

Both kinds of data also carry FSS-specific items: attributes, which hold application-specific information, and a disabled flag.

User Data

The format of user data is as follows.

interface UserData {
	rpId : string,
	userId : Buffer,
	userName : string,
	displayName : string | null,
	userAttributes : { [key : string] : any} | null,
	disabled : boolean,
	registered : Date,
	updated : Date,
	enabledCredentialCount : number,
	credentialCount : number,
}

| Key | Type | Content |
|---|---|---|
| rpId | string | RP ID. |
| userId | Buffer | User ID. A Base64Url encoded string of id of PublicKeyCredentialUserEntity. |
| userName | string | User name. Corresponds to name of PublicKeyCredentialUserEntity. Since user identification is done by userId, duplication of userName is allowed by default, but it can be prohibited by RP settings. |
| displayName | string \| null | Display name. Corresponds to displayName of PublicKeyCredentialUserEntity. |
| userAttributes | { [key : string] : any } \| null | User attributes. Stores additional information that can be freely set by the FSS WebAPI user. A JSON object format or null can be set. |
| disabled | boolean | Disabled flag. If true, the record is invalid. |
| registered | Date | A string representing the registration date and time in ISO8601 format. |
| updated | Date | A string representing the update date and time in ISO8601 format. |
| enabledCredentialCount | number | The number of valid (disabled is false) credential data associated with the user. |
| credentialCount | number | The number of credential data associated with the user. Includes credential data that is considered invalid. |

Credential Data

The format of credential data is as follows.

interface CredentialData {
	rpId : string,
	userId : Buffer,
	credentialId : Buffer,
	credentialName : string | null,
	credentialAttributes : { [key : string] : any} | null,
	format : string,
	userPresence : boolean,
	userVerification : boolean,
	backupEligibility : boolean,
	backupState : boolean,
	attestedCredentialData : boolean,
	extensionData : boolean,
	aaguid : string | null,
	aaguidModelName : string | null,
	publicKey : Buffer,
	transportsRaw : string | null,
	transportsBle : boolean | null,
	transportsHybrid : boolean | null,
	transportsInternal : boolean | null,
	transportsNfc : boolean | null,
	transportsUsb : boolean | null,
	discoverableCredential : boolean | null,
	enterpriseAttestation : boolean,
	vendorId : string | null,
	authenticatorId : string | null,
	attestationObject : Buffer,
	authenticatorAttachment : string | null,
	credentialType : string,
	clientDataJson : string,
	clientDataJsonRaw : string,
	lastAuthenticated : Date | null,
	lastSignCounter : number | null,
	disabled : boolean,
	registered : Date,
	updated : Date,
}

| Key | Type | Content |
|---|---|---|
| rpId | string | RP ID. |
| userId | Buffer | User ID. A Base64Url encoded string of id of PublicKeyCredentialUserEntity. |
| credentialId | Buffer | Credential ID. A Base64Url encoded string of credentialId of AttestedCredentialData. |
| credentialName | string \| null | Credential name. Can be arbitrarily specified by the FSS WebAPI user at the time of credential registration. |
| credentialAttributes | { [key : string] : any } \| null | Credential attributes. Stores additional information that can be freely set by the FSS WebAPI user. A JSON object format or null can be set. |
| format | string | Attestation format. Corresponds to fmt of AttestationObject. |
| userPresence | boolean | true if user presence was performed at the time of credential registration. Corresponds to UP of flags of AuthenticatorData. |
| userVerification | boolean | true if user verification was performed at the time of credential registration. Corresponds to UV of flags of AuthenticatorData. |
| backupEligibility | boolean | true if there is backup eligibility at the time of credential registration. Corresponds to BE of flags of AuthenticatorData. |
| backupState | boolean | true if a backup is being performed at the time of credential registration. Corresponds to BS of flags of AuthenticatorData. |
| attestedCredentialData | boolean | true if attested credential data exists at the time of credential registration. Corresponds to AT of flags of AuthenticatorData. (Since a credential cannot be registered if AttestedCredentialData does not exist, it will always be true) |
| extensionData | boolean | true if extension information exists at the time of credential registration. Corresponds to ED of flags of AuthenticatorData. |
| aaguid | string \| null | AAGUID of the registered authenticator. Corresponds to aaguid of AttestedCredentialData. |
| aaguidModelName | string \| null | Authenticator model name derived from AAGUID and MDS (FIDO Alliance MetaData Service). null if the corresponding information does not exist. |
| publicKey | Buffer | Public key. Corresponds to credentialPublicKey of AttestedCredentialData. |
| transportsRaw | string \| null | Corresponds to the execution result of the getTransports() method of AuthenticatorAttestationResponse. Can be recorded by setting the transports parameter in the registerCredential/finish call parameter. |
| transportsBle | boolean \| null | true if the authenticator supports transport by BLE. |
| transportsHybrid | boolean \| null | true if the authenticator supports transport by hybrid authentication. |
| transportsInternal | boolean \| null | true if the authenticator supports internal transport. |
| transportsNfc | boolean \| null | true if the authenticator supports transport by NFC. |
| transportsUsb | boolean \| null | true if the authenticator supports transport by USB. |
| discoverableCredential | boolean \| null | true if the authentication information is a DiscoverableCredential. (Corresponds to rk of the credProps extension. May not be available on platforms that do not support the credProps extension) |
| enterpriseAttestation | boolean | true if FSS can confirm that it is EnterpriseAttestation. |
| vendorId | string \| null | Vendor ID when EnterpriseAttestation is confirmed (FSS original definition). As of 2025/08, only yubico. |
| authenticatorId | string \| null | Identifier such as serial number when EnterpriseAttestation is confirmed. |
| attestationObject | Buffer | The entire AttestationObject. |
| authenticatorAttachment | string \| null | A string indicating the authenticator type (platform authenticator/cross-platform authenticator). Corresponds to authenticatorAttachment of PublicKeyCredential. |
| credentialType | string | Credential type. Corresponds to type of PublicKeyCredential. Fixed to “public-key”. |
| clientDataJson | string | Client data JSON. Corresponds to the Base64Url decoded clientDataJSON item of AuthenticatorAttestationResponse. |
| clientDataJsonRaw | Buffer | Binary representation of client data JSON. Corresponds to the clientDataJSON item of AuthenticatorAttestationResponse. |
| lastAuthenticated | Date \| null | Last authentication date and time. null if not yet authenticated. |
| lastSignCounter | number \| null | Internal counter value at the time of the last authentication. Corresponds to the signCount item of AuthenticatorData. |
| disabled | boolean | Disabled flag. If true, the record is invalid. |
| registered | Date | A string representing the registration date and time in ISO8601 format. |
| updated | Date | A string representing the update date and time in ISO8601 format. |

*lastAuthenticated and lastSignCounter are updated at the time of authentication, but the updated item is not changed by that update.
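
A review pass over credential records, as an added example that is not FSS code: it measures idle time from lastAuthenticated rather than updated, as the note above implies, and cross-checks the UserData counters against the credential list. The function names, finding labels, thresholds and sample records are assumptions constructed for illustration.

```typescript
// Added example, not FSS code. reviewCredential, countsMatch and the finding
// labels are hypothetical; field names follow the tables above.
interface CredentialView {
  disabled: boolean;
  userVerification: boolean;        // UV flag at registration
  backupEligibility: boolean;       // BE flag at registration
  lastAuthenticated: string | null; // Date: ISO8601 string in JSON
  lastSignCounter: number | null;
  registered: string;               // Date: ISO8601 string in JSON
}

function reviewCredential(c: CredentialView, now: Date, maxIdleDays: number): string[] {
  if (c.disabled) return ["disabled"];
  const findings: string[] = [];
  // Measure idle time from lastAuthenticated (or registered if never used),
  // not from `updated`, which does not change on authentication.
  const lastUse = Date.parse(c.lastAuthenticated ?? c.registered);
  if (c.lastAuthenticated === null) findings.push("never-authenticated");
  if ((now.getTime() - lastUse) / 86400000 > maxIdleDays) findings.push("idle");
  if (!c.userVerification) findings.push("registered-without-uv");
  if (c.backupEligibility) findings.push("backup-eligible");
  // A counter still at 0 after use means the authenticator keeps no signature
  // counter, so counter-based clone detection is unavailable for it.
  if (c.lastAuthenticated !== null && c.lastSignCounter === 0) findings.push("no-sign-counter");
  return findings;
}

// UserData.credentialCount / enabledCredentialCount should agree with the
// credential records held for the same user.
function countsMatch(
  user: { credentialCount: number; enabledCredentialCount: number },
  creds: CredentialView[],
): boolean {
  return user.credentialCount === creds.length &&
    user.enabledCredentialCount === creds.filter((c) => !c.disabled).length;
}

// Constructed sample records (not real data).
const SAMPLE_CREDENTIALS: CredentialView[] = [
  { disabled: false, userVerification: true, backupEligibility: false,
    lastAuthenticated: "2025-07-20T10:00:00Z", lastSignCounter: 42, registered: "2024-01-10T09:00:00Z" },
  { disabled: false, userVerification: false, backupEligibility: true,
    lastAuthenticated: "2025-01-05T08:30:00Z", lastSignCounter: 0, registered: "2024-06-01T12:00:00Z" },
  { disabled: true, userVerification: true, backupEligibility: false,
    lastAuthenticated: null, lastSignCounter: null, registered: "2023-03-03T03:00:00Z" },
  { disabled: false, userVerification: true, backupEligibility: false,
    lastAuthenticated: null, lastSignCounter: null, registered: "2025-07-25T00:00:00Z" },
];
```
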

Other Data Structures

These are types used in some API calls.

Credential Name Setting Data

This data structure sets the credential name from the registration content at the time of credential registration. If a plain string is specified instead of an object, it is treated as if only the name property were set.

type Fido2CredentialNameParameter = {
	name : string;
	nameIfModelNameExists? : string;
	nameIfEnterpriseAttestationExists? : string;
} | string | undefined;

| Key | Type | Content |
|---|---|---|
| name | string | Credential name. |
| nameIfModelNameExists | string | Credential name used when the authenticator type can be obtained from AAGUID. If omitted or if the authenticator type cannot be obtained, the name property is used. |
| nameIfEnterpriseAttestationExists | string | Credential name used when FSS can confirm that it is EnterpriseAttestation. If omitted or if it is not EnterpriseAttestation, the nameIfModelNameExists property is used. |

Info

Each property of Fido2CredentialNameParameter can include the following placeholders, which will be replaced with the actual values at the time of registration.

  • $$: Replaced with $.
  • $modelName: Product model name derived from AAGUID.
  • $authenticatorId: Authenticator ID (serial number, etc.) derived from the certificate in the case of EnterpriseAttestation.
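
The fallback order and placeholder substitution described above, as an added example that is not FSS source code. NameObject, ResolveContext and resolveCredentialName are hypothetical names, and the handling of a missing parameter, of missing placeholder values and of `$$` directly before a placeholder name are assumptions.

```typescript
// Added example, not FSS source. NameObject, ResolveContext and
// resolveCredentialName are hypothetical names.
type NameObject = {
  name: string;
  nameIfModelNameExists?: string;
  nameIfEnterpriseAttestationExists?: string;
};
type Fido2CredentialNameParameter = NameObject | string | undefined;

interface ResolveContext {
  modelName: string | null;       // aaguidModelName of the new credential
  enterpriseAttestation: boolean; // enterpriseAttestation of the new credential
  authenticatorId: string | null; // authenticatorId of the new credential
}

function resolveCredentialName(
  param: Fido2CredentialNameParameter,
  ctx: ResolveContext,
): string | null {
  // Assumption: with no parameter, credentialName is left null.
  if (param === undefined) return null;
  // A bare string is treated as { name: <string> }.
  const p: NameObject = typeof param === "string" ? { name: param } : param;

  // Documented fallback: enterprise-attestation name, then model name, then name.
  let template = p.name;
  if (ctx.enterpriseAttestation && p.nameIfEnterpriseAttestationExists !== undefined) {
    template = p.nameIfEnterpriseAttestationExists;
  } else if (ctx.modelName !== null && p.nameIfModelNameExists !== undefined) {
    template = p.nameIfModelNameExists;
  }

  // One left-to-right pass, so "$$modelName" yields the literal text
  // "$modelName" (assumption). Missing values become "" (assumption).
  return template.replace(
    /\$(\$|modelName|authenticatorId)/g,
    (_match: string, key: string): string => {
      if (key === "$") return "$";
      if (key === "modelName") return ctx.modelName ?? "";
      return ctx.authenticatorId ?? "";
    },
  );
}
```
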