Web SDK

The Arculus FIDO SDK for Web provides a JavaScript library (arculusfido.js) that simplifies integration with the Arculus FIDO2 Server using browser WebAuthn APIs. The SDK handles all complexity of WebAuthn API calls, session management, and server communication.

Key Features:

  • Simple JavaScript API

  • Browser WebAuthn API wrapper

  • Automatic session cookie management

  • CORS support for cross-origin deployments

  • Built-in error handling

Obtaining the SDK

Contact your Arculus representative to obtain the Web SDK distribution package. The package includes:

Component
Description

arculusfido.js

JavaScript SDK for browser WebAuthn integration

Sample Applications

Complete web apps demonstrating SDK usage

Documentation

API documentation and integration guide

The Web SDK is distributed as a JavaScript file that can be included via script tag or ES module import. See 5.5 Web Sample Applications for complete sample code.

Note: The Web SDK uses browser WebAuthn APIs and works with any WebAuthn-compatible authenticator, including Arculus FIDO2 cards via USB readers. For mobile integration with NFC, use the iOS or Android SDKs.

2.6.1 Installation

Requirements

  • Modern web browser with WebAuthn support (Chrome, Firefox, Safari, Edge)

  • HTTPS (required for WebAuthn in production)

  • Arculus FIDO2 Server accessible from your web application

Installation Methods

Method 1: Script Tag

Include the SDK in your HTML:

Method 2: ES Module Import

2.6.2 Configuration

Set FIDO Policy

Configure authentication preferences before registration or authentication:

Parameter Details:

Parameter
Default
Options
Description

attestation

"none"

none, direct, indirect

Attestation conveyance preference

attachment

"all"

platform, cross-platform, all

Authenticator type preference

userVerification

"preferred"

preferred, required, discouraged

User verification requirement

credProtect

0

0-3

Credential protection level

Set Custom Endpoints

If your Arculus FIDO2 Server deployment uses custom endpoint paths (e.g., behind a reverse proxy or API gateway), you can configure them:

Default Endpoints: If not configured, the SDK uses these default paths:

  • Registration begin: fidoapi/certify/attestation/options

  • Registration complete: fidoapi/certify/attestation/result

  • Authentication begin: fidoapi/certify/assertion/options

  • Authentication complete: fidoapi/certify/assertion/result

Note: The alias paths (/fidoapi/register/begin, etc.) are also supported by the FIDO2 Server. Only configure custom endpoints if your deployment uses different paths.

2.6.3 Registration

Client-Direct Pattern

The client-direct pattern allows your web application to communicate directly with the FIDO2 server.

Function Signature

Returns: Promise resolving to response object with status, result/error, and statuscode fields.

Note: The SDK parameter is displayname (lowercase 'n'), but JavaScript is case-insensitive for parameter names, so displayName also works.

Registration Sequence Diagram

spinner

Basic Registration

Registration with Custom Server URL

When the FIDO2 Server is on a different domain:

Registration with Additional Parameters

Pass tenant or session information via query parameters or headers:

Registration Response

Note: Error responses may contain either an error field (for network/parsing errors) or a result field (for server response errors), but not both.

2.6.4 Authentication

Client-Direct Pattern

Function Signature

Returns: Promise resolving to response object with status, result, jwtToken (if present), and statuscode fields.

Authentication Sequence Diagram

spinner

Basic Authentication

Authentication Response

Important Notes:

  • JWT Token: The jwtToken field is extracted from the HTTP Authorization response header, not from the response body. If the server does not include this header, jwtToken will be undefined.

  • Result Field: On success, the result field contains the full fetch Response object, not parsed JSON. To access the response body, use await result.result.json().

  • Error Format: Error responses may contain either a result field (for server responses) or an error field (for network/WebAuthn errors), but not both.

2.6.5 CORS Configuration

When your web application and FIDO2 Server are on different domains:

Server Requirements

The FIDO2 Server supports CORS with:

  • Access-Control-Allow-Origin header

  • Access-Control-Allow-Credentials: true

Client Requirements

Ensure fetch calls include credentials:

2.6.6 Session Management

The SDK uses cookies to maintain session state between begin and complete calls:

  • Cookies are sent with credentials: 'include'

  • Server sets session cookie with SameSite=None; Secure

  • Session expires after timeout (default 60 seconds)

Relying Party Header

For multi-tenant deployments, specify the relying party using the addHeaders parameter:

2.6.7 Error Handling

Common Errors and Solutions

Error
Cause
Solution

"Session expired"

Begin/complete took too long

Retry the flow from begin

"No account for user"

Username not registered

Direct user to registration

"Unknown relying party"

Invalid domain configuration

Check X-ArculusFido-RelyingParty header

"Domain mismatch"

Origin doesn't match RP ID

Ensure client domain matches server config

"Connection timeout"

Server unreachable

Check network and server status

Error Handling Pattern

For detailed error codes, see 2.7 Error Codes.

2.6.8 Complete Sample Applications

For complete web application examples, including HTML structure, error handling, multi-tenant support, and cross-origin configurations, see 5.5 Web Sample Applications in the Appendix.

2.6.9 Security Best Practices

Transport Security

  • Always use HTTPS in production

  • Validate SSL certificates

Origin Validation

  • Server validates request origin against relying party

  • Ensure client domain is registered

User Verification

  • Use required for high-security operations

  • Use preferred for balanced security/UX

Token Storage

  • Store JWT tokens securely (HttpOnly cookies preferred)

  • Implement token refresh mechanisms

Error Messages

  • Don't expose internal errors to users

  • Log detailed errors server-side

Last updated