Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Terminology and Glossary

This document clarifies the terminology used in WebAuthn, OAuth2, and this library. Many identifier terms can be confusing because the same concept has different names in different contexts.

User Identifiers

Quick Reference

TermContextDescription
user_idThis library (database)Application’s internal user identifier (database primary key)
user_handleThis library (database)WebAuthn user identifier stored with credentials
user.idWebAuthn registrationUser identifier in PublicKeyCredentialUserEntity
userHandleWebAuthn authenticationReturned in AuthenticatorAssertionResponse
userIdSignal APIParameter name for user identifier

Key Distinction

user_id is different from user_handle/user.id/userHandle/userId.

  • user_id: The application’s internal database identifier for the user account
  • user_handle: The WebAuthn-specific identifier that the authenticator stores and returns

The terms user_handle, user.id, userHandle, and userId all refer to the same value - just in different contexts:

  • Registration: user.id in PublicKeyCredentialUserEntity
  • Authentication: userHandle in AuthenticatorAssertionResponse
  • Signal API: userId parameter
  • This library’s database: user_handle column

Database Relationship

Application Database:
+---------------------------------------------+
| users table                                 |
|   user_id (PK) ------------------+          |
|   account, label                 |          |
+----------------------------------|---------+
                                   v
+---------------------------------------------+
| passkey_credentials table                   |
|   credential_id (PK)                        |
|   user_id (FK) <----------------|          |
|   user_handle --------> WebAuthn user.id    |
|   public_key, aaguid                        |
+---------------------------------------------+

WebAuthn Term Aliases:
  Registration:   user.id --------+
  Authentication: userHandle -----+---> Same value
  Signal API:     userId ---------+
  This library:   user_handle ----+

Credential Identifiers

TermContextDescription
credential_idThis library (database)Base64URL-encoded credential identifier
credentialIdWebAuthn/Signal APIRaw credential identifier (Uint8Array or Base64URL)
idPublicKeyCredentialSame as credentialId, Base64URL-encoded
rawIdPublicKeyCredentialSame as credentialId, ArrayBuffer format

Encoding Note

In JavaScript, credential IDs come in two formats from PublicKeyCredential:

  • id: Base64URL-encoded string
  • rawId: Raw ArrayBuffer

This library stores credential IDs as Base64URL-encoded strings in the database.

Session Identifiers

TermContextDescription
session_idThis libraryInternal session identifier stored in cache
session_cookieHTTPCookie value sent to the client
SessionIdType wrapperType-safe wrapper for session identifiers
SessionCookieType wrapperType-safe wrapper for session cookie values

OAuth2 Identifiers

TermContextDescription
providerThis libraryOAuth2 provider name (e.g., “google”)
provider_user_idThis libraryUser ID from the OAuth2 provider
subOIDCSubject identifier in ID token (same as provider_user_id)

Type-Safe Wrappers

This library uses type-safe wrappers to prevent identifier confusion at compile time. See Type-Safe Validation for details.

TypeWrapsDescription
UserIdStringDatabase user identifier
CredentialIdStringPasskey credential identifier
SessionIdStringSession identifier
SessionCookieStringSession cookie value
UserHandleStringWebAuthn user handle
ProviderStringOAuth2 provider name
ProviderUserIdStringOAuth2 provider’s user ID

Common Confusion Points

1. user_id vs user_handle

#![allow(unused)]
fn main() {
// WRONG: These are different!
let user_id = "db_user_123";      // Database primary key
let user_handle = "webauthn_abc"; // WebAuthn identifier

// They relate to different concepts:
// - user_id: Identifies the user in YOUR application
// - user_handle: Identifies the user to the AUTHENTICATOR
}

2. Multiple credentials, one user

A single user (user_id) can have multiple passkey credentials, each with its own credential_id. Depending on configuration, they may share the same user_handle or each have a unique one.

Configurationuser_handle per credential
PASSKEY_USER_HANDLE_UNIQUE_FOR_EVERY_CREDENTIAL=false (default)Shared
PASSKEY_USER_HANDLE_UNIQUE_FOR_EVERY_CREDENTIAL=trueUnique

3. Signal API userId parameter

The Signal API uses userId as the parameter name, but this is the WebAuthn user handle, not the application’s user_id:

// CORRECT: userId here is the user_handle value
PublicKeyCredential.signalAllAcceptedCredentials({
    rpId: "example.com",
    userId: base64urlEncode(user_handle),  // NOT user_id!
    allAcceptedCredentialIds: [...]
});

See Also