From f3392adf288972b5bba7092d1cc8901555c16a29 Mon Sep 17 00:00:00 2001
From: jxom <7336481+jxom@users.noreply.github.com>
Date: Wed, 29 Apr 2026 09:26:02 +1000
Subject: [PATCH] fix(webAuthn): send credential.raw to keys.tempo.xyz POST
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The key-manager server (Handler.keyManager in tempo.ts/server) reads
credential.response.clientDataJSON from the request body. The full
P256Credential object nests the WebAuthn response under .raw, so sending
credential directly produces credential.raw.response.clientDataJSON,
which the server can't find — resulting in a 500 (and a misleading CORS
error in the browser since the unhandled exception strips CORS headers).

Send credential.raw instead, which already has the serialized base64
shape the server expects (Registration.Credential is Credential<true>).

Amp-Thread-ID: https://ampcode.com/threads/T-019dd656-8177-7528-b2af-f75c0a8adb54
---
 src/lib/webAuthnCeremony.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/webAuthnCeremony.ts b/src/lib/webAuthnCeremony.ts
index 21a814b1..4738b83c 100644
--- a/src/lib/webAuthnCeremony.ts
+++ b/src/lib/webAuthnCeremony.ts
@@ -52,7 +52,7 @@ export function keys(options: keys.Options = {}): WebAuthnCeremony.WebAuthnCerem
       const response = await fetch(`${url}/${credential.id}`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ credential, publicKey }),
+        body: JSON.stringify({ credential: credential.raw, publicKey }),
       })
       if (!response.ok) {
         const { error } = (await response.json().catch(() => ({}))) as { error?: string }