Add the androidx.credentials:credentials dependency (and credentials-play-services-auth for Google Play Services compatibility) to your Android project
Fetch registration options from your server's /webauthn/register/begin endpoint, then call credentialManager.createCredential() with a CreatePublicKeyCredentialRequest built from the options JSON
Parse the CreatePublicKeyCredentialResponse JSON and POST the attestation response to your server's /webauthn/register/finish endpoint for verification
For authentication, fetch challenge options from /webauthn/login/begin, then call credentialManager.getCredential() with a GetPublicKeyCredentialOption; handle GetCredentialException.TYPE_NO_CREDENTIAL for the case where no passkey exists
Parse the GetCredentialResponse, extract the PublicKeyCredential, and POST the assertion response to your server for verification
Handle the credential provider selection UX: Credential Manager aggregates from Google Password Manager and any installed third-party providers (1Password, Samsung Pass etc.) — the system bottom sheet handles selection automatically
Known gotchas
Credential Manager requires minSdk API 28 (Android 9); on older devices you must fall back to a WebView-based or legacy FIDO2 API flow
The createCredential() call can throw CreateCredentialCancellationException if the user dismisses the sheet — handle this as a non-error cancellation, not a failure
Pass the origin as the rpId in your server options matching your app's asset links (Digital Asset Links must be configured at /.well-known/assetlinks.json for the RP ID); mismatched asset links cause silent registration failures
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp