Execute the WebAuthn registration ceremony client-side using navigator.credentials.create with PublicKeyCredentialCreationOptions

Steps

1. Fetch a server-generated, cryptographically random challenge (at least 16 bytes) from your backend; never generate the challenge client-side.
2. Construct PublicKeyCredentialCreationOptions with rp.id set to a registrable domain suffix of the current origin, user.id as an opaque byte array (not PII), pubKeyCredParams listing preferred algorithms (e.g. ES256, RS256), and authenticatorSelection specifying residentKey, userVerification, and authenticatorAttachment as needed.
3. Call navigator.credentials.create({ publicKey: options }) and await the PublicKeyCredential response.
4. Extract response.rawId, response.response.clientDataJSON, response.response.attestationObject, and response.response.transports from the returned credential.
5. Send these values base64url-encoded to the server; the server must parse clientDataJSON, verify type is 'webauthn.create', verify the challenge matches and is single-use, check origin, and decode the CBOR attestation object to extract the COSE public key and store it.
6. Record the credential ID and public key (plus the aaguid and sign counter) persistently so subsequent authentication assertions can be verified.