Implement the conformance test API endpoints: POST /attestation/options, POST /attestation/result, POST /assertion/options, POST /assertion/result following the FIDO Alliance Conformance Test API specification in the conformance-test-tools-resources GitHub repo
Download the FIDO Alliance conformance tools (latest v1.8.0 as of early 2026) and run the FIDO2 Server test suite against your local endpoint
Address all mandatory test failures; the tool reports test IDs and expected vs actual responses — cross-reference the WebAuthn L2/L3 spec sections cited in each failure
Ensure your server correctly handles all five attestation statement formats: packed, tpm, android-key, android-safetynet (legacy), fido-u2f, and none
Submit self-conformance test results to the FIDO Alliance interoperability testing event before the deadline; successful self-conformance is a prerequisite for the interop event
After the interoperability event, apply for FIDO2 Server certification through the FIDO Alliance certification portal
Known gotchas
The conformance tool sends test credentials that are not backed by real hardware — your server must accept test AAGUID values and not reject them as untrusted during the conformance run
Many servers fail the conformance tests on edge cases: credential ID length bounds, authenticator data flag validation (UP and UV bits), and counter rollback detection — test these explicitly
The conformance API is a dedicated test interface separate from your production WebAuthn endpoints; do not expose it in production
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp