Developer builds first TypeScript library for FIDO's new passkey-export standard, finds 5 spec bugs
The FIDO Alliance recently released the Credential Exchange Format (CXF), the first open standard for transferring passkeys, passwords, and TOTP secrets across credential managers, with Apple and Bitwarden among early adopters. Finding no TypeScript implementation available, developer Amos Wenger built cxf-kit, an open-source library featuring a parser, serializer, conformance validator, and CLI. While building against the August 2025 proposed standard, Wenger identified five specification bugs, including contradictions between the spec's own examples and its grammar, a CDDL typo that misdefines a data type, and a logical conflict in array declarations. A fifth gap leaves file-credential packaging entirely undefined, forcing each implementation to devise its own convention. The library, released as MIT-licensed version 0.1.1 on GitHub and npm, includes a lossless round-trip guarantee and a hardened CLI that is tested to never expose stored credential values in output.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in