Deepak Gupta

Client to Authenticator Protocol 2

CTAP2.

The FIDO Alliance protocol that lets a browser communicate with an external authenticator (USB security key, NFC token, BLE device) to perform WebAuthn operations.

CTAP2 is implemented inside the browser and inside FIDO2 hardware tokens (YubiKey, Feitian, Google Titan). Web developers do not write CTAP2 directly, they write WebAuthn, and the browser handles the CTAP2 conversation with whatever authenticator is connected.

Common questions

Is CTAP2 the same as WebAuthn?

Do I need to implement CTAP2 myself?

What's the difference between CTAP1 and CTAP2?

Related terms

In the guides

WebAuthn Explained: How Passkeys Work Under the Hood
WebAuthn is the W3C browser API that powers passkeys. A practical explanation of registration, assertion, RP-IDs, attestation, and the architecture choices that determine adoption.