by agl
774 days ago
> The popular libraries seem to follow a kind of "shadow spec" where they agreed on using the URL-friendly variant of base64

WebAuthn itself uses base64url rather than base64. See, e.g., the `id` field here: https://www.w3.org/TR/webauthn-2/#iface-pkcredential (It was probably a mistake, but it predates me so I don't know the motivation.)

> I still don't know whether it's possible to use both usernameless and usernameful passkeys simultaneously.

Non-discoverable credentials can only be used if their credential ID is passed in an allowlist. Discoverable credentials (a.k.a. "resident" in the API, although that name is a bit misleading) _can_ be enumerated in an allowlist. So they can work together, but to have the allowlist you must collect a username first or have some other way of knowing which account is pertinent to the current session.
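The allowlist behaviour described in the reply above, as an added example that is not part of the thread and not any participant's code: it builds the WebAuthn request options for both the username-first and the usernameless case, decoding stored base64url credential IDs strictly. The store, account name and credential IDs are constructed, and `buildRequestOptions` and `base64urlToBytes` are hypothetical helper names.

```javascript
// Constructed sample store: account name -> registered credentials. IDs are
// base64url strings, the encoding WebAuthn uses for the `id` field.
const SAMPLE_STORE = new Map([
  ["alice", [
    { id: "AQIDBAUGBwg", discoverable: false, transports: ["usb"] },
    { id: "-_8AAQ", discoverable: true, transports: ["internal"] },
  ]],
]);

// Decode base64url (RFC 4648 section 5, unpadded) into bytes. Plain base64
// input containing "+", "/" or "=" is rejected instead of silently accepted.
function base64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s) || s.length % 4 === 1) {
    throw new TypeError("not a base64url string");
  }
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build the `publicKey` member for navigator.credentials.get().
// username === null : empty allowlist, so only discoverable credentials can
//                     answer and the authenticator reports which account it is.
// username given    : every credential of that account goes in the allowlist,
//                     discoverable or not, so both kinds work in one request.
function buildRequestOptions(challenge, username, store) {
  const registered = username === null ? [] : store.get(username) ?? [];
  return {
    challenge,
    userVerification: "preferred",
    allowCredentials: registered.map((cred) => ({
      type: "public-key",
      id: base64urlToBytes(cred.id),
      transports: cred.transports,
    })),
  };
}
```

The `challenge` argument is expected to be fresh random bytes issued by the relying party for this login attempt.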
I will say though, when it all works out it's a really nice way to log in, and my users are happy about it.