Compatibility Matrix
This page summarises which browser / OS / authenticator combinations have been verified against the Stellar Passkey Kit. The source of truth is docs/matrix/data.json; a JSON Schema governs its shape (docs/matrix/schema.json) and ajv validate -s docs/matrix/schema.json -d docs/matrix/data.json runs in CI on every push.
Snapshot version: matrix-v2026.05.19 — bumped on every CI aggregation per the YK-275 matrix-CI farm. Adopters should pin against a specific snapshot when shipping a release; new entries land on the next quarterly cadence (YK-299).
⚠️ Known gaps in this snapshot. Cells marked partial are not bugs in the kit — they record where the test-driver itself cannot currently exercise the underlying ceremony end-to-end. Specifically:
- Firefox — mozilla/geckodriver ships virtual-authenticator endpoints, but its CHANGES.md explicitly warns in 0.34.0 / 0.35.0 / 0.36.0: "several Virtual Authenticator endpoints have been reported as non-functional or behaving unexpectedly. We recommend avoiding the use of these commands until the known issues have been resolved." We track the gap under YK-272.
- Safari / WebKit — Playwright cannot drive WebAuthn virtual authenticators in WebKit (microsoft/playwright #26621, verbatim from a Playwright maintainer: "This is not currently possible."). Manually validated weekly on macOS Touch ID (every Monday, recorded under manual:safari-touchid-YYYY-MM-DD rows). A safaridriver + selenium-webdriver addVirtualAuthenticator fallback for macos-14 GitHub Actions runners is queued under YK-273.
- Edge — same CDP API as Chromium; install needs sudo playwright install msedge. Coverage gated on running that command (YK-271).

Chromium remains the canonical CI gate (see apps/demo/tests/chromium-virtual.spec.ts); the matrix table tracks when each driver-gap closes.
Snapshot
| Browser | Version | OS | Authenticator | Registration | Assertion | Low-S | Notes |
|---|---|---|---|---|---|---|---|
| chromium | 148.0.7778.96 | macOS (Darwin 25.4.0) | CDP virtual authenticator | ok | ok | canonical | apps/smoke + apps/demo Playwright gates green. apps/demo fixture-tx confirmed on-chain SUCCESS (YK-266). |
| safari | TBD | macOS | Touch ID | partial | partial | normalized | Apple Touch ID emits high-S sigs; SDK normalises client-side (YK-248). Automated coverage blocked on microsoft/playwright #26621 — maintainer verbatim: "This is not currently possible." Manually validated weekly (Monday, manual:safari-touchid-YYYY-MM-DD rows). Safaridriver fallback queued under YK-273. |
| safari | TBD | iOS | iCloud Keychain (Touch / Face ID) | partial | partial | normalized | iCloud Keychain syncs passkeys across the user's Apple devices. Same playwright #26621 blocker. Weekly manual run on the author's iPhone + monthly BrowserStack App Live (YK-297). |
| firefox | TBD | linux | geckodriver virtual authenticator (≥ 0.34.0) | partial | partial | canonical | Upstream warning, verbatim from mozilla/geckodriver CHANGES.md (0.34.0 / 0.35.0 / 0.36.0): "Since their introduction in geckodriver 0.34.0, several Virtual Authenticator endpoints have been reported as non-functional or behaving unexpectedly. We recommend avoiding the use of these commands until the known issues have been resolved." Tracking under YK-272. |
| firefox | TBD | Windows | Windows Hello (via Firefox dispatcher) | partial | partial | canonical | Firefox on Windows routes WebAuthn to Hello. ES256 ceremony works; CI driver path waits for geckodriver fix (see Firefox/Linux row). Manual real-device validation queued. |
| chrome | TBD | Windows | Windows Hello (TPM-backed) | partial | partial | canonical | Chrome on Windows binds passkeys to Hello. SDK requires ES256 (-7); Hello supports it. Pending YK-275 windows-latest + chromium CI run + author's Windows VM manual validation. |
| chrome | TBD | Android | Android StrongBox / Play Services FIDO | partial | partial | canonical | Android Chrome's GMS FIDO emits canonical low-S signatures and registers passkeys to the user's Google account by default. Coverage on first green BrowserStack run (YK-297). |
| edge | TBD | macOS | CDP virtual authenticator (Chromium fork) | partial | partial | canonical | Same CDP API as Chromium; coverage unblocks once sudo playwright install msedge lands. Tracking under YK-271. |
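
The Low-S column records whether an authenticator's signatures are already canonical or have to be normalised by the SDK. As an added example (not the kit's own code; all function names are hypothetical), this shows that normalisation, assuming the DER-encoded ES256 signature that WebAuthn specifies and a verifier that expects 64-byte r||s with s in the lower half of the P-256 order:

```javascript
// Added example, not the kit's code: ES256 low-S normalisation.
// n = order of the P-256 (secp256r1) group.
const N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n;
const HALF_N = N >> 1n; // floor(n / 2); s above this is "high-S"

// Read one DER INTEGER at `off`; return its value and the next offset.
function readDerInt(buf, off) {
  if (buf[off] !== 0x02) throw new Error("expected DER INTEGER");
  const len = buf[off + 1];
  if (!len || len > 33 || off + 2 + len > buf.length) throw new Error("bad INTEGER length");
  if (buf[off + 2] & 0x80) throw new Error("negative INTEGER");
  let v = 0n;
  for (let i = 0; i < len; i++) v = (v << 8n) | BigInt(buf[off + 2 + i]);
  return { value: v, next: off + 2 + len };
}

// Parse SEQUENCE { r, s }. P-256 signatures fit short-form lengths (<= 72 bytes).
function parseDerSignature(der) {
  if (der[0] !== 0x30 || der[1] !== der.length - 2) throw new Error("bad SEQUENCE");
  const r = readDerInt(der, 2);
  const s = readDerInt(der, r.next);
  if (s.next !== der.length) throw new Error("trailing bytes");
  for (const x of [r.value, s.value]) {
    if (x <= 0n || x >= N) throw new Error("r or s out of range");
  }
  return { r: r.value, s: s.value };
}

// Big-endian, zero-padded 32-byte encoding of a scalar.
function to32(x) {
  return Uint8Array.from(x.toString(16).padStart(64, "0").match(/../g), (h) => parseInt(h, 16));
}

// DER in, 64-byte r||s out, with s replaced by n - s when it is in the upper half.
function toCompactLowS(der) {
  const { r, s } = parseDerSignature(der);
  const wasHighS = s > HALF_N;
  const out = new Uint8Array(64);
  out.set(to32(r), 0);
  out.set(to32(wasHighS ? N - s : s), 32);
  return { compact: out, wasHighS };
}

// Constructed sample (not a real signature): r = 1, s = n - 1, i.e. high-S.
const sBytes = [0x00, ...to32(N - 1n)];
const SAMPLE_DER = Uint8Array.from([0x30, 5 + sBytes.length, 0x02, 0x01, 0x01, 0x02, sBytes.length, ...sBytes]);
```

Both (r, s) and (r, n - s) verify under ECDSA, which is why a verifier that insists on canonical signatures needs the client to pick the low-S form before submission.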
Status legend
- ok — registration / assertion succeeded end-to-end in CI or a manual bench.
- partial — partial coverage: e.g. the underlying ceremony works on the real authenticator but the CI test driver cannot reach it (the Safari + Firefox rows above). Promoted to ok when the gap is closed.
- fail — known failure (no row is fail at matrix-v2026.05.19).
Adding rows
- Each CI job writes a partial JSON artifact under docs/matrix/data.json.parts/{matrix-vYYYY.MM.DD}-{os}-{browser}.json (per YK-275). The aggregate step merges them and bumps matrixVersion.
- Manual hardware-bench rows (YK-296 — YubiKey 5 NFC / YubiKey Bio) use ciRunUrl of the form manual:hw-bench-YYYY-MM-DD and are added out-of-band.
- Quarterly snapshots (YK-299) tag the matrix as matrix-vYYYY.Qn and ship in CHANGELOG.md.
The renderer for this page becomes dynamic when the VitePress docs site (YK-280 / PSK-049) lands; today the table above is a static markdown rendering of data.json's entries array — ajv enforces they stay in sync.