W3C Web Crypto · W3C · Should Know · Product

Web Cryptography API

Browser Platform · World Wide Web Consortium
WHY YOU NEED THIS

The correct way to do crypto in the browser — no npm packages needed. Required for client-side encryption, token signing, secure key storage, and WebAuthn integration. Also available in Node.js and Deno.

What It Defines

Browser-native cryptographic operations: key generation, import/export, encryption (AES-GCM, AES-CBC, RSA-OAEP), signing (HMAC, RSASSA-PKCS1-v1_5, ECDSA), hashing (SHA-256/384/512), and key derivation (PBKDF2, HKDF). These operations are exposed through the SubtleCrypto interface.

crypto · encryption · signing · hashing · browser · security
Standards Body
World Wide Web Consortium

Publishes web platform specs including CSS, accessibility, security policies, Service Workers, Web App Manifest, and many browser APIs. Also maintains some versioned HTML/DOM specs.

Related Specs

RFC 8446 · RFC · Must Know

TLS 1.3

Every HTTPS connection, SMTP/IMAP over TLS, OAuth token exchange, and API call uses TLS. It is the foundational security layer.

Back Office · Product · Transport Security
RFC 7519 · RFC · Must Know

JWT

JWTs are the token format for OIDC ID tokens and many OAuth implementations. Understanding the structure and security tradeoffs is essential.

Product · Authentication & Authorization
W3C WebAuthn L3 · W3C · Should Know

WebAuthn

Passkeys are the modern replacement for passwords. WebAuthn is the browser API. Every new auth system should evaluate it for primary or MFA flow.

Back Office · Product · Authentication & Authorization