The FIDO Alliance recently published the Credential Exchange Format (CXF) — the first standard way to move passkeys, passwords, and TOTP secrets between credential managers. Apple ships it in iOS 26, Bitwarden was the first third-party manager to support it, and until now, exporting your vault meant a plaintext CSV. CXF is genuinely important infrastructure.
There was no TypeScript implementation. So I built one: cxf-kit — data models, parser, serializer, conformance validator, and a CLI, built against the Proposed Standard of 2025-08-14 with the spec's CDDL grammar vendored as the single source of truth, and interop-tested against Bitwarden's Rust implementation.
Implementing a spec line-by-line is the deepest way to read it. Here's what I found.
1. The spec's own example contradicts its own grammar. Appendix A's passkey carries fido2Extensions.hmacSecret with an "HS256" algorithm — a structure and value that appear nowhere in the CDDL, which defines hmacCredentials with hmac-sha256. Real exporters copy examples, so my validator treats this shape as a warning rather than an error: a validator that fails the spec's own example would be useless against real-world exports.
2. The example breaks the spec's formatting rules twice more. It uses "CA" where subdivision-code requires the ISO 3166-2 form US-CA, and "WPA2" where the wifi enum says wpa2-personal.







