Public key in DER format

WebAuthn exports the public key in DER format.

Last updated - Mon May 29 2023


The easiest way to retrieve a user's public key during the WebAuthn workflow is to call getPublicKey() on the response object returned by the credential creation process. To get access to this method, cast the response to the type AuthenticatorAttestationResponse; otherwise the method won’t be available. Bear in mind that this interface is only available during creation of the Passkey and not during retrieval of the credential (e.g. a get call), where an assertion against the server data is being created.

Finally, bear in mind that when using this method the public key is returned in DER format, and not in the CBOR format it has when retrieved from the authenticatorData payload. You can import and manipulate this key (originally an ArrayBuffer) as a CryptoKey using the Web Cryptography API's crypto.subtle.importKey method, passing spki as the format parameter.
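The import described above, as an added example that is not code from the original page or its author. The helper names (importParamsForCoseAlg, importPasskeyPublicKey, demo) are hypothetical, the response object in demo() is a constructed stand-in for a real AuthenticatorAttestationResponse, and only ES256 and RS256 are handled.

```javascript
// In a browser, `response` is credential.response from navigator.credentials.create().
// Outside a browser this falls back to Node's webcrypto so the example runs offline.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Map the COSE algorithm id from getPublicKeyAlgorithm() to importKey parameters.
function importParamsForCoseAlg(coseAlg) {
  switch (coseAlg) {
    case -7: // ES256
      return { name: 'ECDSA', namedCurve: 'P-256' };
    case -257: // RS256
      return { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
    default:
      throw new Error(`Unsupported COSE algorithm: ${coseAlg}`);
  }
}

// Import the DER (SubjectPublicKeyInfo) bytes as a verify-only CryptoKey.
async function importPasskeyPublicKey(spkiDer, coseAlg) {
  if (!spkiDer) {
    // getPublicKey() returns null when the browser does not understand the key type.
    throw new Error('getPublicKey() returned null; read the key from authenticatorData');
  }
  return subtle.importKey('spki', spkiDer, importParamsForCoseAlg(coseAlg), true, ['verify']);
}

// Constructed stand-in for an AuthenticatorAttestationResponse: a fresh P-256 key
// exported as SPKI plays the role of the getPublicKey() return value.
async function demo() {
  const ecParams = { name: 'ECDSA', namedCurve: 'P-256' };
  const pair = await subtle.generateKey(ecParams, true, ['sign', 'verify']);
  const spki = await subtle.exportKey('spki', pair.publicKey);
  const response = { getPublicKey: () => spki, getPublicKeyAlgorithm: () => -7 };

  const key = await importPasskeyPublicKey(response.getPublicKey(), response.getPublicKeyAlgorithm());
  // Signed with WebCrypto itself (not a WebAuthn assertion) to show the key is usable.
  const data = new TextEncoder().encode('constructed sample data');
  const sigAlg = { name: 'ECDSA', hash: 'SHA-256' };
  const sig = await subtle.sign(sigAlg, pair.privateKey, data);
  return {
    derLength: spki.byteLength, // a P-256 SPKI is 91 bytes
    type: key.type,
    usages: key.usages,
    verified: await subtle.verify(sigAlg, key, sig, data),
  };
}
```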


By 0xjjpa.

MIT License'd code available in GitHub.

Last updated - Sun Oct 08 2023