diff --git a/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift b/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
index 0eed662..0bd428a 100644
--- a/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
+++ b/Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift
@@ -21,8 +21,17 @@ import Foundation
 public struct PublicKeyCredentialRequestOptions: Sendable {
 /// A challenge that the authenticator signs, along with other data, when producing an authentication assertion.
 ///
- /// When encoding using `Encodable` this is encoded as base64url.
- public var challenge: [UInt8]
+ /// The Relying Party should store the challenge temporarily until the authentication flow is complete. When encoding using `Encodable` this is encoded as base64url.
+ ///
+ /// - SeeAlso: See ``unsafeSetChallenge(_:)`` for updating the challenge.
+ public private(set) var challenge: [UInt8]
+
+ /// Unsafely change the challenge that will be delivered to the client.
+ ///
+ /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol.
+ public mutating func unsafeSetChallenge(_ newValue: [UInt8]) {
+ challenge = newValue
+ }

 /// A time, in seconds, that the caller is willing to wait for the call to complete. This is treated as a
 /// hint, and may be overridden by the client.
diff --git a/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift b/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
index 7a37164..539afcc 100644
--- a/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
+++ b/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
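Review bot: The `- Warning:` on `unsafeSetChallenge(_:)` says that changing the challenge is unsafe but not what a replacement value has to satisfy, so a caller who genuinely needs the method has nothing to check their value against. WebAuthn depends on the challenge being unpredictable and tied to one ceremony, and the spec recommends at least 16 bytes; the value set here must also be the one the Relying Party stores and later verifies. I would extend the warning to something like `/// - Warning: A replacement challenge must come from a cryptographically secure random source, be at least 16 bytes long, be used for a single ceremony, and be the value the Relying Party stores for verification.` As written the method also accepts an empty array without complaint, and the identical method added to `PublicKeyCredentialCreationOptions` in the next file has the same gaps.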
@@ -25,7 +25,16 @@ public struct PublicKeyCredentialCreationOptions: Sendable {
 ///
 /// The Relying Party should store the challenge temporarily until the registration flow is complete. When
 /// encoding using `Encodable`, the challenge is base64url encoded.
- public let challenge: [UInt8]
+ ///
+ /// - SeeAlso: See ``unsafeSetChallenge(_:)`` for updating the challenge.
+ public private(set) var challenge: [UInt8]
+
+ /// Unsafely change the challenge that will be delivered to the client.
+ ///
+ /// - Warning: Although the challenge can be changed, doing so is not recommended and can lead to an insecure implementation of the WebAuthn protocol.
+ public mutating func unsafeSetChallenge(_ newValue: [UInt8]) {
+ challenge = newValue
+ }

 /// Contains names and an identifier for the user account performing the registration.
 public var user: PublicKeyCredentialUserEntity
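Review bot: The registration challenge goes from immutable to mutable in this hunk: `challenge` was a `let`, and the new `unsafeSetChallenge(_:)` lets any code holding a `var` copy of the options replace it after construction. If the setter was added here only for symmetry with the request options, consider keeping `public let challenge: [UInt8]` and dropping the method, so the value sent to the client cannot drift from the one the Relying Party stored. If registration does need it, a sentence in the doc comment naming the use case would help anyone auditing calling code. As a smaller point of style, the word "See" after `- SeeAlso:` is redundant and can be dropped in both files.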