It can all be implemented within the web application, there's no need for delegation to a "FIDO server". It's also not a direct communication between the server and the token, it's the browser or operating system that handles the CTAP communication to the token (such as filtering what 'RP ID' and other information is presented to the token, versus it just blindly passing through anything from the server), while the communication to the web application is a JSON-based format.
Within the web application, you're just generating a challenge, verifying a cryptographic signature (ECDSA key, SHA-256 hash, if I remember correctly) against a public key stored with the account, and keeping track of the signature count.