Passkey Documentation
Passkeys are cryptographic credentials that replace passwords with biometric authentication (fingerprint, face scan) or device PINs. PropelAuth BYO’s Passkey APIs handle the complex WebAuthn protocol for you, letting you add passwordless authentication, MFA, or both to your application.
Basic Usage
Passkeys work in two phases: registration (saving a user’s passkey) and authentication (validating that passkey later).
Registration
First, your backend generates registration options. Then your frontend uses a WebAuthn library like @simplewebauthn/browser to prompt the user to create a passkey. Finally, you send the result back to your backend to save the passkey.
```js
// Backend: Begin the registration process for a specific user
const registrationOptions = await auth.passkeys.startRegistration({...});
```
```python
# Backend: Begin the registration process for a specific user
registration_options = await client.passkeys.start_registration(...)
```
```js
// Frontend: Create the passkey on the user's device
import { startRegistration } from "@simplewebauthn/browser";

const credential = await startRegistration({
  optionsJSON: registrationOptions,
});
```
```js
// Backend: Finish the registration
const result = await auth.passkeys.finishRegistration({...});
```
```python
# Backend: Finish the registration
result = await client.passkeys.finish_registration(...)
```
Authentication
To authenticate, your backend sends passkey authentication options to the frontend. The user validates their passkey on their device, generating a signature. Your backend then verifies this signature to complete the authentication.
```js
// Backend: Begin the validation process for a specific user
const authenticationOptions = await auth.passkeys.startAuthentication({...});
```
```python
# Backend: Begin the validation process for a specific user
authentication_options = await client.passkeys.start_authentication(...)
```
```js
// Frontend: Sign the challenge with the user's passkey
import { startAuthentication } from "@simplewebauthn/browser";

const credential = await startAuthentication({
  optionsJSON: authenticationOptions,
});
```
```js
// Backend: Finish the validation
const result = await auth.passkeys.finishAuthentication({...});
```
```python
# Backend: Finish the validation
result = await client.passkeys.finish_authentication(...)
```
See the complete tutorial for step-by-step implementation details.
Configuring Passkey Settings
The passkey_config.jsonc file controls passkey behavior, including limits and security settings.
```jsonc
{
  // Hostname for the WebAuthn relying party
  // Examples: "example.com", "localhost:3000", "app.example.com"
  "hostname": "example.com",

  // Maximum number of passkeys allowed per user (default: 5, max: 10)
  "max_passkeys_per_user": 5
}
```
Supporting Multiple Passkeys
Users can register multiple passkeys (e.g., one on their phone, another on their laptop). Set the limit with max_passkeys_per_user in your config file.
During authentication, PropelAuth BYO automatically sends all the user’s registered passkey identifiers to the frontend. The WebAuthn library handles letting the user choose which passkey to use.
Managing Passkeys
Users may need to remove old passkeys when they get new devices or lose access to existing ones.
Programmatically:
- Deregister Passkey - Remove a specific passkey
- Deregister All Passkeys For User - Remove all passkeys for a user
Via Dashboard: You can also manage passkeys directly in the PropelAuth BYO Dashboard.
