We highly recommend using our Web SDK or Mobile SDKs as the quickest and simplest way to start implementing passkeys in your app. However, if you prefer to avoid using SDKs and integrate only using REST APIs, then the documentation below outlines the Client API’s passkey endpoints and their authentication model.
When using passkeys as a secondary factor, i.e. in a context where the user has already been authenticated with a primary factor, you should use the following endpoints in sequence.
Make sure to include the colon (:) after your tenant ID to set an empty password value.
This authentication model allows the passkey endpoints to be called when signing in from an unauthenticated context.
Typically in this flow you would present the passkey prompt based on whatever credentials are available on the device, then use the result of the Verify Passkey Authentication call to look up the user account corresponding to the passkey credential that was used. For more information on how to optimize your sign-in UX with passkeys, refer to our guides on implementing best practice UX for web and mobile.