We highly recommend using our Web SDK or Mobile SDKs as the quickest and simplest way to start implementing passkeys in your app.

However, if you prefer to avoid SDKs and integrate using only REST APIs, the documentation below outlines the Client API’s passkey endpoints and their authentication model.

Creating a passkey

The following endpoints should be called in sequence when creating a passkey.

  1. Generate Passkey Registration Options
  2. Verify Passkey Registration

These endpoints must be authenticated using bearer auth with a token.

Using a passkey

For MFA

When using passkeys as a secondary factor, i.e. in a context where the user has already been authenticated with a primary factor, you should use the following endpoints in sequence.

  1. Generate Passkey Authentication Options
  2. Verify Passkey Authentication

These endpoints should be authenticated using bearer auth with a token.

For sign-in

When using passkeys as the primary factor for sign-in, you should use the following endpoints.

  1. Initiate Challenge
  2. Generate Passkey Authentication Options
  3. Verify Passkey Authentication

These endpoints should be authenticated using basic auth with your tenant ID as the username and an empty password value.

curl https://api.authsignal.com/v1/client/user-authenticators/passkey/authentication-options \
  -X POST \
  -H "Content-Type: application/json" \
  -u "YOUR_TENANT_ID:"

Make sure to include the ":" after your tenant ID to set an empty password value.

This authentication model allows the passkey endpoints to be called when signing in from an unauthenticated context. Typically in this flow you would present the passkey prompt based on whatever credentials are available on the device, then use the result of the Verify Passkey Authentication call to look up the user account corresponding to the passkey credential that was used.
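
For clients that call these endpoints with fetch rather than curl, the following added example (not part of the original documentation or Authsignal's own code) builds the Authorization header for each flow described above and shows what -u "YOUR_TENANT_ID:" puts on the wire. The flow names and function names are hypothetical; the Basic encoding follows RFC 7617.

```javascript
// Added example: which Authorization scheme each passkey flow on this page uses.
// Flow keys are hypothetical labels, not API values.
const FLOW_AUTH = {
  registration: "bearer", // creating a passkey
  mfa: "bearer",          // passkey as a secondary factor
  "sign-in": "basic",     // passkey as the primary factor
};

// Equivalent of curl -u "TENANT_ID:" -> "Basic " + base64("TENANT_ID:").
function basicAuthForTenant(tenantId) {
  if (typeof tenantId !== "string" || tenantId.length === 0) {
    throw new Error("tenant ID is required");
  }
  // RFC 7617: ":" separates user-id and password, so the user-id cannot contain it.
  if (tenantId.includes(":")) {
    throw new Error("pass the bare tenant ID; the trailing ':' is added here");
  }
  const bytes = new TextEncoder().encode(`${tenantId}:`); // empty password
  return "Basic " + btoa(String.fromCharCode(...bytes));
}

// Rejects missing tokens and tokens containing whitespace (including CR/LF).
function bearerAuth(token) {
  if (typeof token !== "string" || !/^\S+$/.test(token)) {
    throw new Error("a token without whitespace is required");
  }
  return "Bearer " + token;
}

function authorizationHeader(flow, { tenantId, token } = {}) {
  const scheme = FLOW_AUTH[flow];
  if (!scheme) throw new Error(`unknown flow: ${flow}`);
  return scheme === "basic" ? basicAuthForTenant(tenantId) : bearerAuth(token);
}

// Decode a Basic header to check what is actually sent (ASCII credentials assumed).
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/.exec(header);
  if (!m) throw new Error("not a Basic Authorization header");
  const decoded = atob(m[1]);
  const sep = decoded.indexOf(":");
  if (sep === -1) throw new Error("missing ':' separator");
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}
```

Passing a header built without the trailing colon to parseBasic throws, which makes the omission visible in a client-side check before a request is sent.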

For more information on how to optimize your sign-in UX with passkeys, refer to our guides on implementing best practice UX for web and mobile.