
Passkeys

Generate registration options

POST https://api.authsignal.com/v1/client/user-authenticators/passkey/registration-options

Use this endpoint to generate options to register a new passkey.

The response can be passed to the underlying platform APIs (see examples for Web, iOS and Android).

API auth

Use bearer auth with a token returned from the Authsignal Server API.

Request

  • username: string | undefined

    The username which uniquely identifies the user, e.g. email address. Will be inferred if not passed, based on existing user identifiers.

Response

  • challengeId: string

    The ID of the passkey challenge. Should be passed back to complete the enrollment.

  • options: object

    The options for public key credential creation, based on https://w3c.github.io/webauthn/#dictdef-publickeycredentialcreationoptionsjson.

Verify registration

POST https://api.authsignal.com/v1/client/user-authenticators/passkey

Use this endpoint to finish the process of registering a new passkey authenticator.

API auth

Use bearer auth with the same token that was used to generate registration options.

Request

  • challengeId: string

    The ID of the passkey challenge returned when generating registration options.

  • registrationCredential: object

    The registration credential object, based on https://w3c.github.io/webauthn/#dictdef-registrationresponsejson.

Response

  • isVerified: boolean

    True if the passkey challenge was valid and the device was enrolled successfully.

  • accessToken: string | undefined

    A new short-term token with scopes to manage authenticators (e.g. add secondary authenticators, remove authenticators, view or regenerate recovery codes). Only present if the challenge succeeded.

  • userAuthenticatorId: string | undefined

    The ID of the user's new authenticator which is associated with the passkey credential.

Generate authentication options

POST https://api.authsignal.com/v1/client/user-authenticators/passkey/authentication-options

Use this endpoint to generate options to authenticate with an existing passkey.

The response can be passed to the underlying platform APIs (see examples for Web, iOS and Android).

API auth

Option 1. If the user is already authenticated (i.e. for MFA or step-up auth)

Use bearer auth with a token returned from the Authsignal Server API.

Option 2. If the user is not already authenticated (i.e. for passwordless login or autofill)

Use basic auth with your Authsignal tenant ID as the username:

curl \
--url https://api.authsignal.com/v1/client/user-authenticators/passkey/authentication-options \
--request POST \
--user 6e7053be-9cca-4dab-8702-00c8116feb85:

Request

  • username: string | undefined

    The username which uniquely identifies the user. Not required if initiating a challenge before the user is known, e.g. when initializing a text field for passkey autofill.

Response

  • challengeId: string

    The ID of the passkey challenge. Should be passed back to complete the authentication.

  • options: object

    The options for public key credential authentication, including rpId and challenge.

Verify authentication

POST https://api.authsignal.com/v1/client/verify/passkey

Use this endpoint to finish the process of authenticating with an existing passkey authenticator.

API auth

Use the same approach that was used to generate authentication options.

Request

  • challengeId: string

    The ID of the passkey challenge returned when generating authentication options.

  • authenticationCredential: object

    The authentication credential object, based on https://w3c.github.io/webauthn/#dictdef-authenticationresponsejson.

Response

  • isVerified: boolean

    True if the passkey challenge was valid and the device was authenticated successfully.

  • accessToken: string | undefined

    A new short-term token with scopes to manage authenticators (e.g. add secondary authenticators, remove authenticators, view or regenerate recovery codes). Only present if the challenge succeeded.
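
The two authentication calls above chained into one sign-in flow, as an added example that is not Authsignal's own code. It shows the same auth scheme being reused for both calls, the challengeId being carried from the options response into the verify request, and the result failing closed unless isVerified is true. The names authHeader, post, signInWithPasskey, getCredential and fetchFn are hypothetical, and the JSON content type is an assumption.

```javascript
// Added example: passkey sign-in against the two authentication endpoints above.
const BASE = "https://api.authsignal.com/v1/client";

// Bearer when a Server API token exists (MFA / step-up); otherwise basic auth
// with the tenant ID as username and an empty password (passwordless / autofill).
function authHeader({ token, tenantId }) {
  if (token) return `Bearer ${token}`;
  if (tenantId) return `Basic ${btoa(`${tenantId}:`)}`;
  throw new Error("either token or tenantId is required");
}

async function post(fetchFn, url, auth, body) {
  const res = await fetchFn(url, {
    method: "POST",
    // Assumption: JSON request bodies; the page does not state a content type.
    headers: { Authorization: authHeader(auth), "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${url} returned HTTP ${res.status}`);
  return res.json();
}

// getCredential is a hypothetical callback that hands `options` to the platform
// WebAuthn API and returns the credential in AuthenticationResponseJSON form.
async function signInWithPasskey({ auth, username, getCredential, fetchFn = fetch }) {
  const { challengeId, options } = await post(
    fetchFn, `${BASE}/user-authenticators/passkey/authentication-options`, auth,
    username ? { username } : {});
  if (!challengeId || !options) throw new Error("malformed options response");

  const authenticationCredential = await getCredential(options);

  // Same auth object as the options call, and the challengeId from that call.
  const result = await post(fetchFn, `${BASE}/verify/passkey`, auth,
    { challengeId, authenticationCredential });

  // Fail closed: only a literal true counts, and accessToken is ignored otherwise.
  if (result.isVerified !== true) return { isVerified: false };
  return { isVerified: true, accessToken: result.accessToken };
}
```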