Passkeys
Generate registration options
POST https://api.authsignal.com/v1/client/user-authenticators/passkey/registration-options
Use this endpoint to generate options to register a new passkey.
The response can be passed to the underlying platform APIs (see examples for Web, iOS and Android).
API auth
Use bearer auth with a token returned from the Authsignal Server API.
Request
username: string | undefined
The username which uniquely identifies the user, e.g. email address. Will be inferred if not passed, based on existing user identifiers.
Response
challengeId: string
The ID of the passkey challenge. Should be passed back to complete the enrollment.
options: object
The options for public key credential creation, based on https://w3c.github.io/webauthn/#dictdef-publickeycredentialcreationoptionsjson.
Verify registration
POST https://api.authsignal.com/v1/client/user-authenticators/passkey
Use this endpoint to finish the process of registering a new passkey authenticator.
API auth
Use bearer auth with the same token that was used to generate registration options.
Request
challengeId: string
The ID of the passkey challenge returned when generating registration options.
registrationCredential: object
The registration credential object, based on https://w3c.github.io/webauthn/#dictdef-registrationresponsejson.
Response
isVerified: boolean
True if the passkey challenge was valid and the device was enrolled successfully.
accessToken: string | undefined
A new short-term token with scopes to manage authenticators (e.g. add secondary authenticators, remove authenticators, view or regenerate recovery codes). Only present if the challenge succeeded.
userAuthenticatorId: string | undefined
The ID of the user's new authenticator which is associated with the passkey credential.
Generate authentication options
POST https://api.authsignal.com/v1/client/user-authenticators/passkey/authentication-options
Use this endpoint to generate options to authenticate with an existing passkey.
The response can be passed to the underlying platform APIs (see examples for Web, iOS and Android).
API auth
Option 1. If the user is already authenticated (i.e. for MFA or step-up auth)
Use bearer auth with a token returned from the Authsignal Server API.
Option 2. If the user is not already authenticated (i.e. for passwordless login or autofill)
Use basic auth with your Authsignal tenant ID as the username:
curl \
--url https://api.authsignal.com/v1/client/user-authenticators/passkey/authentication-options \
--request POST \
--user 6e7053be-9cca-4dab-8702-00c8116feb85:
Request
username: string | undefined
The username which uniquely identifies the user. Not required if initiating a challenge before the user is known, e.g. when initializing a text field for passkey autofill.
Response
challengeId: string
The ID of the passkey challenge. Should be passed back to complete the enrollment.
options: object
The options for public key credential authentication, including rpId and challenge.
Verify authentication
POST https://api.authsignal.com/v1/client/verify/passkey
Use this endpoint to finish the process of authenticating with an existing passkey authenticator.
API auth
Use the same approach that was used to generate authentication options.
Request
challengeId: string
The ID of the passkey challenge returned when generating authentication options.
authenticationCredential: object
The authentication credential object, based on https://w3c.github.io/webauthn/#dictdef-authenticationresponsejson.
Response
isVerified: boolean
True if the passkey challenge was valid and the device was authenticated successfully.
accessToken: string | undefined
A new short-term token with scopes to manage authenticators (e.g. add secondary authenticators, remove authenticators, view or regenerate recovery codes). Only present if the challenge succeeded.
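Example (added here, not Authsignal's own SDK code): the two authentication calls chained together, reusing one Authorization header for both requests as the API auth sections require, and treating anything other than a literal isVerified: true as a failure. The function names, the JSON request encoding and the getCredential callback (a caller-supplied wrapper around the platform API, e.g. navigator.credentials.get in a browser) are assumptions.

```javascript
// Added example. Only the endpoint paths and JSON field names come from the page.
const BASE = "https://api.authsignal.com/v1/client";

// Option 1 (token) -> bearer auth. Option 2 (tenantId) -> basic auth with the
// tenant ID as the username and an empty password.
function authHeader({ token, tenantId }) {
  if (token) return `Bearer ${token}`;
  if (tenantId) return `Basic ${btoa(`${tenantId}:`)}`;
  throw new Error("token or tenantId required");
}

// Assumption: request bodies are sent as JSON.
async function post(fetchImpl, url, authorization, body) {
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { Authorization: authorization, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`HTTP ${res.status} from ${url}`);
  return res.json();
}

// getCredential(options) is hypothetical: it hands the options to the platform
// API and resolves to the authentication credential serialised as JSON.
async function authenticateWithPasskey({ auth, username, getCredential, fetchImpl = fetch }) {
  const authorization = authHeader(auth); // computed once, reused for both calls
  const { challengeId, options } = await post(
    fetchImpl, `${BASE}/user-authenticators/passkey/authentication-options`,
    authorization, username ? { username } : {}); // username omitted for autofill
  const authenticationCredential = await getCredential(options);
  const result = await post(fetchImpl, `${BASE}/verify/passkey`, authorization,
    { challengeId, authenticationCredential });
  // Fail closed: a missing or non-boolean isVerified is not a success, and
  // accessToken is only surfaced when the challenge succeeded.
  if (result.isVerified !== true) return { isVerified: false };
  return { isVerified: true, accessToken: result.accessToken };
}
```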