Passkeys
Passkeys using Authsignal's pre-built UI
Implement passkeys instantly with pre-built UI components
We recommend only enrolling passkeys after users have already enrolled with another authentication
factor (like email OTP, SMS, TOTP, etc.).
If you want to integrate passkeys directly into an existing login page or a native mobile app, then using Authsignal Client SDKs is likely the better option.
Set up a custom domain
If you’re using Authsignal’s pre-built UI with passkeys, you’ll need to set up a custom domain. This means that your users’ passkeys will be bound to your own domain rather thanmfa.authsignal.com.
Configure passkeys in the Authsignal Portal
- Navigate to the Authenticators section and click Set up Passkey.
- Add the Relying Party ID in the next step. It’s the domain where your app is hosted (e.g.
example.com). Then click Activate passkeys.
As you already have a custom domain setup in the first step, the Relying Party ID value will
default to your top-level domain. For example, if your custom domain is
auth.example.com then your Relying Party will default to example.com.If you modify your Relying Party ID you may invalidate your existing users’ passkeys. You
should only edit your Relying Party ID before releasing passkey functionality to production, or
when testing with a separate Authsignal tenant associated with a non-production environment.
- Set the expected origins on the next screen.
Configuring expected origins in the Authsignal Portal
Local development
When using the pre-built UI you don’t need to includelocalhost in your passkey configuration even when your app is running on localhost, because all passkey interactions happen on your custom domain.
This makes local development easy because you can use the same configuration for both local and production.
Uplifting users to passkeys
To encourage your users to start using passkeys, we recommend using the pre-built UI’s built in passkey uplift prompt.