Passkeys and Client SDKs
Learn how to use Authsignal’s Client SDKs to integrate passkeys to your web or mobile app with your own custom UI.
Authsignal Client SDKs for passkeys allow you to embed passkey functionality directly into your web or mobile app, enhancing an existing login page or step-up authentication flow.
Using Authsignal's mobile SDKs to implement passkeys natively
Configuration
Web
Authsignal’s Web SDK lets you use passkeys on your own domain, so you don’t need to set up a custom domain.
You just need to enable Passkey as an authenticator in the Authsignal Portal and set the Relying Party ID to the domain where your app is hosted (e.g. example.com).
Defining the Relying Party corresponding to your domain
You will also need to set the expected origins for any subdomains where you want to use passkeys.
Configuring expected origins in the Authsignal Portal
Mobile
Using passkeys on native mobile apps requires setting up an associated domain. You can find more detailed information on this in our SDK guides:
You then need to set your Relying Party ID to match your app’s associated domain.
If you’re using Android, you will also need to add an expected origin value for your APK hash.
Setting an expected origin value for your APK hash
One way to obtain your app’s APK hash is to run a signing report.
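The Relying Party ID and expected origin values described above can be sanity-checked before they are saved. The following is an added example, not Authsignal SDK code and not part of the original page. It assumes the Android expected origin uses the standard android:apk-key-hash: form (base64url of the signing certificate's SHA-256 fingerprint); the function names and sample values are constructed for illustration.

```javascript
// Added example, not Authsignal SDK code. All sample values are constructed.

// Convert the SHA-256 fingerprint printed by a signing report ("AA:BB:...")
// into the origin string Android reports for a native app.
function apkKeyHashOrigin(sha256Fingerprint) {
  const hex = sha256Fingerprint.trim().replace(/:/g, "");
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("expected a 32-byte SHA-256 certificate fingerprint");
  }
  return "android:apk-key-hash:" + Buffer.from(hex, "hex").toString("base64url");
}

// A web origin fits an RP ID when its host is the RP ID or a subdomain of it.
// Simplification: https only, so http://localhost development is not covered.
function webOriginFitsRpId(origin, rpId) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  return url.hostname === rpId || url.hostname.endsWith("." + rpId);
}

// Return a list of problems in a Relying Party ID / expected origins pair.
function lintPasskeyConfig(rpId, expectedOrigins) {
  const problems = [];
  for (const origin of expectedOrigins) {
    if (origin.startsWith("android:apk-key-hash:")) {
      const hash = origin.slice("android:apk-key-hash:".length);
      if (!/^[A-Za-z0-9_-]{43}$/.test(hash)) {
        problems.push(`${origin}: hash is not base64url SHA-256`);
      }
    } else if (!webOriginFitsRpId(origin, rpId)) {
      problems.push(`${origin}: not https or outside RP ID ${rpId}`);
    }
  }
  return problems;
}

// Constructed sample: one good subdomain, one lookalike, one Android app.
const sampleFingerprint = Array(32).fill("0A").join(":");
console.log(lintPasskeyConfig("example.com", [
  "https://app.example.com",
  "https://example.com.evil.test",
  apkKeyHashOrigin(sampleFingerprint),
]));
```

Only the lookalike host is reported: a suffix match without the leading dot would have accepted it, which is why the comparison is against "." + rpId.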
Creating a passkey
1. Backend - Track an action
In your app’s backend, track an action using one of our Server SDKs or with a REST call to our Server API.
When tracking an action to enroll an authenticator, the scope add:authenticators must be explicitly specified if the user is already enrolled with at least one authentication method (e.g. passkey). In such cases you should ensure users are strongly authenticated with one of their existing methods before they can enroll an additional authenticator.
2. Frontend - Use a client SDK
In your app’s frontend, call the signUp function in one of our Client SDKs, passing the token returned in step 1.
Authenticating with an existing passkey
1. Frontend - Use a client SDK
In your app’s frontend, call the signIn function in one of our Client SDKs:
2. Backend - Validate the result
Pass the token returned by the client SDK in step 1 to your backend, validating the result of the sign-in attempt server-side.
On iOS, if the user has no passkeys available on their device, calling signIn will display a QR code. To avoid this UX you can instead use autofill to only show the existing passkeys that are available.
Using autofill (Web and iOS only)
This requires you to have an input field on your web page or app screen for the identifier (e.g. email address) which is used to log in. When the input field is focused, the user will be able to select an existing passkey if one is available on their device.
1. Frontend - Use a client SDK
In your app’s frontend, call the signIn function in one of our Client SDKs and set the autofill param to true.
If the user focuses the input field and successfully activates their passkey, the Authsignal client SDK will resolve with a token.
On Android you can achieve a similar UX by showing an input field and calling signIn() when the field is focused.
2. Backend - Validate the result
Send the token returned by the client SDK to your backend and validate the result of the sign-in attempt server-side.