Authenticate a passkey

Passkeys and the underlying Web Authentication API are very flexible, and there are several authentication flows. We'll adopt a simple yet effective strategy: you'll prompt the user to select a passkey, then use it to authenticate.

Prerequisites

We assume you've already followed the steps in the passkey registration tutorial and registered a passkey. We'll also assume you have your Tenancy ID, Client ID and API Key to hand.

Create a Passlock instance

We'll use the Passlock class again:

import { Passlock, PasslockError } from '@passlock/client'

const passlock = new Passlock({ tenancyId, clientId })

Authenticate the user

You'll need to trigger the authentication request in a click handler or similar user-initiated event. Browsers don't allow unsolicited authentication requests.

const result = await passlock.authenticatePasskey({ userVerification: 'discouraged' })

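if (PasslockError.isError(result)) {
  // ... authentication failed: handle the error
} else {
  // ... authentication succeeded: pass the token to your backend
}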

Backend processing

This is exactly the same as the backend registration processing. Exchange the token for the UserPrincipal:

curl -s -H "Authorization: Bearer $API_KEY" "https://api.passlock.dev/$TENANCY/token/$TOKEN" | jq
Output:
{
  "token": "2arafoq-8coasjl-qx4jz3x",
  "sub": "khXCYCxcGwJTLoaG6kVxB",
  "email": "jdoe@gmail.com",
  "givenName": "John",
  "familyName": "Doe",
  "emailVerified": false,
  "authType": "passkey",
  "userVerified": false
}

Once you've obtained the Principal from Passlock, you can use the sub to look up the user in your database.

Tip

Don't use the Passlock token as a session key; use it for the initial authentication only. Use your own framework-specific mechanism to manage sessions.
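The backend steps above (exchange the token, check the principal, look up the user by sub) as an added example; this is not Passlock's own code. The function names, the users Map standing in for your database, and the requireUserVerification option are assumptions; the URL and field names are the ones shown in the curl call and its output.

```javascript
// Added example, not part of the Passlock SDK. All function names are hypothetical.

// Build the exchange URL used in the curl call above, escaping both path parts.
function tokenUrl(tenancyId, token) {
  return `https://api.passlock.dev/${encodeURIComponent(tenancyId)}/token/${encodeURIComponent(token)}`
}

// Backend only: the API key must never reach the browser.
async function exchangeToken(token, { tenancyId, apiKey, fetchFn = fetch }) {
  const res = await fetchFn(tokenUrl(tenancyId, token), {
    headers: { Authorization: `Bearer ${apiKey}` },
  })
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`)
  return res.json()
}

// Decide whether the principal may sign in, and as which local user.
// The Passlock token is deliberately not returned: the caller hands `user`
// to its own session mechanism, which issues its own session identifier.
function resolveUser(principal, users, { requireUserVerification = false } = {}) {
  if (!principal || typeof principal.sub !== 'string' || principal.sub === '') {
    return { ok: false, reason: 'malformed principal' }
  }
  if (principal.authType !== 'passkey') {
    return { ok: false, reason: 'unexpected authType' }
  }
  // With userVerification: 'discouraged' on the client, userVerified can be
  // false. Routes that need a PIN or biometric check should set this option.
  if (requireUserVerification && principal.userVerified !== true) {
    return { ok: false, reason: 'user verification required' }
  }
  const user = users.get(principal.sub)
  return user ? { ok: true, user } : { ok: false, reason: 'unknown user' }
}

// Constructed sample data: the principal mirrors the output shown above,
// and the Map stands in for a database keyed by sub.
const samplePrincipal = {
  token: '2arafoq-8coasjl-qx4jz3x',
  sub: 'khXCYCxcGwJTLoaG6kVxB',
  email: 'jdoe@gmail.com',
  authType: 'passkey',
  userVerified: false,
}
const sampleUsers = new Map([['khXCYCxcGwJTLoaG6kVxB', { id: 1, email: 'jdoe@gmail.com' }]])
```

In a request handler you would call exchangeToken with the token posted by the browser, pass the result to resolveUser, and only then create a session for the returned user.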