
Introduction

In this tutorial you'll learn how to add passkey registration and authentication to your web application. As Passlock is framework-agnostic, we'll concentrate on passkeys and the Passlock library. We assume you have a reasonable understanding of web development and your chosen tech stack.

Warning

When developing and testing locally, please be aware that browsers will only present passkeys over HTTPS, with the exception of localhost, which can also run over HTTP. If you want to test your code using a smartphone, something like ngrok or pinggy is a great option.

How Passlock works

We've taken the complexity associated with the underlying WebAuthn API and hidden it behind a simple, framework-agnostic JavaScript client library and RESTful API. Conceptually, usage is similar to OAuth2/OIDC (but simpler): the Passlock client library handles authentication, generating a secure token. You send this token to your backend, from where you exchange it for a Principal containing the authentication details.
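
The exchange described above, modelled as an added example (not Passlock's code or API): an in-memory stand-in for the hosted service and a backend handler that takes the user's identity only from the exchanged Principal. All function names, the token format, single-use redemption and the token lifetime are assumptions made for this sketch.

```javascript
// Added sketch of the token-for-Principal exchange; every name here is
// hypothetical and none of it is Passlock's actual API.

// Stand-in for the hosted service: issues a token after a passkey ceremony
// and redeems it for a Principal. Single use and a TTL are assumptions.
function createMockService({ ttlMs = 60_000, now = () => Date.now() } = {}) {
  const issued = new Map(); // token -> { principal, expiresAt }
  let counter = 0;
  return {
    // Called on behalf of the browser client once the passkey check passes.
    issueToken(principal) {
      // Constructed token; a real service would use an unguessable random value.
      const token = `tok_${++counter}`;
      issued.set(token, { principal, expiresAt: now() + ttlMs });
      return token;
    },
    // Called by the backend only (server to server).
    exchange(token) {
      const entry = issued.get(token);
      issued.delete(token); // redeemable once
      if (!entry || now() > entry.expiresAt) return null;
      return entry.principal;
    },
  };
}

// Backend login handler: the request body is untrusted input, so the
// session identity comes from the exchanged Principal and nothing else.
function handleLogin(service, body, sessions) {
  if (typeof body.token !== "string") return { status: 400 };
  const principal = service.exchange(body.token);
  if (!principal) return { status: 401 };
  const sessionId = `sess_${sessions.size + 1}`; // constructed id for the demo
  sessions.set(sessionId, { userId: principal.userId });
  return { status: 200, sessionId };
}

function demo() {
  const service = createMockService();
  const sessions = new Map();
  const token = service.issueToken({ userId: "user-123" });
  // The request also carries a userId field; the handler ignores it.
  const first = handleLogin(service, { token, userId: "admin" }, sessions);
  const replay = handleLogin(service, { token }, sessions);
  const unknown = handleLogin(service, { token: "tok_999" }, sessions);
  return { first, replay, unknown, user: sessions.get(first.sessionId).userId };
}
```
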

JWT verification

As an alternative to step 3, we also offer JWT verification (not covered in this tutorial) which eliminates the network roundtrip at the expense of some additional complexity: