Learn how to implement passkeys

Passkey authentication differs from what most developers are used to:

Server & client changes required
Two backend API calls per login / creation
In between: local client authentication

WebAuthn Registration Ceremony

How does passkey creation work?

Passkey creation can occur either during the registration of a new user account or when an authenticated user creates a passkey for their existing account within the profile settings. The process is initiated by the client, e.g. via a "Create a passkey" button, and unfolds in three steps:

  1. The client (a web application in the browser or a native app) requests a random challenge from the server.
  2. The client calls the WebAuthn API via credentials.create(challenge). After the user verifies themselves with biometrics or a PIN, the device (authenticator) generates a key pair (private / public). The private key signs the challenge and is stored securely on the device in a hardware security module (HSM) such as a TPM or secure enclave. The function returns the public key, the credential ID and the signed challenge.
  3. To complete passkey creation, the client sends the public key, credential ID and signed challenge to the server. The server verifies the signed challenge and links the public key and credential ID to the user for future authentication.
WebAuthn Registration Flow

WebAuthn Authentication Ceremony

How does passkey login work?

Unlike passwords, passkeys stay on the user's device. For sign-in they produce a unique cryptographic signature that demonstrates to the server that it was generated with the correct passkey. The user starts passkey authentication on the client side:

  1. The client requests a random challenge from the server.
  2. The client calls the WebAuthn API via credentials.get(challenge), which prompts user verification via biometrics or PIN and then uses the stored passkey to sign the challenge. The function returns the signed challenge, the username and the credential ID associated with the passkey.
  3. To complete passkey authentication, the client sends the signed challenge, the username and the credential ID back to the server. The server checks whether the username and credential ID are recognized and, if so, retrieves the matching public key to validate the signed challenge. If the signature verifies with that public key, the server can be confident that the user possesses the correct passkey and proceeds to establish a session or issue an authorization token.
WebAuthn Authentication Flow

Passkeys Are Based on the WebAuthn Standard

What are the technical concepts behind passkeys?

Read in-depth articles about important passkey concepts.

Relying Party ID

The Relying Party ID binds passkeys to a domain.

Conditional UI (Passkey Autofill)

Conditional UI displays available passkeys to the user without requiring a username.

Discoverable Credentials

Discoverable credentials (resident keys) can be displayed with Conditional UI.

Cross-Device Auth (CDA)

Cross-Device Authentication means using a passkey from another device.

Autocomplete

Conditional UI requires an autocomplete token on the respective input fields.

Native App Passkeys

Using passkeys on a native app requires some specific settings.

Implementation Guides For Many Frameworks

How can I implement passkeys in my framework?

Read our implementation guides for various frameworks and programming languages.

Guides are available for: React, Vue, Angular, Next.js, Nuxt.js, Svelte, JavaScript, Bun, Node.js, Laravel, Symfony, .NET, Spring Boot, Flask, FastAPI, Django, Ruby on Rails, Go, Keycloak passkeys, NextAuth, Supabase, Cognito, Vercel, Flutter.

Passkeys are Based on the WebAuthn Standard

Get more developer guidance

Read in-depth articles about important passkey concepts.

SDKs

Find a collection of the best passkey SDKs available.

Tutorials

Find a collection of the best passkey tutorials available.

WebAuthn Servers

Find the most common WebAuthn server libraries.

Cheat Sheet

Get a passkeys cheat sheet with the most common passkey features.

Misconceptions

Read about passkey misconceptions and unknown unknowns for developers.

Glossary

Understand technical terms and concepts around passkeys / WebAuthn.

Corbado offers Passkeys-as-a-Service

How to integrate passkeys?

Corbado helps you transition your users to passkeys risk-free within <1 hour. Provide the best passwordless login experience now.