Passkeys are the modern replacement for passwords — phishing-resistant by design, with no shared secret on Authaz's side. Users sign in with whatever authenticator their device offers: Touch ID, Face ID, Windows Hello, a YubiKey, or a synced passkey from iCloud Keychain / Google Password Manager / 1Password.
Use it in your app. Once enabled, Passkey appears as a sign-in option on Authaz Sign-In automatically — your app code doesn't change. The standard sign-in flow (Next.js · React · Hono · cURL) routes the user through whichever method they pick.
# Enable passkeys for an applicationcurl -X PUT https://your-app.authaz.io/api/v1/applications/{appId}/auth/passkey \ -H "X-API-Key: $AUTHAZ_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "enabled": true }'
The Passkey button appears on Authaz Sign-In automatically.
WebAuthn is a public-key protocol. The user's authenticator generates a keypair scoped to your domain; the private key never leaves the device, and Authaz only ever sees the public key.
The flow has two phases:
Registration — first-time setup, after the user has signed in with another method (or during the verified-email signup flow):
1. Browser asks Authaz for registration options (POST /auth/passkey-provider/register/start)
2. Authaz returns a challenge and the user's ID
3. Browser prompts the authenticator (Touch ID, etc.)
4. Authenticator returns an attestation
5. Browser sends it to Authaz (POST /auth/passkey-provider/register/complete)
6. Authaz verifies the attestation and stores the public key
Authentication — every subsequent sign-in:
1. Browser asks Authaz for assertion options (POST /auth/passkey-provider/login/start)
2. Authaz returns a challenge
3. Browser prompts the authenticator
4. Authenticator returns a signed assertion
5. Browser sends it to Authaz (POST /auth/passkey-provider/login/complete)
6. Authaz verifies the signature, creates a session
Authaz Sign-In does all of this for you. You only need to call these endpoints directly if you're building a custom login UI.
By default Authaz accepts any platform or roaming authenticator:
Platform — built into the device (Touch ID, Face ID, Windows Hello, Android biometrics).
Roaming — external (YubiKey, Solo Key, phone-as-passkey via QR).
User verification is required (the user must present a biometric or PIN), and resident keys (a.k.a. discoverable credentials, syncable passkeys) are required so users don't need to type a username first.
These defaults match what RP guidance from FIDO Alliance recommends and what Apple, Google, Microsoft now ship by default.
Email-verified signup (recommended) — user proves they control the email before registering a passkey:
1. User enters email
2. Authaz sends a verification code
3. User enters the code
4. User registers a passkey on the spot
Endpoints:
POST /auth/passkey-provider/signup/verify-email/request
POST /auth/passkey-provider/signup/verify-email/confirm
POST /auth/passkey-provider/signup/start
POST /auth/passkey-provider/signup/complete
Direct signup — passkey first, email is captured but unverified. Useful for invite-only contexts where you've already validated the email out of band:
POST /auth/passkey-provider/signup/start
POST /auth/passkey-provider/signup/complete
# List the current user's passkeyscurl https://your-app.authaz.io/api/v1/users/me/passkeys \ -H "Authorization: Bearer USER_ACCESS_TOKEN"# Remove onecurl -X DELETE https://your-app.authaz.io/auth/passkey-provider/passkeys/{passkeyId} \ -H "Authorization: Bearer USER_ACCESS_TOKEN"
Each entry includes name (best-effort, derived from the authenticator), createdAt, lastUsedAt, and the AAGUID — useful for surfacing "Touch ID on iPhone" vs. "YubiKey 5C" in your settings page.
Passkeys can't be reset over email — the private key is tied to a device. Build a recovery path that doesn't depend on the passkey itself:
Recovery codes. Generate at registration time, ask the user to print or store them. Burn one code to register a new passkey.
Secondary factor. If the user also has a password or MFA enrolled, those let them re-add a passkey from a new device.
Operator-assisted reset. Verified support staff can wipe a user's passkeys via DELETE /api/v1/users/{userId}/passkeys — pair with a real identity-verification step.
Authaz doesn't pick a recovery story for you because the right answer depends on your risk tolerance.
