Authenticate

Wraps Stytch's authenticate_start and authenticate WebAuthn endpoints and the navigator.credentials web API. Call this method to prompt the user to sign in with an existing Passkey or WebAuthn credential: the SDK fetches a challenge from authenticate_start, passes it to navigator.credentials.get(), and submits the signed assertion to authenticate, which verifies it against the registration stored in Stytch. To enroll a new credential, use the Register method instead.

Call webauthn.authenticate inside an event callback triggered by a user gesture, such as a button click. The exception is conditional_mediation, which is designed to be started on page load and surfaces the user's passkeys in the browser's autofill UI.

You can listen for successful user updates anywhere in the codebase with the stytch.user.onChange() method or useStytchUser() hook if you are using React.


Method parameters


domain string

The domain for Passkeys or WebAuthn, used as the WebAuthn relying party ID. Defaults to window.location.hostname. It must match the domain the credential was registered under, and WebAuthn only accepts the current hostname or a registrable parent of it (for example example.com when the page is served from app.example.com); any other value makes the browser reject the request before Stytch is called.


is_passkey boolean

If true, the WebAuthn flow will be optimized for Passkeys by altering the public_key_credential_request_options returned by authenticate_start and passed to navigator.credentials.get().


session_duration_minutes int

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

If the session_duration_minutes parameter is not specified, a Stytch session will not be created.


signal object

An optional AbortSignal to allow aborting the Passkey or WebAuthn authentication process.


conditional_mediation boolean

Whether to use conditional mediation (autofill) in the authentication flow. When true, the SDK requests mediation "conditional" from navigator.credentials.get(), so the browser offers the user's passkeys inside the autofill dropdown of a text field marked autocomplete="username webauthn" instead of opening a modal prompt. This call can be started on page load without a user gesture; check support first with the Browser supports autofill method, and abort the pending request (via signal) before starting a non-conditional authenticate call, since the browser allows only one pending credential request at a time.
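
The following is an added example, not code from the Stytch docs or SDK, showing how the parameters above fit together on one login page: a conditional-mediation request started on page load, a "Sign in with passkey" button that aborts it through signal before running the modal flow, a local sanity check on the domain option against the page hostname, and a response check that treats a 200 as a login only when a session was created. It assumes only that client.webauthn.authenticate(options) returns a Promise with the parameter and response shape described on this page; the fake client at the bottom is constructed so the flow runs offline.

```javascript
// Added example, not Stytch's own code: one login page that offers both
// passkey autofill (conditional mediation) and a "Sign in with passkey" button.
// Assumptions: `client.webauthn.authenticate(options)` returns a Promise with
// the parameters and response shape described on this page, and the browser
// accepts only one pending credential request at a time, so the autofill
// request must be aborted before the button flow starts.

// WebAuthn only accepts an RP ID equal to the page's hostname or a registrable
// parent of it. This is a local guard for the `domain` option; it does not
// consult the public suffix list, so a suffix such as "co.uk" would still pass.
function isValidRpId(domain, hostname) {
  if (!domain || domain.startsWith(".") || domain.includes("..")) return false;
  if (domain === hostname) return true;
  return domain.split(".").length >= 2 && hostname.endsWith("." + domain);
}

// A 200 response is only a login if a session was created. Without
// session_duration_minutes the response carries session: null and empty tokens.
function summarize(res) {
  const loggedIn = Boolean(res.session) && typeof res.session_jwt === "string" && res.session_jwt.length > 0;
  return {
    loggedIn,
    userId: res.user_id,
    registrationId: res.webauthn_registration_id,
    requestId: res.request_id, // keep for support tickets
  };
}

class PasskeyLogin {
  constructor(client, { hostname, domain = hostname, sessionMinutes = 60 }) {
    if (!isValidRpId(domain, hostname)) {
      throw new Error(`domain "${domain}" is not a valid RP ID for ${hostname}`);
    }
    this.client = client;
    this.domain = domain;
    this.sessionMinutes = sessionMinutes;
    this.autofillController = null;
  }

  // Start on page load. Conditional mediation needs no user gesture; the promise
  // resolves when the user picks a passkey from the username field's autofill
  // list, and resolves to null if we abort it ourselves.
  startAutofill() {
    this.autofillController = new AbortController();
    return this.client.webauthn
      .authenticate({
        domain: this.domain,
        conditional_mediation: true,
        signal: this.autofillController.signal,
        session_duration_minutes: this.sessionMinutes,
      })
      .then(
        (res) => ({ method: "autofill", ...summarize(res) }),
        (err) => (err && err.name === "AbortError" ? null : Promise.reject(err)),
      );
  }

  // Call from the button's click handler (a user gesture). Cancel the pending
  // autofill request first, then run the modal passkey flow.
  authenticateWithButton() {
    if (this.autofillController) {
      this.autofillController.abort();
      this.autofillController = null;
    }
    return this.client.webauthn
      .authenticate({
        domain: this.domain,
        is_passkey: true,
        session_duration_minutes: this.sessionMinutes,
      })
      .then((res) => ({ method: "modal", ...summarize(res) }));
  }
}

// Constructed stand-in for the SDK client so the flow runs offline. It records
// each call and honours `signal` the way navigator.credentials.get() does:
// an aborted request rejects with an AbortError.
function makeFakeClient(delayMs) {
  const calls = [];
  return {
    calls,
    webauthn: {
      authenticate(opts) {
        calls.push(opts);
        return new Promise((resolve, reject) => {
          const withSession = Boolean(opts.session_duration_minutes);
          const timer = setTimeout(() => resolve({
            status_code: 200,
            request_id: "request-id-test-constructed",
            session: withSession ? { session_id: "session-test-constructed" } : null,
            session_jwt: withSession ? "constructed.jwt.value" : "",
            user_id: "user-test-constructed",
            webauthn_registration_id: "webauthn-registration-test-constructed",
          }), delayMs);
          if (opts.signal) {
            opts.signal.addEventListener("abort", () => {
              clearTimeout(timer);
              reject(Object.assign(new Error("aborted"), { name: "AbortError" }));
            });
          }
        });
      },
    },
  };
}
```

In a real page, construct PasskeyLogin with the live Stytch client in place of makeFakeClient, call startAutofill() once the username field is rendered, and wire authenticateWithButton() to the button's click handler. The RP ID check is deliberately conservative: the browser applies the full public-suffix rule, so a value this guard accepts can still be rejected with a SecurityError.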


Response fields


request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.


status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.


session object

If you initiate a Session, by including session_duration_minutes in your authenticate call, you'll receive a full Session object in the response.

See Session object for complete response fields.

session_id string

A unique identifier for a specific Session.

user_id string

The unique ID of the affected User.

authentication_factors array[objects]

An array of different authentication factors that comprise a Session.

started_at string

The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_accessed_at string

The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

expires_at string

The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

attributes object

Provided attributes help with fraud detection.

ip_address string

The IP address of the user.

user_agent string

The user agent of the User.

custom_claims map<string, any>

The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call.


session_jwt string

The JSON Web Token (JWT) for a given Stytch Session.


session_token string

A secret token for a given Stytch Session.


user object

The user object affected by this API call. See the Get user endpoint for complete response field details.

user_id string

The unique ID of the affected User.

status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

name object

The name of the User. Each field in the name object is optional.

first_name string

The first name of the user.

middle_name string

The middle name(s) of the user.

last_name string

The last name of the user.

trusted_metadata object

The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.

untrusted_metadata object

The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.

emails array[objects]

An array of email objects for the User.

email_id string

The unique ID of a specific email address.

email string

The email address.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

phone_numbers array[objects]

An array of phone number objects linked to the User.

phone_id string

The unique ID for the phone number.

phone_number string

The phone number.

verified boolean

The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.

providers array[objects]

An array of OAuth provider objects linked to the User.

oauth_user_registration_id string

The unique ID for an OAuth registration.

provider_subject string

The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.

provider_type string

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.

profile_picture_url string

If available, the profile_picture_url is a URL of the User's profile picture set in the OAuth identity provider that the User has authenticated with, e.g. a Facebook profile picture.

locale string

If available, the locale is the User's locale set in the OAuth identity provider that the user has authenticated with.

webauthn_registrations array[objects]

An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.

webauthn_registration_id string

The unique ID for the Passkey or WebAuthn registration.

domain string

The domain on which Passkey or WebAuthn registration was started. This will be the domain of your app.

user_agent string

The user agent of the User.

authenticator_type string

The authenticator_type string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference.

verified boolean

The verified boolean denotes whether or not this Passkey or WebAuthn registration has been successfully authenticated by the User.

name string

The name of the Passkey or WebAuthn registration.

biometric_registrations array[objects]

An array that contains a list of all biometric registrations for a given User in the Stytch API.

biometric_registration_id string

The unique ID for a biometric registration.

verified boolean

The verified boolean denotes whether or not this biometric registration has been successfully authenticated by the User.

totps array[objects]

An array containing a list of all TOTP instances for a given User in the Stytch API.

totp_id string

The unique ID for a TOTP instance.

verified boolean

The verified boolean denotes whether or not this TOTP instance has been successfully authenticated by the User.

crypto_wallets array[objects]

An array containing a list of all crypto wallets for a given User in the Stytch API.

crypto_wallet_id string

The unique ID for a crypto wallet.

crypto_wallet_address string

The actual blockchain address of the User's crypto wallet.

crypto_wallet_type string

The blockchain that the User's crypto wallet operates on, e.g. Ethereum, Solana, etc.

verified boolean

The verified boolean denotes whether or not this crypto wallet has been successfully authenticated by the User.

password object

The password object is returned for users with a password.

password_id string

The unique ID of a specific password.

requires_reset boolean

Indicates whether this password requires a password reset.

roles array[strings]

Roles assigned to this User. See the RBAC guide for more information about role assignment.

created_at string

The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

status string

The status of the User. The possible values are pending and active.


user_id string

The unique ID of the affected User.


webauthn_registration_id string

The unique ID for the Passkey or WebAuthn registration.


user_device object

If Protected Auth is enabled and returned fingerprinting results, the user_device response field will contain information about the user's device attributes.

ip_address string

The IP address of the user's device.

ip_address_details object

Information about the ip_address.

is_new boolean

Whether this ip_address has been seen before for this user.

first_seen_at string

When this ip_address was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at string

When this ip_address was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_country string

The country code where the IP address is located.

ip_geo_country_details object

Information about the ip_geo_country.

is_new boolean

Whether this ip_geo_country has been seen before for this user.

first_seen_at string

When this ip_geo_country was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at string

When this ip_geo_country was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_city string

The city where the IP address is located.

ip_geo_region string

The region where the IP address is located.

import React, { useCallback } from 'react';
import { useStytch } from '@stytch/react';

export const Login = () => {
  const stytch = useStytch();

  // Must run inside a click handler: navigator.credentials.get() requires a
  // user gesture unless conditional mediation is used.
  const trigger = useCallback(() => {
    stytch.webauthn
      .authenticate({
        // Without session_duration_minutes the call verifies the credential
        // but creates no session (session: null in the response).
        session_duration_minutes: 60,
      })
      .catch((err) => {
        // The user dismissed the prompt, or Stytch rejected the assertion.
        console.error('WebAuthn authentication failed', err);
      });
  }, [stytch]);

  return <button onClick={trigger}>Authenticate WebAuthn Registration</button>;
};
RESPONSE 200

{
  "status_code": 200,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "session": null,
  "session_jwt": "",
  "session_token": "",
  "user": {...},
  "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
  "webauthn_registration_id": "webauthn-registration-test-5c44cc6a-8af7-48d6-8da7-ea821342f5a6"
}

Note that "session" is null and both tokens are empty here because the request did not include session_duration_minutes; the credential was verified but no Stytch session was started.

RESPONSE 400

{
  "status_code": 400,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "invalid_public_key_credential",
  "error_message": "Invalid public key credential. Please confirm you're passing a correctly formatted public key credential.",
  "error_url": "https://stytch.com/docs/api/errors/400"
}

RESPONSE 401

{
  "status_code": 401,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "unable_to_auth_webauthn_registration",
  "error_message": "WebAuthn registration could not be authenticated.",
  "error_url": "https://stytch.com/docs/api/errors/401"
}

RESPONSE 429

{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}

RESPONSE 500

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}
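
The following is an added example, not code from the Stytch docs or SDK, that covers the response and error cases shown above together with the session_duration_minutes note about the five-minute session_jwt lifetime. It reduces every outcome of webauthn.authenticate to a small set of UI states so the login page shows the same generic message whether a credential was rejected or never existed, logs request_id for support, and reads the JWT's exp claim only to schedule a refresh. Its assumptions: SDK errors carry the status_code, error_type and request_id fields shown in the sample responses (the exact error class is not relied on), browser-side failures are DOMException-like errors identified by their name, and the sample inputs in the test are constructed from the responses on this page.

```javascript
// Added example, not Stytch's own code: reducing every outcome of
// stytch.webauthn.authenticate to a small set of UI states, logging request_id
// for support, and reading the session_jwt expiry to schedule a refresh.
// Assumptions: SDK errors carry the status_code, error_type and request_id
// fields shown in the sample responses on this page, and browser-side failures
// are DOMException-like errors identified by their `name`.

const OUTCOME = {
  OK: "ok",                       // session created, user is logged in
  NO_SESSION: "no_session",       // 200 but session: null (no session_duration_minutes)
  CANCELLED: "cancelled",         // user dismissed the prompt, timed out, or we aborted
  FAILED: "failed",               // assertion rejected (401) or unknown error
  RATE_LIMITED: "rate_limited",   // 429
  MISCONFIGURED: "misconfigured", // bad RP ID for this origin, or malformed credential (400)
  SERVER_ERROR: "server_error",   // 5xx
};

function classifyAuthenticateError(err) {
  const name = err && err.name;
  // Browser-side conditions first; they carry no Stytch status_code.
  if (name === "AbortError" || name === "NotAllowedError") return OUTCOME.CANCELLED;
  if (name === "SecurityError") return OUTCOME.MISCONFIGURED; // `domain` is not a valid RP ID here
  const status = err && err.status_code;
  if (status === 400 && err.error_type === "invalid_public_key_credential") return OUTCOME.MISCONFIGURED;
  if (status === 401) return OUTCOME.FAILED;
  if (status === 429) return OUTCOME.RATE_LIMITED;
  if (typeof status === "number" && status >= 500) return OUTCOME.SERVER_ERROR;
  return OUTCOME.FAILED;
}

// Generic copy on purpose: the page must not reveal whether a credential exists
// or why it was rejected. Detail goes to the log line, keyed by request_id.
const USER_MESSAGE = {
  [OUTCOME.OK]: "",
  [OUTCOME.NO_SESSION]: "Verified, but no session was started.",
  [OUTCOME.CANCELLED]: "Passkey prompt was closed. Try again.",
  [OUTCOME.FAILED]: "We couldn't sign you in with that passkey.",
  [OUTCOME.RATE_LIMITED]: "Too many attempts. Please wait and try again.",
  [OUTCOME.MISCONFIGURED]: "Passkey sign-in is unavailable right now.",
  [OUTCOME.SERVER_ERROR]: "Something went wrong. Please try again.",
};

// `call` is a thunk that performs the authenticate call, so this works with
// any client: () => stytch.webauthn.authenticate({ session_duration_minutes: 60 }).
async function runAuthenticate(call) {
  try {
    const res = await call();
    if (!res.session || !res.session_jwt) {
      return { outcome: OUTCOME.NO_SESSION, requestId: res.request_id, userId: res.user_id };
    }
    return { outcome: OUTCOME.OK, requestId: res.request_id, userId: res.user_id, sessionJwt: res.session_jwt };
  } catch (err) {
    return {
      outcome: classifyAuthenticateError(err),
      requestId: (err && err.request_id) || null,
      errorType: (err && (err.error_type || err.name)) || "unknown",
    };
  }
}

// One line per attempt, always carrying request_id so support can find the call.
function supportLogLine(result) {
  return `webauthn.authenticate outcome=${result.outcome} error_type=${result.errorType || "-"} request_id=${result.requestId || "-"}`;
}

// The session_jwt lives five minutes regardless of session_duration_minutes.
// Reading `exp` client-side is only for scheduling a refresh; it is not
// verification, which belongs on the server with Stytch's signing keys.
function decodeJwtPayload(jwt) {
  const part = jwt.split(".")[1] || "";
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (part.length % 4)) % 4);
  const json = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("utf8");
  return JSON.parse(json);
}

function jwtSecondsRemaining(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  return typeof exp === "number" ? exp - nowSeconds : 0;
}
```

Use USER_MESSAGE[result.outcome] for the UI and supportLogLine(result) for telemetry; when result.outcome is "ok", schedule a refresh of the session_jwt a little before jwtSecondsRemaining(result.sessionJwt) reaches zero rather than waiting for a 401 on the next request.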