Passkeys overview

Passkeys are a biometrics-based, phishing-resistant replacement for passwords. They were developed by the Fast Identity Online (FIDO) Alliance, a group of cybersecurity experts dedicated to creating secure, frictionless authentication standards that eliminate the world's over-reliance on passwords.

What are Passkeys exactly

Passkeys are FIDO credentials that use local biometric verification such as FaceID or TouchID to generate an asymmetric public-private key pair for authentication. The public key is registered with and stored by the application the end user is authenticating to (the relying party). The private key is stored on the device that performed the biometric verification (the client).

Passkeys diagram

During authentication, the client signs a message with its private key, which is protected by a local user verification such as FaceID, TouchID, a PIN, or a swipe pattern. The relying party's server then verifies the message's signature using the public key it obtained during registration.

Because they are cryptographic credentials, Passkeys have a strong security posture. Not only is the private key never exposed, but each Passkey is also scoped to a single relying party: end users create one Passkey per website.

Passkeys are multi-device

Passkeys are stored in primarily two ways:

  1. A passkey can be device-bound to a mobile device, computer, or an external device like a YubiKey.
  2. A passkey can be synced in the cloud by a provider and easily accessible from any connected device.

With cloud support from platforms like Apple, Google, and Microsoft, and from credential managers like 1Password, Passkeys can be synced and made available across multiple devices, operating systems, and browsers, just like other cloud-synced data such as a user's photos, contacts, emails, and documents.

In cases where a passkey is device-bound, users can still authenticate across multiple devices by using a "hybrid protocol" or "hybrid transport". This can involve scanning a QR code with a mobile device and transmitting a one-time Passkey in close proximity via Bluetooth, or connecting a YubiKey via NFC or Bluetooth.

Passkeys and WebAuthn

The two technologies are inherently related.

Passkeys are built on top of the WebAuthn standard, a web specification that defines how web applications use strong, attested, scoped public key credentials. The term Passkeys refers to the multi-device usage of FIDO credentials, rather than restricting the private key to a single device.

In other words, Passkeys are multi-device credentials created by the WebAuthn standard.

Stytch Passkeys

Stytch enables developers to implement Passkeys while conveniently using the same WebAuthn endpoints. By integrating atop the WebAuthn API, developers have full flexibility and control when creating FIDO credentials.

Set the return_passkey_credential_options field to true when calling the Start WebAuthn Registration endpoint or the Start WebAuthn Authentication endpoint.

curl --request POST \
  --url https://test.stytch.com/v1/webauthn/register/start \
  -u 'PROJECT_ID:SECRET' \
  -H 'Content-Type: application/json' \
  -d '{
    "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
    "domain": "example.com",
    "return_passkey_credential_options": true
  }'

What's next

Check out our SDK guide to start building Passkeys into your application.
