Authentication
Passkey (WebAuthn)
Passkeys are the modern replacement for passwords — phishing-resistant by design, with no shared secret on Authaz's side. Users sign in with whatever authenticator their device offers: Touch ID, Face ID, Windows Hello, a YubiKey, or a synced passkey from iCloud Keychain / Google Password Manager / 1Password.
# Enable passkeys for an application
curl -X PUT https://your-app.authaz.io/api/v1/applications/{appId}/auth/passkey \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "enabled": true }'

The Passkey button appears on Universal Login automatically.
How it works
WebAuthn is a public-key protocol. The user's authenticator generates a keypair scoped to your domain; the private key never leaves the device, and Authaz only ever sees the public key.
The flow has two phases:
Registration — first-time setup, after the user has signed in with another method (or during the verified-email signup flow):
1. Browser asks Authaz for registration options (POST /auth/passkey-provider/register/start)
2. Authaz returns a challenge and the user's ID
3. Browser prompts the authenticator (Touch ID, etc.)
4. Authenticator returns an attestation
5. Browser sends it to Authaz (POST /auth/passkey-provider/register/complete)
6. Authaz verifies the attestation and stores the public key
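The checks behind step 6, sketched as an added example (this is not Authaz's code): the standard WebAuthn client-data and RP ID hash checks a relying party applies before storing the public key. The `RP_ID` and `ORIGIN` values and all function names are assumptions for illustration; CBOR decoding of the attestation object and verification of the attestation statement are assumed to happen elsewhere.

```javascript
const { createHash, randomBytes } = require("node:crypto");

// Assumed relying-party values for illustration, not Authaz configuration.
const RP_ID = "your-app.authaz.io";
const ORIGIN = "https://your-app.authaz.io";

const sha256 = (data) => createHash("sha256").update(data).digest();

// Step 2: the server issues a random, single-use challenge (base64url).
const newChallenge = () => randomBytes(32).toString("base64url");

// Step 6 (partial): returns "ok" or the reason the response is rejected.
// clientDataJSON: raw bytes produced by the browser.
// authData: authenticator data bytes, already extracted from the attestation object.
function verifyRegistration({ clientDataJSON, authData }, expectedChallenge) {
  const client = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  if (client.type !== "webauthn.create") return "wrong ceremony type";
  // Binds the response to this session; the server discards the challenge after use.
  if (client.challenge !== expectedChallenge) return "challenge mismatch";
  // The browser writes the origin itself, so a page on another domain cannot forge it.
  if (client.origin !== ORIGIN) return "origin mismatch";
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  if (authData.length < 37) return "authenticator data too short";
  // The authenticator scopes the keypair to the RP ID it was asked to use.
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if (!(authData[32] & 0x01)) return "user not present";
  return "ok";
}

// Constructed sample response (truncated after signCount; not captured traffic).
function sampleResponse(challenge, origin = ORIGIN, rpId = RP_ID, flags = 0x05) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.create", challenge, origin })
  );
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  return { clientDataJSON, authData };
}

const challenge = newChallenge();
console.log(verifyRegistration(sampleResponse(challenge), challenge));
console.log(verifyRegistration(sampleResponse(challenge, "https://login.example"), challenge));
```

The origin and rpIdHash checks are what make the credential unusable from any other domain, which is the phishing resistance described at the top of the page.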