Skip to main content

Create Passkey Over Authorized Session

This flow applies to scenarios such as:

  • Post sign-up/onboarding completion. Passkeys are created after successful onboarding, ensuring users meet verification requirements, reinforcing security right from the start.

  • Users in a pre-authenticated session. This ensures users are authenticated or pre-approved by your server before registering, preventing unauthorized access and ensuring only legitimate users can create a passkey.

To protect the passkey creation process, ensure you have an authorized session by using API keys to request authorization tokens, which are passed to LoginID client SDKs.

This flow applies when your LoginID application is classified as a protected application, meaning that Registration Requires Authentication Token is enabled in your application settings.

Registration is Protected Setting

When this setting is enabled, users must be authenticated or pre-authorized. This ensures that only verified users can create accounts and generate passkeys, requiring a valid authorization token during the registration process.

Overview Diagram

This high-level sequence diagram outlines the process:

  1. Finalized user onboarding or pre-authenticated session.
  2. Your backend requests an authorization token from LoginID by calling POST /fido2/v2/mgmt/grant authorized with your API key with the scope passkey:write.
  3. The token is passed to the LoginID client SDK to execute client.createPasskey(username, token).
  4. The token authorizes the creation of the passkey with LoginID.
Sequence Diagram - Creating Passkey with Protected Application

Here is an example of how it might look like:

Prerequisites

  • Create an application to obtain a base URL
  • Create an API key with at least passkey:read, passkey:write, and reg:write scopes
  • Make sure your application's register APIs are secure

Setup SDK

npm i @loginid/websdk3

Import and initialize an instance:

import { LoginIDWebSDK } from "@loginid/websdk3";

const lid = new LoginIDWebSDK({
baseUrl: process.env.LOGINID_BASE_URL,
});

Create Passkey

After obtaining the authorization token from your backend, pass it to the LoginID client SDK. The user creates a passkey, and the response includes a LoginID token.

import { useAuth } from "../../contexts/AuthContext";
import { LoginIDWebSDK } from "@loginid/websdk3";

const lid = new LoginIDWebSDK({
baseUrl: process.env.REACT_APP_LOGINID_BASE_URL,
});

const Register: React.FC = () => {
const [username, setUsername] = useState<string>("");
const [error, setError] = useState<string>("");
const { setAuthUser } = useAuth();

const handleRegister = async (e: React.FormEvent) => {
e.preventDefault();

try {
// Get the authorization token from your backend after a successful onboarding
// or pre-authenticated session

// User creates a passkey
const { token } = await lid.createPasskey(username, authzToken);

// You can return LoginID token to your backend for verification

setAuthUser(user);
} catch (e) {
if (e instanceof Error) {
setError(e.message);
}
}
};
};

Once you have received the result LoginID token, you can send it to your backend, and verify it. For detailed technical instructions, refer to this section on verifying LoginID tokens.