Skip to main content

Create Passkey Over Authorized Session

This flow applies to scenarios such as:

  • Post sign-up/onboarding completion. Passkeys are created after successful onboarding, ensuring users meet verification requirements, reinforcing security right from the start.

  • Users in a pre-authenticated session. This ensures users are authenticated or pre-approved by your server before registering, preventing unauthorized access and ensuring only legitimate users can create a passkey.

To protect the passkey creation process, ensure you have an authorized session by using API keys to request authorization tokens, which are passed to LoginID client SDKs.

This flow applies when your LoginID application is classified as a protected application, meaning that Registration Requires Authentication Token is enabled in your application settings.

Registration is Protected Setting

When this setting is enabled, users must be authenticated or pre-authorized. This ensures that only verified users can create accounts and generate passkeys, requiring a valid authorization token during the registration process.

Overview Diagram

This high-level sequence diagram outlines the process:

  1. Finalized user onboarding or pre-authenticated session.
  2. Your backend requests an authorization token from LoginID by calling POST /fido2/v2/mgmt/grant authorized with your API key with the scope reg:write.
  3. The token is passed to the LoginID client SDK to execute client.createPasskey(username, token).
  4. The token authorizes the creation of the passkey with LoginID.
Sequence Diagram - Creating Passkey with Protected Application

Here is an example of how it might look like:

Displaying Add Passkey Option After Onboarding User
1. Complete User Onboarding
Using MacOS WebAuthn Prompt After User Onboarding for Passkey Creation
2. Create Passkey

Prerequisites

  • Create an application to obtain a base URL. The SDK uses this base URL to interact with the LoginID authentication service.
  • Create an API key with at least the reg:write scope. You’ll need this to request authorization tokens from your backend.
  • Make sure your application's register APIs are secure.

Setup SDK

npm i @loginid/websdk3

Import and initialize an instance:

import { LoginIDWebSDK } from "@loginid/websdk3";

const lid = new LoginIDWebSDK({
  baseUrl: process.env.LOGINID_BASE_URL,
});

Create Passkey

After obtaining the authorization token from your backend, pass it to the LoginID client SDK. The user creates a passkey, and the response includes a LoginID token.

tip

If you run into issues, be sure to check the Troubleshooting section. Since implementing passkey creation is often one of the first steps in integration, reviewing common issues early can help you resolve problems faster.

import { useAuth } from "../../contexts/AuthContext";
import { LoginIDWebSDK } from "@loginid/websdk3";

const lid = new LoginIDWebSDK({
  baseUrl: process.env.REACT_APP_LOGINID_BASE_URL,
});

const Register: React.FC = () => {
  const [username, setUsername] = useState<string>("");
  const [error, setError] = useState<string>("");
  const { setAuthUser } = useAuth();

  const handleRegister = async (e: React.FormEvent) => {
    e.preventDefault();

    try {
      // Get the authorization token from your backend after a successful onboarding
      // or pre-authenticated session

      // User creates a passkey
      const { token } = await lid.createPasskey(username, authzToken);

      // You can return LoginID token to your backend for verification

      setAuthUser(user);
    } catch (e) {
      if (e instanceof Error) {
        setError(e.message);
      }
    }
  };
};

Once you have received the result LoginID token, you can send it to your backend, and verify it. For detailed technical instructions, refer to this section on verifying LoginID tokens.