Summary and next steps
Passkeys don’t have to be intimidating. Passlock abstracts passkey registration and authentication into a simple flow. You use the client library to obtain a code which you send to your backend. Your backend then uses the code to obtain the passkey details.
Local JWT verification
The examples in this quickstart guide use the code exchange flow. Whether you use the server library, or make the call directly, ultimately you’re making a network call to verify the passkey.
An alternative to code exchange is local id_token verification:
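```javascript
import { verifyIdToken, isPrincipal } from '@passlock/node/principal';

const tenancyId = "myTenancyId";

// Local id_token verification, the alternative to the code exchange call.
const result = await verifyIdToken(idToken, { tenancyId });

if (isPrincipal(result)) {
  // Verification succeeded: result is the principal.
  console.log(result);
} else {
  // Verification failed: result carries an error message.
  console.error(result.message);
}
```
Biometric verification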
How can you be sure it was the device owner that presented the passkey, not a casual attacker with access to the device? Passkeys include a concept known as user verification which allows the device to re-authenticate the user locally (typically through FaceID / TouchID) before presenting the passkey. Please see the user verification guide.
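At the WebAuthn level, user verification shows up as the UV flag in the authenticator data, and the server has to check that flag itself rather than trust that the browser was asked for it. The following is an added example, not Passlock's code or API: it parses the flags byte and enforces a "required" policy, assuming the assertion signature over the authenticator data has already been verified. `checkAssertion`, `sampleAuthData` and the `example.com` RP ID are hypothetical.

```javascript
// Added illustration, not Passlock code. Layout per the WebAuthn spec:
// authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const nodeCrypto = require('node:crypto');

const FLAG_UP = 0x01; // user present: someone touched or confirmed on the device
const FLAG_UV = 0x04; // user verified: biometric or PIN was checked on the device

function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) throw new Error('authenticatorData too short');
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Server-side policy check. Assumes the assertion signature was verified first;
// the flags mean nothing on unsigned data. requireUv mirrors userVerification: "required".
function checkAssertion(authData, { rpId, requireUv }) {
  let parsed;
  try { parsed = parseAuthenticatorData(authData); }
  catch (e) { return { ok: false, message: e.message }; }
  const expected = nodeCrypto.createHash('sha256').update(rpId).digest();
  if (!nodeCrypto.timingSafeEqual(parsed.rpIdHash, expected)) return { ok: false, message: 'rpId mismatch' };
  if (!parsed.userPresent) return { ok: false, message: 'user not present' };
  if (requireUv && !parsed.userVerified) return { ok: false, message: 'user verification required' };
  return { ok: true, userVerified: parsed.userVerified, signCount: parsed.signCount };
}

// Constructed sample data (hypothetical RP ID), not captured from a real authenticator.
function sampleAuthData(rpId, flags, signCount) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(signCount, 1);
  return Buffer.concat([nodeCrypto.createHash('sha256').update(rpId).digest(), tail]);
}

const policy = { rpId: 'example.com', requireUv: true };
// Presence and verification both set: accepted.
console.log(checkAssertion(sampleAuthData('example.com', FLAG_UP | FLAG_UV, 7), policy));
// Presence only (device unlocked, no biometric or PIN prompt): rejected under "required".
console.log(checkAssertion(sampleAuthData('example.com', FLAG_UP, 8), policy));
```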
Usage scenarios
Passkeys can be used as a primary authentication mechanism (replacing passwords), as an alternative login mechanism, or as a secondary authentication factor. Please see the usage scenarios guide.