Principal
Following a successful passkey registration or authentication operation, your frontend code will receive a code and id_token (JWT). Exchanging the code or verifying the id_token will result in a Principal:
export interface Principal { _tag: "Principal"; id: string; userId: string; authenticatorId: string; authenticatorType: "passkey"; passkey?: { verified: boolean; userVerified: boolean; }; createdAt: number; expiresAt: number;}Properties
Section titled “Properties”| Property | Description |
|---|---|
| _tag | Discriminator, always Principal |
| id | Generated every time a Principal is created. Equivalent to the JWT jti property |
| userId | Immutable application user ID associated with the passkey. This is supplied by your backend before the browser creates the passkey. See linking accounts |
| authenticatorId | Unique identifier i.e. the Passlock passkey ID. Store this for passkey management, deletion, audit logs and duplicate-prevention queries |
| authenticatorType | Currently hardcoded as “passkey”, but in the future this will be extended to support additional authenticator types e.g. Apple and Google sign-in |
| passkey.verified | Should always be true |
| passkey.userVerified | Whether the device re-authenticated the user locally |
| createdAt | Timestamp, milliseconds since epoch |
| expiresAt | Timestamp, milliseconds since epoch. Derived from the JWT exp property |
Extended principal
Section titled “Extended principal”When exchanging a code Passlock will return an ExtendedPrincipal which includes additional properties:
| Property | Description |
|---|---|
| _tag | Discriminator, always ExtendedPrincipal |
| metadata | Request metadata captured during the registration or authentication operation |
| passkey.platformName | The platform/ecosystem used to create the passkey e.g. Apple iCloud |
| metadata.ipAddress | IP address of the client using the passkey |
| metadata.userAgent | Client user agent |