- Signup: Creates a new user account with a passkey as the primary authentication method.
- Enrollment: Adds a passkey as an authentication method to an existing user’s account.
- Login: Challenges an existing user to authenticate using a passkey associated with their account.
Signup Flow
Request Signup Challenge
POST /passkey/register
Initiates the passkey signup flow for a new user.
In response, Auth0 returns PublicKeyCredentialCreationOptions and a session ID. Check timeout under authn_params_public_key in response for session timeout.
The passkey signup flow supports Organizations through the organization parameter, following the behavior described in Login Flows for Organizations. If your application is configured for Business Users, you must provide the organization parameter and a valid Organization name or identifier value. After the user registers a passkey, Auth0 enrolls them in the provided Organization.
Request Parameters
Code Samples
Request
Response
Remarks
- After the challenge request is complete, your application can continue the user registration process using native Android or iOS APIs.
- You must then authenticate the new user using information retrieved through the native APIs to complete the flow.
Authenticate New User
Native Passkey registration is not currently supported when SMS/Email OTP verification is required on the same connection during signup.
POST /oauth/token
Uses the to authenticate the user with the provided credentials to create their account and return the requested tokens.
The authn_response parameter is based on the Web Authentication API specification. In the native passkey flow, the information passed to this endpoint can be retrieved through your mobile application’s native APIs:
Request Parameters
Code Samples
Request
Response
Enrollment Flow
Enrolling a new passkey for a user involves a two-step process using the My Account API. This flow ensures that the passkey enrollment is initiated securely and then verified. Before initiating the enrollment flow, ensure you have an with thecreate:me:authentication_methods scope for the /me endpoint.
Initiate Passkey Enrollment
POST /me/v1/authentication-methods
The first step is to initiate the enrollment process. This is done by making a POST request to the /me/v1/authentication-methods endpoint.
Request Parameters
Code Samples
Request
Response
Remarks
- The
auth_sessionproperty in the response body is the identifier of the current authentication session. This must be passed to the/verifyendpoint. - After the challenge request is complete, your application can continue the user enrollment process using native Android or iOS APIs. This will prompt the user to create a passkey with their authenticator (such as fingerprint scanner, security key, or phone).
Verify Passkey Enrollment
POST /me/v1/authentication-methods/passkey|new/verify
The ID in the path is always
passkey|new for new enrollments.AuthenticatorAttestationResponse from the WebAuthn API. This response needs to be sent back to the Auth0 service to complete and verify the enrollment.
Request Parameters
Code Samples
Request
Remarks
Once this step is completed successfully, the passkey is enrolled for the user and can be used for future authentications.Login Flow
Request Login Challenge
POST /passkey/challenge
Initiates the passkey login flow for an existing user who saved a passkey to their account during their initial signup.
In response, Auth0 returns PublicKeyCredentialRequestOptions, a session ID, and a Relying Party identifier rpId. Check timeout under authn_params_public_key in response for session timeout. The rpId returned in the response is the identifier the native device (iOS/Android) uses to look up saved credentials bound to a domain. For a passkey created on a web application (e.g., example.com) to be available in the native flow, the rpId returned must match the web’s rpId. To learn how to customize the RP ID for your tenant, read Configure Passkey Policy.
The passkey login flow supports Organizations through the organization parameter, following the behavior described in Login Flows for Organizations. If your application is configured for Business Users, you must provide the organization parameter and a valid Organization name or identifier value.
All issued tokens are in the context of the provided Organization. If you enabled Auto-Membership for your Organization, the user is automatically enrolled in the Organization after successfully authenticating.
Request Parameters
Code Samples
Request
Response
Remarks
- After the challenge request is complete, your application can continue the login process using native Android or iOS APIs.
- You must then authenticate the existing user using information retrieved through the native APIs to complete the flow.
Authenticate Existing User
POST /oauth/token
Uses the Token endpoint to authenticate the user with the provided credentials and return the requested tokens.
The authn_response parameter is based on the Web Authentication API specification. In the native passkey flow, the information passed to this endpoint can be retrieved through your mobile application’s native APIs: