Passkey Authentication
WebAuthn passkey registration and authentication.
Check Passkey and SSO Availability
Return whether the given email address has a registered passkey and whether its tenant has SSO enabled. Always responds 200 with a minimum-latency timing pad so user enumeration is not possible; rate-limited to 10 requests per minute.
Begin Passkey Registration
Generate WebAuthn registration options for the authenticated user and store the challenge server-side for five minutes. Responds 403 when the tenant uses SSO and 409 when a passkey is already registered for the account.
Complete Passkey Registration
Verify the authenticator's registration response against the stored challenge and persist the new credential for the authenticated user. Responds 400 when verification fails or the challenge has expired, and 409 for a duplicate credential.
Begin Passkey Authentication
Generate WebAuthn authentication options for discoverable credentials. The optional email in the body is resolved server-side only; the challenge and its owner are kept in Redis and never returned to the client. Rate-limited to 10 requests per minute.
Complete Passkey Authentication
Verify the authenticator assertion against the stored credential and challenge, then return a JWT access token. Responds 400 when the challenge is missing or expired and 401 on any verification, replay, or ownership failure.
Remove the Current User's Passkey
Delete the registered passkey of the authenticated user. Responds 404 when no passkey is registered and 409 when removal would lock the user out because no password is set.
Retrieve the Current User's Passkey Metadata
Return registration metadata for the authenticated user's passkey (display name, creation date, AAGUID, and device type) along with whether the tenant has SSO enabled. Responds with registered=false when no passkey exists.
Update the Current User's Passkey Display Name
Rename the passkey shown in the UI for the authenticated user. Responds 404 when no passkey is registered for the account.