feat: add Passkey APIs to Authentication API reference#1373
Open
tomauth0 wants to merge 4 commits into
Open
Conversation
Add the missing main/docs/api/authentication/passkey/register.mdx that should have been part of the previous commit, and remove main/docs/authenticate/login/embedded-login/use-cases/enrollment.mdx, which was committed by mistake and is out of scope for this PR. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
# Conflicts: # main/config/navigation/generated/authentication.en.json
Remove the manually-edited authentication.en.json from this PR. The Passkey API pages are added as content-only; navigation will be handled separately through the OAS-generated nav pipeline. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
avanscoy
reviewed
Jun 11, 2026
| @@ -0,0 +1,79 @@ | |||
| --- | |||
| title: "Start a Passkey Challenge" | |||
| description: "Request a passkey challenge so a user can authenticate to your native or web application using a previously registered passkey." | |||
Contributor
There was a problem hiding this comment.
Suggested change
| description: "Request a passkey challenge so a user can authenticate to your native or web application using a previously registered passkey." | |
| description: "Request a passkey challenge for users to authenticate to your Native or Web application using an existing, registered passkey." |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| `POST /passkey/challenge` | ||
|
|
||
| Request a passkey challenge so a user can authenticate to your native or web application using a previously registered passkey. The endpoint returns the WebAuthn parameters your client uses to invoke the platform authenticator, along with an `auth_session` value that you exchange for tokens at `/oauth/token` using the passkey grant. |
Contributor
There was a problem hiding this comment.
Suggested change
| Request a passkey challenge so a user can authenticate to your native or web application using a previously registered passkey. The endpoint returns the WebAuthn parameters your client uses to invoke the platform authenticator, along with an `auth_session` value that you exchange for tokens at `/oauth/token` using the passkey grant. | |
| Request a passkey challenge so a user can authenticate to your Native or Web application using a previously registered passkey. The endpoint returns the WebAuthn parameters your application uses to invoke the platform authenticator, and an `auth_session` value you exchange for tokens at `/oauth/token` using the passkey grant. |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| Request a passkey challenge so a user can authenticate to your native or web application using a previously registered passkey. The endpoint returns the WebAuthn parameters your client uses to invoke the platform authenticator, along with an `auth_session` value that you exchange for tokens at `/oauth/token` using the passkey grant. | ||
|
|
||
| This endpoint backs the Passkey APIs for native and web applications and is used in combination with the Auth0 [token exchange for passkey](https://auth0.com/docs/authenticate/database-connections/passkeys) grant type. |
Contributor
There was a problem hiding this comment.
Suggested change
| This endpoint backs the Passkey APIs for native and web applications and is used in combination with the Auth0 [token exchange for passkey](https://auth0.com/docs/authenticate/database-connections/passkeys) grant type. | |
| This endpoint backs the Passkey APIs for Native and Web applications. Use this endpoint in combination with the Auth0 [token exchange for passkey](https://auth0.com/docs/authenticate/database-connections/passkeys) grant type. |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| This endpoint backs the Passkey APIs for native and web applications and is used in combination with the Auth0 [token exchange for passkey](https://auth0.com/docs/authenticate/database-connections/passkeys) grant type. | ||
|
|
||
| ### Remarks |
Contributor
There was a problem hiding this comment.
Suggested change
| ### Remarks | |
| ## Remarks |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| ### Remarks | ||
|
|
||
| - The application's grant types must include `urn:okta:params:oauth:grant-type:webauthn`. |
Contributor
There was a problem hiding this comment.
Suggested change
| - The application's grant types must include `urn:okta:params:oauth:grant-type:webauthn`. | |
| - The application's [grant types](/docs/get-started/applications/application-settings#grant-types) must include: `urn:okta:params:oauth:grant-type:webauthn`. |
avanscoy
reviewed
Jun 11, 2026
| - The application must be OIDC conformant. | ||
| - The request must be made against a [custom domain](https://auth0.com/docs/customize/custom-domains) configured for your tenant. Calls to the default Auth0 domain (`{tenant}.auth0.com`) are rejected. | ||
|
|
||
| ### Learn More |
Contributor
There was a problem hiding this comment.
The Learn more section should be at the end of the article starting on line 81 to be consistent with the rest of Docs.
avanscoy
reviewed
Jun 11, 2026
| </ParamField> | ||
|
|
||
| <ParamField body="realm" type="string"> | ||
| Name of the database connection to authenticate against. If omitted, the tenant's default database connection for the application is used. |
Contributor
There was a problem hiding this comment.
Suggested change
| Name of the database connection to authenticate against. If omitted, the tenant's default database connection for the application is used. | |
| Name of the database connection to authenticate against. If omitted, Auth0 uses your tenant's default database connection for the application. |
avanscoy
reviewed
Jun 11, 2026
| </ParamField> | ||
|
|
||
| <ParamField body="organization" type="string"> | ||
| ID of the [organization](https://auth0.com/docs/manage-users/organizations) the user is signing in to. Required when the application's `organization_usage` is set to `require`. |
Contributor
There was a problem hiding this comment.
Suggested change
| ID of the [organization](https://auth0.com/docs/manage-users/organizations) the user is signing in to. Required when the application's `organization_usage` is set to `require`. | |
| ID of the [Auth0 Organization](https://auth0.com/docs/manage-users/organizations) to which the user is signing in. Required when the application's `organization_usage` is set to `require`. |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| ## Response | ||
|
|
||
| A successful response contains the WebAuthn parameters your client passes to the platform authenticator and an `auth_session` value that ties the subsequent assertion to this challenge. |
Contributor
There was a problem hiding this comment.
Suggested change
| A successful response contains the WebAuthn parameters your client passes to the platform authenticator and an `auth_session` value that ties the subsequent assertion to this challenge. | |
| A successful response contains the WebAuthn parameters your application passes to the platform authenticator and an `auth_session` value that ties the subsequent assertion to this challenge. |
avanscoy
reviewed
Jun 11, 2026
| </ResponseField> | ||
|
|
||
| <ResponseField name="rpId" type="string"> | ||
| Relying Party identifier. Defaults to the tenant custom domain. When the tenant has a custom Relying Party identifier configured, that value is returned instead. |
Contributor
There was a problem hiding this comment.
Suggested change
| Relying Party identifier. Defaults to the tenant custom domain. When the tenant has a custom Relying Party identifier configured, that value is returned instead. | |
| [Relying party identifier(RP ID)](/docs/authenticate/database-connections/passkeys#relying-party-id-for-passkeys). Defaults to the tenant custom domain. When the tenant has a custom relying party identifier configured, Auth0 returns the `rp.id` value instead. |
avanscoy
reviewed
Jun 11, 2026
| @@ -0,0 +1,163 @@ | |||
| --- | |||
| title: "Register a New User With a Passkey" | |||
| description: "Initiate passkey registration for a new user during sign up. Returns the WebAuthn creation parameters and an auth_session used to complete enrollment." | |||
Contributor
There was a problem hiding this comment.
Suggested change
| description: "Initiate passkey registration for a new user during sign up. Returns the WebAuthn creation parameters and an auth_session used to complete enrollment." | |
| description: "Initiate passkey registration for a new user during sign up. Returns the WebAuthn creation parameters and the `auth_session` users need to complete enrollment." |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| `POST /passkey/register` | ||
|
|
||
| Initiate passkey registration for a new user during sign up. The endpoint creates a passkey enrollment session, validates the supplied user profile against the database connection's signup attributes, and returns the WebAuthn creation parameters your client passes to the platform authenticator. After the authenticator returns an attestation, you complete enrollment by exchanging the assertion at `/oauth/token` using the passkey grant. |
Contributor
There was a problem hiding this comment.
Suggested change
| Initiate passkey registration for a new user during sign up. The endpoint creates a passkey enrollment session, validates the supplied user profile against the database connection's signup attributes, and returns the WebAuthn creation parameters your client passes to the platform authenticator. After the authenticator returns an attestation, you complete enrollment by exchanging the assertion at `/oauth/token` using the passkey grant. | |
| Initiate passkey registration for a new user during sign up. The endpoint creates a passkey enrollment session, validates the supplied user profile against the database connection's signup attributes, and returns the WebAuthn creation parameters your application passes to the platform authenticator. After the authenticator returns an attestation, you complete enrollment by exchanging the assertion at `/oauth/token` using the passkey grant. |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| Initiate passkey registration for a new user during sign up. The endpoint creates a passkey enrollment session, validates the supplied user profile against the database connection's signup attributes, and returns the WebAuthn creation parameters your client passes to the platform authenticator. After the authenticator returns an attestation, you complete enrollment by exchanging the assertion at `/oauth/token` using the passkey grant. | ||
|
|
||
| ### Remarks |
Contributor
There was a problem hiding this comment.
Suggested change
| ### Remarks | |
| ## Remarks |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| ### Remarks | ||
|
|
||
| - The application's grant types must include `urn:okta:params:oauth:grant-type:webauthn`. |
Contributor
There was a problem hiding this comment.
Suggested change
| - The application's grant types must include `urn:okta:params:oauth:grant-type:webauthn`. | |
| - The application's [grant types](/docs/get-started/applications/application-settings#grant-types) must include: `urn:okta:params:oauth:grant-type:webauthn`. |
avanscoy
reviewed
Jun 11, 2026
| - `user_profile` must contain every identifier marked `required` for signup on the connection (commonly `email`, `phone_number`, or `username`). Additional identifiers may be `optional`. | ||
| - A user is identified as already-existing through any of the configured identifiers; if any submitted identifier resolves to an existing user, the request fails with `invalid_request`. | ||
|
|
||
| ### Learn More |
Contributor
There was a problem hiding this comment.
Move line 19-23 to the end of the article to be consisten with Docs
avanscoy
reviewed
Jun 11, 2026
| </ParamField> | ||
|
|
||
| <ParamField body="realm" type="string"> | ||
| Name of the database connection the user is signing up against. If omitted, the tenant's default database connection for the application is used. |
Contributor
There was a problem hiding this comment.
Suggested change
| Name of the database connection the user is signing up against. If omitted, the tenant's default database connection for the application is used. | |
| Name of the database connection the user is signing up against. If omitted, Auth0 uses your tenant's default database connection for the application. |
avanscoy
reviewed
Jun 11, 2026
| </ParamField> | ||
|
|
||
| <ParamField body="organization" type="string"> | ||
| ID of the [organization](https://auth0.com/docs/manage-users/organizations) the user is signing up into. Required when the application's `organization_usage` is set to `require`. |
Contributor
There was a problem hiding this comment.
Suggested change
| ID of the [organization](https://auth0.com/docs/manage-users/organizations) the user is signing up into. Required when the application's `organization_usage` is set to `require`. | |
| ID of the [Auth0 Organization](https://auth0.com/docs/manage-users/organizations) to which the user is signing in. Required when the application's `organization_usage` is set to `require`. |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| <Expandable title="properties"> | ||
| <ParamField body="email" type="string"> | ||
| User's email address. Validated against the JSON Schema email format. |
Contributor
There was a problem hiding this comment.
Suggested change
| User's email address. Validated against the JSON Schema email format. | |
| User's email address. Validated against the `JSON` schema email format. |
avanscoy
reviewed
Jun 11, 2026
| </ParamField> | ||
|
|
||
| <ParamField body="phone_number" type="string"> | ||
| User's phone number in E.164 format (1–30 characters, international `+` prefix). |
avanscoy
reviewed
Jun 11, 2026
| </ParamField> | ||
|
|
||
| <ParamField body="username" type="string"> | ||
| User's username. Validated against the connection's username policy (length and allowed characters). |
Contributor
There was a problem hiding this comment.
Suggested change
| User's username. Validated against the connection's username policy (length and allowed characters). | |
| User's username. Validates against the connection's username policy (length and allowed characters). |
avanscoy
reviewed
Jun 11, 2026
| </ResponseField> | ||
|
|
||
| <ResponseField name="rp" type="object"> | ||
| Relying Party identity. |
Contributor
There was a problem hiding this comment.
Suggested change
| Relying Party identity. | |
| Relying party identity. |
avanscoy
reviewed
Jun 11, 2026
|
|
||
| <Expandable title="properties"> | ||
| <ResponseField name="id" type="string"> | ||
| Relying Party identifier. Defaults to the tenant custom domain or the configured custom Relying Party identifier. |
Contributor
There was a problem hiding this comment.
Suggested change
| Relying Party identifier. Defaults to the tenant custom domain or the configured custom Relying Party identifier. | |
| Relying party identifier (RP ID). Defaults to the tenant custom domain or the configured custom Relying party identifier. |
avanscoy
reviewed
Jun 11, 2026
| </ResponseField> | ||
|
|
||
| <ResponseField name="name" type="string"> | ||
| Relying Party display name. Returned identical to `rp.id`. |
Contributor
There was a problem hiding this comment.
Suggested change
| Relying Party display name. Returned identical to `rp.id`. | |
| Relying party display name. Returned identical to `rp.id`. |
avanscoy
reviewed
Jun 11, 2026
| </ResponseField> | ||
|
|
||
| <ResponseField name="user" type="object"> | ||
| WebAuthn user handle to bind the new credential to. |
Contributor
There was a problem hiding this comment.
Suggested change
| WebAuthn user handle to bind the new credential to. | |
| WebAuthn user handle to which you bind the new credential. |
avanscoy
reviewed
Jun 11, 2026
| </ResponseField> | ||
|
|
||
| <ResponseField name="pubKeyCredParams" type="array"> | ||
| Allowed credential public-key algorithms in preference order. Auth0 returns EdDSA (`-8`), ES256 (`-7`), and RS256 (`-257`). |
Contributor
There was a problem hiding this comment.
Suggested change
| Allowed credential public-key algorithms in preference order. Auth0 returns EdDSA (`-8`), ES256 (`-7`), and RS256 (`-257`). | |
| Allowed credential [public-key algorithms](/docs/get-started/applications/signing-algorithms) in preference order. Auth0 returns EdDSA (`-8`), ES256 (`-7`), and RS256 (`-257`). |
avanscoy
reviewed
Jun 11, 2026
| | 400 | Invalid request. Common causes include missing required `user_profile` identifiers, an invalid `user_profile` field, an invalid `user_metadata` field, the user already exists, the application is not configured for passkey authentication, the request was not made against a custom domain, or the application is third-party. | | ||
| | 401 | Unauthorized. Invalid client credentials. | | ||
| | 404 | The Passkey APIs are not enabled for the tenant. | | ||
| | 429 | Too many requests. Per-IP rate limit exceeded. | |
Contributor
There was a problem hiding this comment.
Suggested change
| | 429 | Too many requests. Per-IP rate limit exceeded. | | |
| | 429 | Too many requests. Per-IP rate limit exceeded. | | |
| ## Learn more | |
| - [Passkeys APIs](https://auth0.com/docs/authenticate/database-connections/passkeys/native-passkeys-api) | |
| - [Configure Passkey Policy](https://auth0.com/docs/authenticate/database-connections/passkeys/configure-passkey-policy) | |
| - [Custom Domains](https://auth0.com/docs/customize/custom-domains) |
avanscoy
reviewed
Jun 11, 2026
| | 400 | Invalid request. Common causes include missing or invalid parameters, the application is not configured for passkey authentication, the request was not made against a custom domain, or the application is third-party. | | ||
| | 401 | Unauthorized. Invalid client credentials. | | ||
| | 404 | The Passkey APIs are not enabled for the tenant. | | ||
| | 429 | Too many requests. Per-IP rate limit exceeded. | |
Contributor
There was a problem hiding this comment.
Suggested change
| | 429 | Too many requests. Per-IP rate limit exceeded. | | |
| | 429 | Too many requests. Per-IP rate limit exceeded. | | |
| ## Learn more | |
| - [Passkeys APIs](https://auth0.com/docs/authenticate/database-connections/passkeys/native-passkeys-api) | |
| - [Configure Passkey Policy](https://auth0.com/docs/authenticate/database-connections/passkeys/configure-passkey-policy) | |
| - [Custom Domains](https://auth0.com/docs/customize/custom-domains) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds reference documentation for the new Passkey APIs (
POST /passkey/challengeand
POST /passkey/register) under the Authentication API, in support of theEmbedded Capabilities GA relaunch (Passkey APIs going GA — covers native iOS,
native Android, and web).
What's in this PR:
main/docs/api/authentication/passkey/challenge.mdx— documentsPOST /passkey/challenge. Covers the request body (client_id,client_secret,realm,organization), prerequisites (custom domain,first-party + OIDC-conformant client, passkey grant enabled), and the
WebAuthn
PublicKeyCredentialRequestOptionsreturned inauthn_params_public_keyalongside theauth_sessionvalue used in thesubsequent token exchange.
main/docs/api/authentication/passkey/register.mdx— documentsPOST /passkey/register. Coversuser_profilesignup attributes andvalidation rules,
user_metadataconstraints (max 10 fields, reservedfield-name blocklist), and the WebAuthn
PublicKeyCredentialCreationOptionsreturned (
rp,user,pubKeyCredParams,authenticatorSelection).main/config/navigation/generated/authentication.en.json— adds a new"Passkeys" group between "Passwordless" and "Device Authorization" that
links to both new pages.
Testing
mint devfrommain/and confirm:"Passwordless" and "Device Authorization".
/passkey/challengeand/passkey/registerpages render withparameter, response field, and status code tables.
resolve.
Checklist
CONTRIBUTING.md.