List Passkeys
View all registered passkeys for your account.
Endpoint
/auth/admin/webauthn/credentialsList all WebAuthn credentials (passkeys) registered for the authenticated admin.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
Authorization | string | Yes | Bearer {access_token} |
Response- List of passkeys
{
"credentials": [
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"label": "MacBook Pro Touch ID",
"transports": [
"internal"
],
"sign_count": 42,
"last_used_at": "2025-01-14T10:30:00Z",
"created_at": "2025-01-01T00:00:00Z"
},
{
"id": "660e8400-e29b-41d4-a716-446655440001",
"label": "YubiKey 5",
"transports": [
"usb",
"nfc"
],
"sign_count": 15,
"last_used_at": "2025-01-10T08:00:00Z",
"created_at": "2025-01-05T00:00:00Z"
}
]
}Register Passkey
Register a new passkey for passwordless authentication.
Endpoint
/auth/admin/webauthn/credentialsRegister a new WebAuthn credential after completing browser-side registration ceremony.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
Authorization | string | Yes | Bearer {access_token} |
Content-Type | string | Yes | application/json |
Request Body- WebAuthn registration data from browser
{
"credential_id": "base64_encoded_credential_id",
"public_key": "base64_encoded_public_key",
"sign_count": 0,
"label": "My MacBook Touch ID",
"transports": [
"internal"
]
}Response- Registered credential
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"label": "My MacBook Touch ID",
"transports": [
"internal"
],
"sign_count": 0,
"created_at": "2025-01-14T10:30:00Z"
}Error Responses
| Status | Code | Description |
|---|---|---|
| 400 | validation_failed | Invalid base64 encoding or missing required fields |
| 429 | rate_limit_exceeded | Rate limit: 10/min, 100/day |
Request Body Parameters
| Field | Type | Required | Description |
|---|---|---|---|
| credential_id | string | Yes | Base64-encoded credential ID from WebAuthn |
| public_key | string | Yes | Base64-encoded public key |
| sign_count | integer | Yes | Initial signature counter (usually 0) |
| label | string | No | Human-readable label for the passkey |
| transports | array | No | Transport methods: usb, nfc, ble, internal |
Verify Registration
Verify a WebAuthn credential registration.
Endpoint
/auth/admin/webauthn/verifyVerify WebAuthn credential registration by performing an assertion.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
Authorization | string | Yes | Bearer {access_token} |
Content-Type | string | Yes | application/json |
Request Body- Verification data
{
"credential_id": "base64_encoded_credential_id",
"sign_count": 1
}Response- No content on success (HTTP 204)
Error Responses
| Status | Code | Description |
|---|---|---|
| 401 | webauthn_verify_failed | WebAuthn verification failed |
Login with Passkey
Authenticate using a registered passkey.
Endpoint
/auth/admin/webauthn/loginComplete MFA using WebAuthn passkey authentication.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
Content-Type | string | Yes | application/json |
Request Body- WebAuthn assertion data
{
"pending_token": "pending_token_from_login",
"credential_id": "base64_encoded_credential_id",
"sign_count": 43
}Response- Authentication tokens
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "dGhpcyBpcyBhIHJlZnJlc2g...",
"token_type": "Bearer",
"expires_in": 3600
}Error Responses
| Status | Code | Description |
|---|---|---|
| 401 | webauthn_login_failed | WebAuthn authentication failed |
| 429 | mfa_locked | Too many failed attempts (10/min, 100/day) |
Delete Passkey
Remove a registered passkey.
Endpoint
/auth/admin/webauthn/credentials/{credentialID}Delete a WebAuthn credential. Cannot delete the last credential if MFA is required.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
Authorization | string | Yes | Bearer {access_token} |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
credentialID | string | Yes | UUID of the credential to delete |
Response- No content on success (HTTP 204)
Error Responses
| Status | Code | Description |
|---|---|---|
| 404 | not_found | Credential not found |
| 400 | cannot_delete_last | Cannot delete last MFA method |
Supported Transports
WebAuthn transport methods supported by the platform.
Transport Types
| Transport | Description | Examples |
|---|---|---|
| internal | Platform authenticator | Touch ID, Face ID, Windows Hello |
| usb | USB security key | YubiKey, SoloKey |
| nfc | NFC-enabled device | YubiKey NFC, phone tap |
| ble | Bluetooth | Bluetooth security keys |
| hybrid | Cross-device | Phone as authenticator for computer |