Passkeys (WebAuthn)

Phishing-resistant, biometric-friendly sign-in. Backed by @simplewebauthn/server, stored per-user in passkey_credentials, fully interoperable with iOS / Android / Chrome / 1Password / Bitwarden.

Configure

  • KL_WEBAUTHN_RP_ID — your app's effective domain (e.g. example.com).
  • KL_WEBAUTHN_RP_NAME — display name shown to the user during passkey creation.
  • KL_WEBAUTHN_ORIGIN — e.g. https://app.example.com.
  • Enable in the instance config (authConfig.passkey = true).

Register a passkey (signed-in user)

// 1. Ask the API for a challenge
const beginRes = await fetch(base + '/v1/auth/me/passkeys/register/begin', {
  method: 'POST',
  credentials: 'include',
});
const options = await beginRes.json();

// 2. Hand off to the browser's WebAuthn API
const { startRegistration } = await import('@simplewebauthn/browser');
const attResp = await startRegistration(options);

// 3. Complete on the server
await fetch(base + '/v1/auth/me/passkeys/register/complete', {
  method: 'POST',
  credentials: 'include',
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify({ response: attResp }),
});

Sign in with a passkey

const beginRes = await fetch(base + '/v1/auth/passkeys/authenticate/begin', {
  method: 'POST',
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify({ email }),
});
const options = await beginRes.json();

const { startAuthentication } = await import('@simplewebauthn/browser');
const auth = await startAuthentication(options);

const res = await fetch(base + '/v1/auth/passkeys/authenticate/complete', {
  method: 'POST',
  credentials: 'include',
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify({ response: auth }),
});
if (res.ok) window.location.href = '/dashboard';

HTTPS required
WebAuthn only works on secure origins. Use a real TLS cert in staging (mkcert, Caddy, Cloudflare Tunnel, or a custom CA imported into the OS trust store).
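
A pre-flight check for the Configure values and the HTTPS requirement, as an added example that is not KolayLogin's own code. checkWebAuthnConfig is a hypothetical helper; it assumes the server compares KL_WEBAUTHN_ORIGIN as an exact string against the origin the browser reports, as @simplewebauthn/server does with its expectedOrigin option.

```javascript
// Added example: checkWebAuthnConfig is a hypothetical helper, not KolayLogin code.
// Returns a list of problems; an empty list means the three values are consistent.
function checkWebAuthnConfig(env) {
  const problems = [];
  const rpId = env.KL_WEBAUTHN_RP_ID || '';
  const rpName = env.KL_WEBAUTHN_RP_NAME || '';
  let url;
  try {
    url = new URL(env.KL_WEBAUTHN_ORIGIN);
  } catch {
    return ['KL_WEBAUTHN_ORIGIN is not a valid URL'];
  }
  const host = url.hostname;
  const isLocalhost = host === 'localhost' || host.endsWith('.localhost');

  // Secure context: https, with plain http tolerated only on localhost.
  if (url.protocol !== 'https:' && !(url.protocol === 'http:' && isLocalhost)) {
    problems.push('origin must use https (http only on localhost)');
  }
  // Assumption: exact string match, so no trailing slash, path, default port or uppercase.
  if (env.KL_WEBAUTHN_ORIGIN !== url.origin) {
    problems.push('origin must be written exactly as ' + url.origin);
  }
  // RP ID is a bare domain: the origin host itself or a parent of it,
  // matched on a label boundary so "ample.com" does not pass for "example.com".
  if (!/^[a-z0-9.-]+$/.test(rpId)) {
    problems.push('RP ID must be a bare lowercase domain (no scheme, port or path)');
  } else if (host !== rpId && !host.endsWith('.' + rpId)) {
    problems.push('RP ID must equal the origin host or be a parent domain of it');
  }
  if (!rpName.trim()) problems.push('RP name is empty');
  return problems;
}

// Constructed sample values, not taken from a real deployment.
const samples = [
  { KL_WEBAUTHN_RP_ID: 'example.com', KL_WEBAUTHN_RP_NAME: 'Example', KL_WEBAUTHN_ORIGIN: 'https://app.example.com' },
  { KL_WEBAUTHN_RP_ID: 'example.com', KL_WEBAUTHN_RP_NAME: 'Example', KL_WEBAUTHN_ORIGIN: 'http://app.example.com' },
  { KL_WEBAUTHN_RP_ID: 'other.com', KL_WEBAUTHN_RP_NAME: 'Example', KL_WEBAUTHN_ORIGIN: 'https://app.example.com/' },
];
for (const s of samples) console.log(s.KL_WEBAUTHN_ORIGIN, checkWebAuthnConfig(s));
```

The check cannot tell whether the RP ID is a public suffix such as com; browsers reject those at registration time.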

Endpoints

  • POST /v1/auth/me/passkeys/register/begin (auth)
  • POST /v1/auth/me/passkeys/register/complete (auth)
  • POST /v1/auth/passkeys/authenticate/begin
  • POST /v1/auth/passkeys/authenticate/complete