Overview
Passkeys enable passwordless authentication using biometric sensors (such as fingerprints or facial recognition), PINs, or patterns. Built on WebAuthn standards, passkeys provide a more secure and user-friendly alternative to traditional passwords by leveraging public key cryptography. Unlike passwords, passkeys are resistant to phishing, cannot be reused across sites, and never leave the user’s device.Compatibility
Passkey authentication is supported on modern browsers and devices that support WebAuthn. Check browser compatibility for optimal user experience across desktop and mobile devices.
Passkey extension of the Web client-side SDK.
Use Cases
- Passwordless authentication using device biometrics (fingerprint, Face ID)
- Secure multi-device authentication with synced passkeys
- Simplified login flow without remembering passwords
- Enhanced security with phishing-resistant authentication
Usage
Installation
Passkey login works as an extension to Magic SDK. To add Passkey authentication to your Magic integration, start by installing the Passkey Extension:Initialization
Create your Magic SDK instance with the Passkey extension:JavaScript
Register new users
Register new users with theregisterNewUser function in the passkey extension. You can optionally provide a username and nickname:
- username: Used as a display name in the user’s password manager or authenticator
- nickname: Stored by Magic to help identify the passkey among other registered passkeys
JavaScript
Authenticate users
Authenticate users with thelogin method in the passkey extension. The browser will prompt the user to select and verify their passkey.
Pass showMfaModal: false if you want to handle TOTP MFA verification yourself rather than using Magic’s hosted UI. This is only relevant when users have TOTP MFA enabled alongside passkey login.
JavaScript
TOTP MFA event handling (showMfaModal: false)
When a passkey user also has TOTP MFA enabled, set showMfaModal: false to handle the MFA step with your own UI. Use the event handle to listen for and respond to MFA prompts:
JavaScript
| Event | Direction | Description |
|---|---|---|
PasskeyMFAEventOnReceived.MfaSentHandle | Received | TOTP MFA verification required |
PasskeyMFAEventEmit.VerifyMFACode | Emit | Send the TOTP code for verification |
PasskeyMFAEventOnReceived.InvalidMfaOtp | Received | The TOTP code was invalid |
PasskeyMFAEventEmit.LostDevice | Emit | Signal lost authenticator — initiates recovery code flow |
PasskeyMFAEventOnReceived.RecoveryCodeSentHandle | Received | Recovery code input is required |
PasskeyMFAEventEmit.VerifyRecoveryCode | Emit | Send the recovery code for verification |
PasskeyMFAEventOnReceived.InvalidRecoveryCode | Received | The recovery code was invalid |
PasskeyMFAEventEmit.Cancel | Emit | Cancel the login request |
Return Type
TheregisterNewUser and login methods return a PasskeyResult object:
TypeScript
Get User Metadata
Retrieve passkey-specific metadata with thegetMetadata method in the passkey extension. The response includes information about all devices registered for the current user:
JavaScript
Add a passkey
Add a new passkey to an existing user’s account withaddPasskey. The user must have an active session. This is useful for registering additional devices — for example, letting a user who originally signed up on desktop also register their phone.
JavaScript
| Parameter | Type | Required | Description |
|---|---|---|---|
username | string | No | Display name shown in the browser’s passkey picker |
nickname | string | No | Label stored by Magic to identify this passkey |
Update a passkey
Update a passkey’s nickname withupdatePasskey. Use getMetadata to retrieve the id of the passkey you want to update.
JavaScript
| Parameter | Type | Required | Description |
|---|---|---|---|
passkeyId | string | Yes | The id of the passkey to update, from getMetadata |
nickname | string | Yes | The new label for this passkey |
Remove a passkey
Remove a passkey from the user’s account withremovePasskey. Use getMetadata to retrieve the id of the passkey you want to remove.
JavaScript
| Parameter | Type | Required | Description |
|---|---|---|---|
passkeyId | string | Yes | The id of the passkey to remove, from getMetadata |