Version: v2

Passkey creation & binding

Passkeys are created through binding jobs: a binding link is generated to bind a passkey to a specific device or browser. The passkey is stored in the hardware root of trust (i.e., secure enclave) of the user's device.

The high-level flow for binding a passkey is:

  1. A passkey creation link is created using the Beyond Identity APIs.

  2. The passkey creation link is delivered to the Beyond Identity SDK that is running on your user's device. Beyond Identity provides two methods for delivering a passkey creation link using the Beyond Identity API:

    1. Generate a passkey link and deliver it to your users however you want (in-line, SMS, email, etc.).

    2. Send your users an email with a link to create their passkey.

  3. The passkey creation link is passed to the Beyond Identity SDK bindPasskey() function. A private key is generated and stored in the device's hardware trust module, and the public key is stored in the Beyond Identity Cloud.
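
The three steps above can be modeled end to end. This is an added example, not Beyond Identity SDK or API code: `MockCloud`, `MockDevice`, the link format and the single-use link behaviour are assumptions, and a software key from Node's `crypto` module stands in for the hardware-backed key.

```javascript
// Added illustration: simulates the binding model with Node's crypto module.
// Not the Beyond Identity SDK or API; every name below is hypothetical.
const nodeCrypto = require('node:crypto');

// Stand-in for the cloud side: pending binding jobs and bound public keys.
class MockCloud {
  constructor() { this.jobs = new Map(); this.passkeys = new Map(); }

  // Step 1: create a binding job and return its link (constructed URL format).
  createBindingLink(identityId) {
    const token = nodeCrypto.randomBytes(16).toString('hex');
    this.jobs.set(token, identityId);
    return `https://example.invalid/bind?token=${token}`;
  }

  // Step 3, cloud half: redeem the link and store only the public key.
  redeem(link, publicKeyPem) {
    const token = new URL(link).searchParams.get('token');
    const identityId = this.jobs.get(token);
    if (!identityId) throw new Error('unknown or already used binding link');
    this.jobs.delete(token); // assumption: one link binds one passkey
    this.passkeys.set(identityId, publicKeyPem);
    return identityId;
  }

  // Later authentication: check a signature against the stored public key.
  verify(identityId, challenge, signature) {
    const pem = this.passkeys.get(identityId);
    return !!pem && nodeCrypto.verify('sha256', challenge, pem, signature);
  }
}

// Stand-in for the device: the private key never leaves this object.
class MockDevice {
  #privateKey = null;

  // Step 3, device half: generate the key pair and send only the public key.
  bind(cloud, link) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const identityId = cloud.redeem(link, publicKey.export({ type: 'spki', format: 'pem' }));
    this.#privateKey = privateKey; // kept only after the link was accepted
    return identityId;
  }

  sign(challenge) { return nodeCrypto.sign('sha256', challenge, this.#privateKey); }
}
```

The cloud in this model can verify a signature made by the bound device but holds nothing that lets it produce one.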