Version: v1

Bind Passkey To User

Prerequisites

Overview

To authenticate with Beyond Identity, a user needs a Universal Passkey. This guide walks you through binding a passkey to an identity.

Passkeys are generated through a binding job. Creating a binding job produces a binding link; the Embedded SDK consumes that link to bind a passkey to the specific device or browser it is running on. The passkey's private key is generated and stored in the device's hardware root of trust (for example, a secure enclave) and never leaves it.

Bind Passkey with Admin Console

A passkey can be bound to an identity directly from the Beyond Identity Admin Console. Under the realm that hosts your application, open the "PROJECT MANAGEMENT" tab and select "Identities". From the list of identities, select the one you want to bind a passkey to, then click the "Add a passkey" button. Select an application and click "Proceed & send email".

The user receives a registration email containing a link to generate a passkey. Clicking the link takes the user to the Beyond Identity Cloud, which looks up the Authenticator Config associated with that passkey creation link and redirects the user to your application via the Authenticator Config's Invoke URL.

Bind Passkey by API

Before making any API calls you'll want to generate an API access token. Check out API Tokens for help creating an access token.

A binding job can be generated through the Beyond Identity API. There are two delivery_method options to consider:

  1. RETURN: the binding link is returned to the caller in the response that creates the binding job. You then deliver that link to the end user however you choose (in-line in your application, SMS, email, etc.). This is the suggested method if you want the end user to create a passkey without leaving your application. Treat the returned link as a secret: whoever feeds it to the SDK binds a passkey for that identity on their own device, so deliver it only over a channel that reaches the intended user and keep it out of application logs.
  2. EMAIL: Beyond Identity sends a passkey creation email to the end user. When the user clicks the passkey creation link, they are redirected to the Beyond Identity Cloud, which looks up the Authenticator Config associated with that link and redirects the user to the Authenticator Config's Invoke URL with /bind appended to the path. The Invoke URL should be an HTTP request handler in your application. Once the user lands on that handler, your application passes the binding link to the SDK.

Setup your backend

Get Access Token for API calls

Before making any API calls you'll want to generate an API access token. Check out API Tokens for help with creating an access token.

Create an Identity

If the user is creating a new account, first create an identity with the user's information, such as email address and username. Collect this information on your front end and create the identity on your backend. You'll need the resulting identity ID (identityId) to create the binding job. Check out User Provisioning for help creating an identity.

To get a binding link for a passkey, create a binding job for an existing identity. The following request uses the RETURN delivery method, the fastest way to get a binding link because the link comes back in the response to this call. Pass that link to your front end to complete the passkey binding process.

POST /credential-binding-jobs
# Set REGION, TENANT_ID, REALM_ID, IDENTITY_ID, AUTHENTICATOR_CONFIG_ID and API_TOKEN in your shell first.
# Note the ${VAR} form: $(VAR) would try to run VAR as a command.
curl "https://api-${REGION}.beyondidentity.com/v1/tenants/${TENANT_ID}/realms/${REALM_ID}/identities/${IDENTITY_ID}/credential-binding-jobs" \
  -X POST \
  -H "Authorization: Bearer ${API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d "{\"job\":{\"delivery_method\":\"RETURN\",\"authenticator_config_id\":\"${AUTHENTICATOR_CONFIG_ID}\"}}"
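As an added example (not Beyond Identity's own code, and not taken from this page), here is how a Node.js backend can issue the same binding-job request for either delivery method and hand only the binding link back to the front end. It assumes Node 18+ (global fetch) and that the JSON response carries the link at credential_binding_job.credential_binding_link; that field name is an assumption to check against the API reference. The sample configuration and the fake fetch that stands in for the API are constructed so the example runs offline.

```javascript
// Added example: create a credential-binding job from a Node.js backend and
// return only the binding link. Not Beyond Identity's own code.
// Assumptions (labelled): Node 18+ with global fetch; the response JSON holds
// the link at credential_binding_job.credential_binding_link.

// Constructed sample configuration; real values come from your secret store.
const SAMPLE_CONFIG = {
  region: "us",
  tenantId: "tenant_constructed",
  realmId: "realm_constructed",
  authenticatorConfigId: "authcfg_constructed",
  apiToken: "api_token_constructed",
};

// Build the request the curl call above makes. Path segments are URL-encoded so
// an identity ID that originated in a client request cannot alter the path.
function buildBindingJobRequest(cfg, identityId, deliveryMethod = "RETURN") {
  if (!["RETURN", "EMAIL"].includes(deliveryMethod)) {
    throw new Error(`unsupported delivery_method: ${deliveryMethod}`);
  }
  const seg = encodeURIComponent;
  const url =
    `https://api-${seg(cfg.region)}.beyondidentity.com/v1` +
    `/tenants/${seg(cfg.tenantId)}/realms/${seg(cfg.realmId)}` +
    `/identities/${seg(identityId)}/credential-binding-jobs`;
  const options = {
    method: "POST",
    headers: {
      Authorization: `Bearer ${cfg.apiToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      job: { delivery_method: deliveryMethod, authenticator_config_id: cfg.authenticatorConfigId },
    }),
  };
  return { url, options };
}

// Create a RETURN job and hand back the binding link. fetchImpl is injectable so
// the function can be exercised offline; omit it in production to use global fetch.
async function createBindingLink(cfg, identityId, fetchImpl = globalThis.fetch) {
  const { url, options } = buildBindingJobRequest(cfg, identityId, "RETURN");
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    // Surface only the status: the body may carry tenant details you do not
    // want relayed to a browser.
    throw new Error(`credential-binding-jobs request failed: HTTP ${res.status}`);
  }
  const body = await res.json();
  const link = body?.credential_binding_job?.credential_binding_link; // assumed field name
  if (typeof link !== "string" || !link.startsWith("https://")) {
    throw new Error("binding job response did not contain an https binding link");
  }
  // The link is a secret: anyone who feeds it to the SDK enrols their own device
  // for this identity. Return it to the authenticated user only; never log it.
  return link;
}

// Constructed stand-in for the Beyond Identity API so the example runs offline.
// It checks the token and identity the way a real endpoint would and answers in
// the assumed response shape.
const CONSTRUCTED_LINK = "https://example.com/constructed-binding-link";
const KNOWN_IDENTITY = "id_constructed_123";

function fakeBeyondIdentityFetch(url, options) {
  const reply = (status, body) =>
    Promise.resolve({ ok: status >= 200 && status < 300, status, json: async () => body });
  if (options.headers.Authorization !== `Bearer ${SAMPLE_CONFIG.apiToken}`) {
    return reply(401, { error: "unauthorized" });
  }
  if (!url.includes(`/identities/${KNOWN_IDENTITY}/credential-binding-jobs`)) {
    return reply(404, { error: "identity not found" });
  }
  const { job } = JSON.parse(options.body);
  return reply(200, {
    credential_binding_job: {
      delivery_method: job.delivery_method,
      // With EMAIL the link goes to the user's inbox, so no link is returned here.
      credential_binding_link: job.delivery_method === "RETURN" ? CONSTRUCTED_LINK : undefined,
    },
  });
}

// Stand-alone run: obtain a link from the fake API and report only that one was issued.
createBindingLink(SAMPLE_CONFIG, KNOWN_IDENTITY, fakeBeyondIdentityFetch)
  .then((link) => console.log(`binding link issued (${link.length} chars); hand it to the front end`))
  .catch((err) => console.error(err.message));
```

In a real deployment, expose createBindingLink behind an authenticated route so the link is only ever returned to the session that owns the identity, and swap fakeBeyondIdentityFetch for the default global fetch.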

Setup your front end

Once you have a binding link, feed it into your application to complete the binding process: query your backend for the link, then pass it to the SDK. On success, a private key has been generated inside the device's hardware root of trust and the corresponding public key has been sent to the Beyond Identity Cloud; the private key never leaves the device. At this point the user has a passkey enrolled on this device.

Don't forget to initialize your SDK ahead of time. For more information see SDK Setup.

// bindingLink: the link your backend obtained from the binding job (RETURN),
// or the URL your /bind handler received (EMAIL). The SDK must already be initialized.
const bindResponse = await embedded.bindPasskey(bindingLink);
console.log(bindResponse);