Passkey Authentication with Backend SDKs
This guide is meant for developers who are NOT using Descope Flows to design login screens and authentication methods.
If you'd like to use Descope Flows, Quick Start should be your starting point.
WebAuthn lets you authenticate end users using the strong authenticators that are now often built right into devices, including biometrics (fingerprint, facial, or iris recognition) and secure hardware keys (for example, Yubico, CryptoTrust, or Thetis). These secure hardware keys, also known as passkeys, can be USB tokens or embedded security features in smartphones or computers. A typical method for implementing WebAuthn has two sets of functionality to program: user onboarding and session validation.
Backend SDK
Install SDK
Import and initialize SDK
Start Sign-Up
The first step in the WebAuthn sign-up flow is the start sign-up process. This function requires a unique loginId, which is used as the loginId for the user; the WebAuthn credentials are associated with this loginId. Another required parameter is origin. The value for this should be window.location.origin from your application client. For extra security, Descope checks the value against the domain set up for your application in the Descope console. The origin value should be either the same as, or a subdomain of, the domain setting in the console.
Finish Sign-Up
Once you have the transactionId after initiating sign-up, you will use it together with the response from successful biometric completion in the browser. These items will be used within the finish function.
Start Sign-In
The first step in the WebAuthn sign-in flow is the start sign-in process. This function requires a unique loginId, which is used as the loginId for the user. Another required parameter is origin. The value for this should be window.location.origin from your application client. For extra security, Descope checks the value against the domain set up for your application in the Descope console. The origin value should be either the same as, or a subdomain of, the domain setting in the console.
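The origin rule described for Start Sign-Up and Start Sign-In (the same as, or a subdomain of, the configured domain) can also be enforced in your own backend before the value is forwarded. The following is an added example, not Descope's code or part of its SDK; `origin_allowed`, `CONFIGURED_DOMAIN` and the sample origins are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domain configured for the project in the Descope console.
CONFIGURED_DOMAIN = "example.com"  # constructed sample value


def origin_allowed(origin: str, configured_domain: str = CONFIGURED_DOMAIN) -> bool:
    """Return True if origin is the configured domain or one of its subdomains."""
    try:
        parts = urlsplit(origin)
        host = parts.hostname      # already lower-cased by urlsplit
        parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False
    if host is None:
        return False               # no scheme://host, e.g. the opaque origin "null"
    # window.location.origin is scheme://host[:port] only. A path, query,
    # fragment or userinfo means the value did not come from that property.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    # WebAuthn requires a secure context; plain http is only valid on localhost.
    if parts.scheme != "https" and not (parts.scheme == "http" and host == "localhost"):
        return False
    domain = configured_domain.lower()
    # Compare on a label boundary: a bare suffix test would accept
    # "evilexample.com" for "example.com".
    return host == domain or host.endswith("." + domain)


# Constructed sample origins, mapped to the decision the check makes.
SAMPLES = {
    "https://example.com": True,
    "https://app.example.com:8443": True,
    "https://evilexample.com": False,            # suffix match without a dot
    "https://example.com.attacker.test": False,  # configured domain used as a prefix
    "http://app.example.com": False,             # not a secure context
    "https://example.com/login": False,          # a URL, not an origin
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        print(f"{sample:40} allowed={origin_allowed(sample)} expected={expected}")
```
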
Finish Sign-In
Once you have the transactionId after initiating sign-in, you will use it together with the response from successful biometric completion in the browser. These items will be used within the finish function.
Start Add User Device
The Start Add User Device function adds a new biometric signature or a device to an existing user account. You should use this function in scenarios where a user has already authenticated (signup complete) with your service via another method. This function requires a valid refresh token from another authentication method.
Finish Add User Device
Always call Finish Add User Device after the Start Add User Device function. The finish call requires the transaction id and some other information that is returned from the browser.
Session Validation
The final step of completing the authentication with Descope is to validate the user session. Descope provides rich session management capabilities, including configurable session timeouts and logout functions. You can find the details and sample code for backend session validation here.
Checkpoint
Your application is now integrated with Descope. Please test with a sign-up or sign-in use case.