Skip to main content
This guide shows you how to register a new passkey, authenticate a returning user, and manage vault lock state.

Create a passkey

Call createPasskey with the user’s handle (their chosen alias or identifier). This triggers the browser’s WebAuthn credential creation prompt.
The returned credential is a base64-encoded JSON string ready to pass to client.generate. The credentialId is the raw WebAuthn credential ID — store it if you need to link passkeys across sessions. If you need to prevent duplicate passkeys on the same device, pass the existing credential IDs in excludeCredentials:
If the passkey creation fails due to a cancelled prompt or an unsupported algorithm, createPasskey throws a WebAuthnError. The error message indicates whether the user cancelled or the authenticator returned an incompatible algorithm (HyperAuth requires ES256 / P-256).

Generate an identity from the passkey

After creating a passkey, pass the serialized credential to the vault to derive the identity and write it to the encrypted database:

Authenticate a returning user

authenticatePasskey prompts the user to select and verify an existing passkey. It returns the credential ID of the selected passkey.
If you serve from a custom domain, pass the relying party ID explicitly:
Use the returned credential ID to locate the user’s encrypted vault database, then load it:

Check lock status before operations

If you need to check whether the vault is locked before performing an operation:
isLocked calls client.status() internally. If you also need additional status fields, call status directly:

Unlock after lock

If the vault has been locked (by auto-lock or an explicit call), unlock it by supplying the database bytes and the encryption key derived from the passkey:

Configure auto-lock

By default the vault locks after 5 minutes of inactivity. Set a custom timeout at creation time:
Set it to 0 to disable auto-lock entirely:
To change the timeout after client creation:
Register a callback to be notified when auto-lock fires. The callback receives the encrypted database bytes so you can persist them:

Lock explicitly

Call lock directly when the user signs out or navigates away: