Create a passkey
CallcreatePasskey with the user’s handle (their chosen alias or identifier). This triggers the browser’s WebAuthn credential creation prompt.
credential is a base64-encoded JSON string ready to pass to client.generate. The credentialId is the raw WebAuthn credential ID — store it if you need to link passkeys across sessions.
If you need to prevent duplicate passkeys on the same device, pass the existing credential IDs in excludeCredentials:
createPasskey throws a WebAuthnError. The error message indicates whether the user cancelled or the authenticator returned an incompatible algorithm (HyperAuth requires ES256 / P-256).
Generate an identity from the passkey
After creating a passkey, pass the serialized credential to the vault to derive the identity and write it to the encrypted database:Authenticate a returning user
authenticatePasskey prompts the user to select and verify an existing passkey. It returns the credential ID of the selected passkey.
Check lock status before operations
If you need to check whether the vault is locked before performing an operation:isLocked calls client.status() internally. If you also need additional status fields, call status directly:
Unlock after lock
If the vault has been locked (by auto-lock or an explicit call), unlock it by supplying the database bytes and the encryption key derived from the passkey:Configure auto-lock
By default the vault locks after 5 minutes of inactivity. Set a custom timeout at creation time:0 to disable auto-lock entirely:
Lock explicitly
Calllock directly when the user signs out or navigates away: