Passkey Plus Integration Guide
Passkey Plus can be easily integrated alongside your existing authentication solutions, allowing users to choose their preferred login method while enhancing security through modern authentication protocols.
It can be used both:
- during the login process, and
- as an additional security layer for sensitive actions (like changing settings or passwords).
1. Obtain Access Token for Management API
Create a Passkey Plus application in the AuthAction dashboard. Your backend can use the Client Credentials grant to obtain an access token for the AuthAction Management API.
curl --request POST \
  --url https://<tenant-name>.<tenant-region>.authaction.com/oauth2/m2m/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id": "YOUR_PASSKEY_PLUS_CLIENT_ID",
    "client_secret": "YOUR_PASSKEY_PLUS_CLIENT_SECRET",
    "audience": "https://<tenant-name>.<tenant-region>.authaction.com",
    "grant_type": "client_credentials"
  }'
Sample Response:
{
  "access_token": "YOUR_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 86400
}
2. Create a Passkey Transaction (Backend)
Once you have the access token, use it to initiate a Passkey Plus transaction for registration or authentication.
Registration transaction (API reference): https://authaction.readme.io/reference/passkeypluscontroller_createregistrationtransaction#/
curl --request POST \
  --url https://<tenant-name>.<tenant-region>.authaction.com/api/v1/passkey-plus/<your-app-id>/transaction/register \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "externalId": "user-unique-id-in-your-system",
    "displayName": "User Name"
  }'
Authentication transaction (API reference): https://authaction.readme.io/reference/passkeypluscontroller_createauthenticationtransaction#/
curl --request POST \
  --url https://<tenant-name>.<tenant-region>.authaction.com/api/v1/passkey-plus/<your-app-id>/transaction/authenticate \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "externalId": "user-unique-id-in-your-system"
  }'
Replace <your-app-id> with the actual Passkey Plus application ID.
Sample Response:
{
  "statusCode": 200,
  "message": "success",
  "data": {
    "transactionId": "unique-transaction-id"
  }
}
3. Install and Integrate the Frontend SDK
Install the SDK via NPM:
npm install @authaction/passkey-plus-sdk
Initialize the SDK
import { PasskeyPlus } from "@authaction/passkey-plus-sdk";

const passkeyPlus = new PasskeyPlus({
  tenantDomain: "<tenant-name>.<tenant-region>.authaction.com",
  appId: "your-passkey-plus-app-id",
});
Register with Passkey
const nonce = await passkeyPlus.register("transaction-id", {
  authenticatorAttachment: "platform", // or "cross-platform"
});
Authenticate with Passkey
const nonce = await passkeyPlus.authenticate("transaction-id", {
  isConditionalMediation: true,
});
The SDK handles WebAuthn interactions across modern browsers.
4. Verify the Nonce on Your Backend
Once the SDK returns a nonce, send it to your backend and verify it there to ensure it is valid and has not been tampered with.
API reference: https://authaction.readme.io/reference/passkeypluscontroller_verify#/
curl --request POST \
  --url https://<tenant-name>.<tenant-region>.authaction.com/api/v1/passkey-plus/<your-app-id>/transaction/verify \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "nonce": "YOUR_NONCE"
  }'
Sample Response:
{
  "statusCode": 200,
  "message": "success",
  "data": {
    "externalId": "user-unique-id",
    "name": "User displayName",
    "verified": true
  }
}
This ensures secure and successful authentication or registration.
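One way a Node.js backend could act on the verify response from step 4, shown as an added example rather than AuthAction's own code. The function names, the fail-closed handling of non-200 or malformed responses, and the comparison of externalId against the user the transaction was created for are assumptions; the endpoint path and field names come from the samples above.

```javascript
// Added example (not AuthAction's code). Endpoint path, request body and
// response fields follow the samples in this guide; everything else is assumed.

// Decide whether a /transaction/verify response proves that the expected user
// completed the passkey ceremony. Fails closed on anything unexpected.
function evaluateVerifyResponse(httpStatus, body, expectedExternalId) {
  if (httpStatus !== 200) return { ok: false, reason: "http_status" };
  const data = body && typeof body === "object" ? body.data : undefined;
  if (!data || typeof data !== "object") return { ok: false, reason: "malformed" };
  // Strict comparison: "true", 1 or a missing field must not count as verified.
  if (data.verified !== true) return { ok: false, reason: "not_verified" };
  // Bind the result to the user this transaction was created for (assumed to
  // be kept in the server-side session when the transaction was created).
  const expected = typeof expectedExternalId === "string" ? expectedExternalId : "";
  if (expected === "" || data.externalId !== expected) {
    return { ok: false, reason: "user_mismatch" };
  }
  return { ok: true, externalId: data.externalId };
}

// Backend-only call: the Management API access token never goes to the browser.
async function verifyNonce({ tenantDomain, appId, accessToken, nonce, expectedExternalId },
                           fetchImpl = fetch) {
  const url = `https://${tenantDomain}/api/v1/passkey-plus/` +
              `${encodeURIComponent(appId)}/transaction/verify`;
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "content-type": "application/json" },
    body: JSON.stringify({ nonce }),
  });
  let body = null;
  try { body = await res.json(); } catch { /* non-JSON body: fail closed below */ }
  return evaluateVerifyResponse(res.status, body, expectedExternalId);
}

// Constructed sample responses (not captured from a real tenant).
const SAMPLE_OK = { statusCode: 200, message: "success",
  data: { externalId: "user-123", name: "Alice", verified: true } };
const SAMPLE_UNVERIFIED = { statusCode: 200, message: "success",
  data: { externalId: "user-123", name: "Alice", verified: "true" } };
```

Only create a session or allow the sensitive action when the returned object has ok set to true; the reason field is intended for server-side logging.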
Summary
Passkey Plus provides a secure and seamless authentication experience using WebAuthn. You can:
- Use it alongside existing login methods
- Secure critical user actions with step-up authentication
- Seamlessly integrate with both backend and frontend applications