Overview
Authorization keys provide a way to ensure that actions taken by your app’s wallets can only be authorized by an explicit user request. When you specify an owner of a resource, all requests to update that resource must be signed with this key. This security measure verifies that each request comes from your authorized passkey owner and helps prevent unauthorized operations.
Setting up passkeys
If you need a passkey implementation set up for your application, we recommend using the simpleWebAuthn SDKs, which provide simple passkey registration and authentication flows.
Sample passkey registration flow
If you have not already done so, install the dependencies necessary for a simple passkey integration.
```sh
npm install @simplewebauthn/server @simplewebauthn/browser
```
Server-side registration endpoints
First, create the registration begin endpoint:
Next, create the registration verify endpoint:
Client-side registration
Creating and registering wallets with passkey authorization
Follow these steps to create a wallet and register it with a user’s passkey for authorization.
- Retrieve the user’s passkey P-256 PEM-formatted public key and send it to your backend.
Converting WebAuthn public key to PEM format (if using simpleWebAuthn)
After registering a passkey, you’ll need to convert the WebAuthn public key from COSE format to the PEM format that Privy expects:
Use this function after successful passkey registration to get the PEM-formatted public key that Privy requires.
- From your backend, call the Privy API to create a wallet with that P-256 public key as the owner. You can do this via the Privy SDK (below) or by hitting the Privy API directly.
- Associate the returned wallet ID with the user on your backend for use in future requests.
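The COSE-to-PEM conversion from the first step, as an added example that is not Privy's or SimpleWebAuthn's own code. It assumes the input is the raw COSE-encoded credential public key from a verified registration and that the expected PEM is the standard SubjectPublicKeyInfo form; `decodeCoseMap`, `coseP256ToPem` and the `SAMPLE_*` values are hypothetical names, and the sample key is constructed. Any key that is not ES256 on P-256 is rejected, so a key of another type is never registered as a wallet owner.

```javascript
// Added example. DER header of a SubjectPublicKeyInfo for id-ecPublicKey + prime256v1,
// up to and including the BIT STRING's "unused bits" byte.
const SPKI_P256_PREFIX = Buffer.from('3059301306072a8648ce3d020106082a8648ce3d030107034200', 'hex');

// Minimal CBOR reader for the subset a COSE EC2 key uses:
// one definite-length map from small integers to integers or byte strings.
function decodeCoseMap(buf) {
  let pos = 0;
  const head = () => {
    if (pos >= buf.length) throw new Error('truncated CBOR');
    const major = buf[pos] >> 5, info = buf[pos++] & 0x1f;
    if (info < 24) return [major, info];
    if (info === 24 && pos < buf.length) return [major, buf[pos++]];
    throw new Error('unsupported CBOR length encoding');
  };
  const item = () => {
    const [major, n] = head();
    if (major === 0) return n;        // unsigned integer
    if (major === 1) return -1 - n;   // negative integer
    if (major !== 2) throw new Error(`unsupported CBOR major type ${major}`);
    if (pos + n > buf.length) throw new Error('truncated byte string');
    pos += n;
    return buf.subarray(pos - n, pos); // byte string
  };
  const [major, count] = head();
  if (major !== 5) throw new Error('COSE key must be a CBOR map');
  const map = new Map();
  for (let i = 0; i < count; i++) { const key = item(); map.set(key, item()); }
  if (pos !== buf.length) throw new Error('trailing bytes after COSE key');
  return map;
}

// Returns the PEM (SPKI) form of a COSE P-256 key, rejecting anything else.
function coseP256ToPem(coseKey) {
  const m = decodeCoseMap(Buffer.from(coseKey));
  // COSE labels: 1 = kty (2 = EC2), 3 = alg (-7 = ES256), -1 = crv (1 = P-256), -2 = x, -3 = y
  if (m.get(1) !== 2 || m.get(3) !== -7 || m.get(-1) !== 1) throw new Error('not an ES256 P-256 key');
  const x = m.get(-2), y = m.get(-3);
  if (!Buffer.isBuffer(x) || !Buffer.isBuffer(y) || x.length !== 32 || y.length !== 32)
    throw new Error('x and y must be 32-byte strings');
  const der = Buffer.concat([SPKI_P256_PREFIX, Buffer.from([0x04]), x, y]); // 0x04 = uncompressed point
  const body = der.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN PUBLIC KEY-----\n${body}\n-----END PUBLIC KEY-----\n`;
}

// Constructed sample: a COSE key whose point is the P-256 base point G (demo only).
const SAMPLE_X = '6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296';
const SAMPLE_Y = '4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5';
const SAMPLE_COSE = Buffer.from('a5010203262001215820' + SAMPLE_X + '225820' + SAMPLE_Y, 'hex');
```

Call `coseP256ToPem` on the server after registration verification succeeds, and store or forward only the PEM it returns.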
Sending transactions with passkey authorization
Below are the steps necessary to create a transaction request, have the user sign it with their passkey using WebAuthn, and submit the signed request to Privy:
- Create and format the transaction request payload
- Sign the payload with the user’s passkey
- Format the authorization signature
- Send the transaction to Privy