Verify passkey sign-in WebAuthn authentication

POST /api/experience/verification/sign-in-web-authn/authentication/verify

Verify the passkey sign-in WebAuthn authentication response against the stored authentication challenge. When verificationId is provided, it verifies against the challenge generated by the identifier-based authentication endpoint. When omitted, it verifies against the preflight authentication options stored in the interaction. Upon successful verification, the verification record will be marked as verified and the user will be resolved by the credential if not provided earlier.

application/json

Body Required

  • verificationId string

    The verification ID of the passkey sign-in WebAuthn authentication record. Optional when using the discoverable passkey flow with preflight authentication options.

  • payload object Required

    The WebAuthn assertion response from the user's passkey credential.

    • type string("WebAuthn") Required
    • id string Required
    • rawId string Required
    • authenticatorAttachment string

      Values are cross-platform or platform.

    • clientExtensionResults object Required
      • appid boolean
      • crepProps object
        • rk boolean
      • hmacCreateSecret boolean
    • response object Required
      • clientDataJSON string Required
      • authenticatorData string Required
      • signature string Required
      • userHandle string

Responses

  • 200 application/json

    The passkey sign-in WebAuthn authentication has been successfully verified.

    • verificationId string Required

      The unique verification ID of the passkey sign-in WebAuthn authentication verification record.

  • 400

    Invalid request.
    - session.mfa.pending_info_not_found: The WebAuthn authentication challenge is missing in the current verification record.
    - session.mfa.webauthn_verification_failed: The WebAuthn assertion response is invalid or cannot be verified.

  • 404

    Verification session not found.

  • 409

    Identity conflict.
    - session.identity_conflict: The user associated with the verified WebAuthn credential does not match the identified user in the current interaction.

POST /api/experience/verification/sign-in-web-authn/authentication/verify
curl \
 --request POST 'https://[tenant_id].logto.app/api/experience/verification/sign-in-web-authn/authentication/verify' \
 --header "Content-Type: application/json" \
 --data '{"verificationId":"string","payload":{"type":"WebAuthn","id":"string","rawId":"string","authenticatorAttachment":"cross-platform","clientExtensionResults":{"appid":true,"crepProps":{"rk":true},"hmacCreateSecret":true},"response":{"clientDataJSON":"string","authenticatorData":"string","signature":"string","userHandle":"string"}}}'
Request examples
{
  "verificationId": "string",
  "payload": {
    "type": "WebAuthn",
    "id": "string",
    "rawId": "string",
    "authenticatorAttachment": "cross-platform",
    "clientExtensionResults": {
      "appid": true,
      "crepProps": {
        "rk": true
      },
      "hmacCreateSecret": true
    },
    "response": {
      "clientDataJSON": "string",
      "authenticatorData": "string",
      "signature": "string",
      "userHandle": "string"
    }
  }
}
Response examples (200)
{
  "verificationId": "string"
}
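
Added example (not Logto's code): the binding checks that "verify against the stored authentication challenge" implies for the `payload.response` fields, following the WebAuthn specification and stopping short of signature verification. The function names, the sample origin, RP ID and challenge are constructed, and base64url encoding of the fields is an assumption.

```javascript
// Added example, not Logto's code. Assumes payload.response fields are base64url
// strings and that the stored challenge is kept in the same base64url form.
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest();

// Returns the names of failed checks; an empty array means the assertion is bound
// to this challenge, origin and RP ID. Signature verification is a separate step.
function checkAssertionBinding(response, expected) {
  const failures = [];
  let clientData;
  try {
    clientData = JSON.parse(Buffer.from(response.clientDataJSON, 'base64url').toString('utf8'));
  } catch {
    return ['clientDataJSON'];
  }
  if (clientData?.type !== 'webauthn.get') failures.push('type');
  if (clientData?.challenge !== expected.challenge) failures.push('challenge');
  if (!expected.origins.includes(clientData?.origin)) failures.push('origin');

  // authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
  const authData = Buffer.from(response.authenticatorData ?? '', 'base64url');
  if (authData.length < 37) return [...failures, 'authenticatorData'];
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) failures.push('rpIdHash');
  const flags = authData[32];
  if ((flags & 0x01) === 0) failures.push('userPresent'); // UP bit
  if (expected.requireUserVerification && (flags & 0x04) === 0) failures.push('userVerified'); // UV bit
  return failures;
}

// Constructed sample data: builds the two response fields for the given inputs.
function buildSample({ challenge, origin, rpId, flags }) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags, 0, 0, 0, 1])]);
  return {
    clientDataJSON: Buffer.from(clientData).toString('base64url'),
    authenticatorData: authData.toString('base64url'),
  };
}

// Constructed expectations a relying party would hold for the current interaction.
const EXPECTED = {
  challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl',
  origins: ['https://auth.example.test'],
  rpId: 'auth.example.test',
  requireUserVerification: true,
};

console.log(checkAssertionBinding(buildSample({ ...EXPECTED, origin: EXPECTED.origins[0], flags: 0x05 }), EXPECTED));
```

A response replayed from an earlier challenge, or one produced on a look-alike origin, fails here before any signature is checked.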