Skip to main content

Try Demo

Talk to Adoption Engineer

Whitepaper

1. Introduction

To enable passkey-based authentication with Corbado Connect, your backend needs to support your web and mobile applications by providing a session management mechanism and two essential endpoints. In the following sections, we will detail the session handling logic and the implementation of the endpoints.

2. Session Management

Once a user’s identity is verified, your application needs a way to recognize them across subsequent requests. This process is known as session management. There are various strategies for handling sessions, such as maintaining server-side session entries in a database. However, for simplicity and broad applicability across both web and mobile clients, we’ll use a stateless approach with JSON Web Tokens (JWTs). In our backend and examples, we will refer to these JWTs as access tokens, a common industry term.

3. Endpoints

3.1 Create Connect Token

Your backend must expose an endpoint that your frontend applications (web and mobile) can call to obtain a connect token. This endpoint will in turn call Corbado’s Backend API to generate the actual token. Here is an example implementation using Node.js and Express:

3.2 Complete Login

After a user successfully authenticates with a passkey, Corbado Connect generates signedPasskeyData. To complete the login, your backend needs to verify this signedPasskeyData to confirm the user’s identity before creating an access token in your system. Here’s an example of an endpoint that verifies the signedPasskeyData and creates an access token using Node.js and Express: