signedPasskeyData is a short-lived, single-use JSON Web Token (JWT) that confirms a successful passkey authentication with Corbado Connect. The signedPasskeyData should be sent to your application’s backend for verification. Your backend then calls a Corbado Backend API endpoint to verify the token’s authenticity. If the verification is successful, your backend can proceed to create a session for the user.
This process ensures that the passkey login is valid and securely transfers the authentication status from Corbado to your application.
The flow looks as follows:
- Corbado Connect login: A user logs in using their passkey in a web or native/mobile application.
- signedPasskeyData is returned: Upon successful passkey authentication, Corbado’s Frontend API returns a signedPasskeyData token to your web or native/mobile application.
- Backend verification: Your web or native/mobile application sends the signedPasskeyData to your backend. Your backend then makes a secure server-to-server API call to Corbado’s /v2/passkeys/verifySignedData endpoint to verify the token (see API Reference).
- Session creation: If Corbado’s Backend API confirms that the token is valid, your backend creates a session for the user, completing the login process.
- Short-lived & single use: Each signedPasskeyData token is short-lived and can be used only once for verification. This prevents replay attacks and ensures a high level of security.
signedPasskeyData to securely establish a session.
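The backend verification and session-creation steps of the flow above, written in Python as an added example (not Corbado's own code). Only the endpoint path comes from this page; the base URL, Authorization header, the JSON field names signedPasskeyData and userID, and the status code returned by the stub are assumptions to be replaced with the values from the API Reference.

```python
import json, secrets, urllib.error, urllib.request

VERIFY_PATH = "/v2/passkeys/verifySignedData"  # endpoint path named on this page

def corbado_verify(token, base_url, auth_header):
    """POST the token server-to-server. base_url, auth_header and the JSON
    field name are assumptions; take the real ones from the API Reference."""
    req = urllib.request.Request(
        base_url + VERIFY_PATH,
        data=json.dumps({"signedPasskeyData": token}).encode(),
        headers={"Content-Type": "application/json", "Authorization": auth_header},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def login_with_signed_passkey_data(token, verify, sessions):
    """Create a session only if the verification call positively succeeds."""
    if not isinstance(token, str) or not token or len(token) > 8192:
        return None                      # reject malformed input before any call
    try:
        status, body = verify(token)
    except Exception:
        return None                      # network error or timeout: fail closed
    user_id = body.get("userID") if isinstance(body, dict) else None  # assumed field
    if status != 200 or not user_id:
        return None                      # not confirmed valid: no session
    session_id = secrets.token_urlsafe(32)   # fresh, unguessable session id
    sessions[session_id] = user_id
    return session_id

class FakeCorbado:
    """Constructed stand-in for the verify endpoint: each token verifies once."""
    def __init__(self, issued):
        self.issued = dict(issued)       # token -> user id
    def __call__(self, token):
        user = self.issued.pop(token, None)   # consume on first use
        return (200, {"userID": user}) if user else (400, {})
```

In production, pass `lambda t: corbado_verify(t, base_url, auth_header)` as `verify`; the backend never treats the token's own contents as proof of login, only the result of the verification call.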