The signedPasskeyData is a short-lived, single-use JSON Web Token (JWT) that confirms a successful passkey authentication with Corbado Connect. Its payload carries the registered JWT claims (iss, sub, exp, nbf, iat, jti) plus Corbado-specific claims; in the example below, iss is the Corbado project ID, sub is the Corbado user ID, and the token is valid for 300 seconds (exp minus iat), with nbf set 10 seconds before iat to tolerate clock skew:

```json
{
  "iss": "pro-7815296293940881620",
  "sub": "usr-676138078732345317",
  "exp": 1753209073,
  "nbf": 1753208763,
  "iat": 1753208773,
  "jti": "bMjoybgDCBAXolHtmioNsytyVCaRKn",
  "processId": "JcZmmaSRQI1VPDTZMmV1",
  "username": "",
  "credential": "cre-13566630052040460774",
  "challengeId": "was-5436378850176376218",
  "webauthnId": "c364a852-0071-70a4-0fe8-ed5728aa9522",
  "isCUI": false
}
```
This token is the link between Corbado Connect's passkey authentication and your own authentication system, which ultimately has to establish a session for the user. The Corbado Frontend API returns it to your frontend after a successful passkey login. The frontend must not act on it: it forwards the signedPasskeyData to your application's backend, and your backend calls the Corbado Backend API to verify the token's authenticity. Only if that verification succeeds does your backend create a session, using the user identity confirmed by Corbado rather than anything the frontend claims. Any other outcome (verification error, network failure, expired or already-used token) is a failed login. This is what securely transfers the authentication status from Corbado to your application. The flow looks as follows:
  1. Corbado Connect login: A user logs in using their passkey in a web or native/mobile application.
  2. signedPasskeyData is returned: Upon successful passkey authentication, Corbado's Frontend API returns a signedPasskeyData token to your web or native/mobile application.
  3. Backend verification: Your web or native/mobile application sends the signedPasskeyData to your backend. Your backend then makes a server-to-server API call to Corbado's /v2/passkeys/verifySignedData endpoint to verify the token (see API Reference). The backend does not decode and trust the JWT locally; Corbado performs the verification.
  4. Session creation: If Corbado's Backend API confirms that the token is valid, your backend creates a session for the user, completing the login process. If it does not, no session is created.
  5. Short-lived & single use: Each signedPasskeyData token expires after a few minutes and can be verified only once. A token that is replayed, or presented outside its nbf/exp window, is rejected by the verification call, so a captured token is of little use to an attacker.
In summary, every time a user logs in using a passkey, your application’s backend needs to verify the signedPasskeyData to securely establish a session.
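The backend side of steps 3 to 5, as an added example that is not Corbado's own code. The HTTP call is injected as a transport so the flow runs offline against a constructed stand-in for the Corbado Backend API that models only what this page states (accept once, reject replays and tokens outside their validity window); the real endpoint also checks Corbado's signature. The request body field, the base URL, HTTP Basic auth with project ID and API secret, and the `sub` field in the verification response are assumptions here; confirm them in the API Reference.

```python
"""Backend side of the signedPasskeyData flow (added example, not Corbado's own code)."""
import base64
import json
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

Transport = Callable[[str, dict], Tuple[int, dict]]  # (path, json body) -> (status, json response)

# Claims from the example token on the page (constructed sample input).
SAMPLE_CLAIMS = {
    "iss": "pro-7815296293940881620", "sub": "usr-676138078732345317",
    "exp": 1753209073, "nbf": 1753208763, "iat": 1753208773,
    "jti": "bMjoybgDCBAXolHtmioNsytyVCaRKn", "processId": "JcZmmaSRQI1VPDTZMmV1",
    "username": "", "credential": "cre-13566630052040460774",
    "challengeId": "was-5436378850176376218",
    "webauthnId": "c364a852-0071-70a4-0fe8-ed5728aa9522", "isCUI": False,
}
FIXED_NOW = 1753208800  # constructed clock value inside [nbf, exp) of the sample token


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _decode_payload(token: str) -> dict:
    """Read the JWT payload segment only. No signature check: the backend never trusts this locally."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed token carrying the page's claims with a placeholder signature (offline use only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


class FakeCorbadoBackend:
    """Constructed stand-in for the Corbado Backend API: accepts a token once, rejects replays
    and tokens outside [nbf, exp). Unlike the real API it cannot verify Corbado's signature."""

    def __init__(self, now: Callable[[], int]):
        self.now = now
        self.used_jti: set = set()

    def __call__(self, path: str, body: dict) -> Tuple[int, dict]:
        if path != "/v2/passkeys/verifySignedData":
            return 404, {"error": "unknown endpoint"}
        try:
            claims = _decode_payload(body.get("signedPasskeyData", ""))
        except (ValueError, KeyError):
            return 400, {"error": "malformed token"}
        if not claims["nbf"] <= self.now() < claims["exp"]:
            return 400, {"error": "token outside validity window"}
        if claims["jti"] in self.used_jti:
            return 400, {"error": "token already used"}
        self.used_jti.add(claims["jti"])
        return 200, {"sub": claims["sub"], "credential": claims["credential"]}


def corbado_http_transport(base_url: str, project_id: str, api_secret: str) -> Transport:
    """Real server-to-server transport. Base URL and HTTP Basic auth with project ID and
    API secret are assumptions; confirm both in the API Reference."""
    def call(path: str, body: dict) -> Tuple[int, dict]:
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(), method="POST")
        req.add_header("Content-Type", "application/json")
        basic = base64.b64encode(f"{project_id}:{api_secret}".encode()).decode()
        req.add_header("Authorization", f"Basic {basic}")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return call


class VerificationFailed(Exception):
    """Corbado did not confirm the token: a failed login, never a session."""


@dataclass
class SessionStore:
    now: Callable[[], int]
    ttl_seconds: int = 3600
    _sessions: dict = field(default_factory=dict)

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # opaque, unguessable session ID
        self._sessions[sid] = {"user_id": user_id, "expires_at": self.now() + self.ttl_seconds}
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return None if s is None or s["expires_at"] <= self.now() else s["user_id"]


def login_with_signed_passkey_data(token: str, corbado: Transport, sessions: SessionStore) -> str:
    """Steps 3 and 4: verify server-to-server, then create the session from the user ID in
    Corbado's response (field name assumed), never from claims decoded in this process."""
    status, resp = corbado("/v2/passkeys/verifySignedData", {"signedPasskeyData": token})
    if status != 200 or not resp.get("sub"):
        raise VerificationFailed(f"HTTP {status}: {resp.get('error', 'no user in response')}")
    return sessions.create(resp["sub"])


if __name__ == "__main__":
    clock = lambda: FIXED_NOW
    corbado, sessions = FakeCorbadoBackend(clock), SessionStore(now=clock)
    token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    print("session created for", sessions.user_for(login_with_signed_passkey_data(token, corbado, sessions)))
    try:
        login_with_signed_passkey_data(token, corbado, sessions)
    except VerificationFailed as err:
        print("replay rejected:", err)
```

Swap `FakeCorbadoBackend` for `corbado_http_transport(...)` in production; the login function is unchanged because it depends only on the transport's status code and response body, and it raises rather than returning a session for every non-success outcome.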