demo

Try our demo application to see how Corbado Connect integrates passkeys into your application.
 The signedPasskeyData is a short-lived, single-use JSON Web Token (JWT) that confirms a successful passkey authentication with Corbado Connect: 
eyJhbGciOiJSUzI1NiIsImtpZCI6InBraS01MTc3MzQ2NzY5MTkxNjgyNTg5IiwidHlwIjoiSldUIn0.eyJpc3MiOiJwcm8tNzgxNTI5NjI5Mzk0MDg4MTYyMCIsInN1YiI6InVzci02NzYxMzgwNzg3MzIzNDUzMTciLCJleHAiOjE3NTMyMDkwNzMsIm5iZiI6MTc1MzIwODc2MywiaWF0IjoxNzUzMjA4NzczLCJqdGkiOiJiTWpveWJnRENCQVhvbEh0bWlvTnN5dHlWQ2FSS24iLCJwcm9jZXNzSWQiOiJKY1ptbWFTUlFJMVZQRFRaTW1WMSIsInVzZXJuYW1lIjoiIiwiY3JlZGVudGlhbCI6ImNyZS0xMzU2NjYzMDA1MjA0MDQ2MDc3NCIsImNoYWxsZW5nZUlkIjoid2FzLTU0MzYzNzg4NTAxNzYzNzYyMTgiLCJ3ZWJhdXRobklkIjoiYzM2NGE4NTItMDA3MS03MGE0LTBmZTgtZWQ1NzI4YWE5NTIyIiwiaXNDVUkiOmZhbHNlfQ.dFvzxf7t0rdFueaLXLRD0K4hNIXhpm-vMWOaq_PRM_S3J4EO8TYg5fglAPHtdaMhvKPsKxxXtiOVt2DR5t7-AZSmlxdqyRJavV-ffRflJ5ZihfAqGrSMvD8-eN6xv81Nv46SSTKvWvDvImeCwxIvLxzuz4uOPGOVbqRqFYBgXJ4OMkXEN9SiS2ygA-KSvkJ7W1mdgumI4nWjHxNXn_BbtKZihQur6rf4WuZq1heo_SACvAZ8JJPSlUOMRESrjn1RhbBnhAL3v-0ppaMnHlLiLB5tLcvmdohJ6Ws9kcebVJE9d53Hfrzm2thyyg3MgFj0gZdjBzF-0ugqhsjXKIzLrQ
This token acts as the crucial link between Corbado Connect’s passkey authentication and your authentication system, which ultimately needs to establish a session for the user. It is returned by the Corbado Frontend API upon a successful passkey login. After the frontend receives the signedPasskeyData, it should be sent to your application’s backend for verification. Your backend then calls a Corbado Backend API endpoint to verify the token’s authenticity. If the verification is successful, your backend can proceed to create a session for the user. This process ensures that the passkey login is valid and securely transfers the authentication status from Corbado to your application. The flow looks as follows:
  1. Corbado Connect login: A user logs in using their passkey in a web or native/mobile application.
  2. signedPasskeyData is returned: Upon successful passkey authentication, Corbado’s Frontend API returns a signedPasskeyData token to your web or native/mobile application.
  3. Backend verification: Your web or native/mobile application sends the signedPasskeyData to your backend. Your backend then makes a secure server-to-server API call to Corbado’s /v2/passkeys/verifySignedData endpoint to verify the token (see API Reference).
  4. Session creation: If Corbado’s Backend API confirms that the token is valid, your backend creates a session for the user, completing the login process.
  5. Short-lived & single use: Each signedPasskeyData token is short-lived and can be used only once for verification. This prevents replay attacks and ensures a high level of security.
In summary, every time a user logs in using a passkey, your application’s backend needs to verify the signedPasskeyData to securely establish a session.