Install the Stytch browser SDK; initialize the Stytch client with your public token.
For registration, call stytch.passkeys.register({ user_id }) (or the equivalent SDK method); the SDK fetches the challenge from Stytch's backend, calls navigator.credentials.create, and sends the attestation to Stytch — you do not manage the ceremony directly.
For authentication, call stytch.passkeys.authenticate(); the SDK fetches a challenge, calls navigator.credentials.get, and sends the assertion to Stytch, returning a session token on success.
Stytch returns a Stytch session (session_token and session_jwt) on successful passkey authentication; use this session for subsequent authenticated API calls.
To list or revoke a user's registered passkeys, call the Stytch backend API (server-side with your secret key) GET /v1/users/{user_id} and inspect the webauthn_registrations array; delete via DELETE /v1/webauthn/registrations/{webauthn_registration_id}.
Known gotchas
Stytch's SDK abstracts the WebAuthn ceremony; do not attempt to pass custom PublicKeyCredentialCreationOptions or intercept the navigator.credentials calls — this will break the signature verification chain.
Passkey authentication requires a user gesture (button click); calling the authenticate method outside a user interaction event will be blocked by the browser.
Stytch sessions issued via passkey authentication have a configurable expiry; ensure session_duration_minutes is set appropriately and that your session refresh logic handles passkey-authenticated sessions the same as password-authenticated ones.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp