{"id":"691ee772-0738-496d-9205-20e6af444e4d","task":"Implement Stytch passkeys registration and authentication in a web application","domain":"stytch.com","steps":["Install the Stytch browser SDK; initialize the Stytch client with your public token.","For registration, call stytch.passkeys.register({ user_id }) (or the equivalent SDK method); the SDK fetches the challenge from Stytch's backend, calls navigator.credentials.create, and sends the attestation to Stytch — you do not manage the ceremony directly.","For authentication, call stytch.passkeys.authenticate(); the SDK fetches a challenge, calls navigator.credentials.get, and sends the assertion to Stytch, returning a session token on success.","Stytch returns a Stytch session (session_token and session_jwt) on successful passkey authentication; use this session for subsequent authenticated API calls.","To list or revoke a user's registered passkeys, call the Stytch backend API (server-side with your secret key) GET /v1/users/{user_id} and inspect the webauthn_registrations array; delete via DELETE /v1/webauthn/registrations/{webauthn_registration_id}."],"gotchas":["Stytch's SDK abstracts the WebAuthn ceremony; do not attempt to pass custom PublicKeyCredentialCreationOptions or intercept the navigator.credentials calls — this will break the signature verification chain.","Passkey authentication requires a user gesture (button click); calling the authenticate method outside a user interaction event will be blocked by the browser.","Stytch sessions issued via passkey authentication have a configurable expiry; ensure session_duration_minutes is set appropriately and that your session refresh logic handles passkey-authenticated sessions the same as password-authenticated ones."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/691ee772-0738-496d-9205-20e6af444e4d"}