npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@passkeykit/client

v2.0.0

Published

Client-side WebAuthn passkey helpers for browser-based registration and authentication

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

danieltechdevdanieltechdev

Keywords

webauthnpasskeyfido2authenticationbrowser

Readme

@passkeykit/client

Browser-side WebAuthn passkey authentication. Handles the registration and authentication ceremonies with zero configuration — just point it at your server.

Works with @passkeykit/server or any WebAuthn server that follows the standard challenge-response pattern.

npm license

Install

npm install @passkeykit/client

Quick Start

import { PasskeyClient, isWebAuthnAvailable } from '@passkeykit/client';

const client = new PasskeyClient({
  serverUrl: '/api/auth/passkey',
});

// Check browser support
if (isWebAuthnAvailable()) {
  // Register a new passkey
  const reg = await client.register('user-123', 'My MacBook');
  console.log('Registered:', reg.credentialId);

  // Authenticate with a passkey
  const auth = await client.authenticate();
  console.log('Authenticated as:', auth.userId);
}

API

new PasskeyClient(config)

| Option | Type | Description | |--------|------|-------------| | serverUrl | string | Required. Base URL of the passkey API (e.g. /api/auth/passkey) | | fetch | typeof fetch | Custom fetch function (e.g. to add auth headers). Defaults to globalThis.fetch | | headers | Record<string, string> | Extra headers included in every request | | extraBody | Record<string, unknown> | Extra fields merged into every request body. Useful for multi-app servers that need rpId/rpName per request |

client.register(userId, credentialName?, opts?)

Registers a new passkey for a user.

  1. Fetches registration options from the server
  2. Triggers the browser's WebAuthn prompt (TouchID / FaceID / Windows Hello / security key)
  3. Sends the attestation back for server-side verification
const result = await client.register('user-123', 'My Phone', {
  authenticatorAttachment: 'platform',  // 'platform' | 'cross-platform'
  residentKey: 'preferred',             // 'required' | 'preferred' | 'discouraged'
  userVerification: 'preferred',        // 'required' | 'preferred' | 'discouraged'
});
// → { verified: true, credentialId: '...', credentialName: 'My Phone' }

client.authenticate(userId?, opts?)

Authenticates with a passkey.

  • Without userId: Discoverable credential flow — the browser picks the passkey
  • With userId: Server hints which credentials to use
const result = await client.authenticate();
// → { verified: true, userId: 'user-123', credentialId: '...' }

isWebAuthnAvailable()

Returns true if the browser supports WebAuthn (PublicKeyCredential + navigator.credentials).

import { isWebAuthnAvailable } from '@passkeykit/client';

if (!isWebAuthnAvailable()) {
  console.log('Passkeys not supported in this browser');
}

isPlatformAuthenticatorAvailable()

Async check for platform authenticator support (TouchID, FaceID, Windows Hello).

import { isPlatformAuthenticatorAvailable } from '@passkeykit/client';

if (await isPlatformAuthenticatorAvailable()) {
  // Show "Add Passkey" button
}

Multi-App Server

When multiple apps share one passkey server, use extraBody to specify the relying party:

const client = new PasskeyClient({
  serverUrl: 'https://auth.example.com/api/passkey',
  extraBody: {
    rpId: 'myapp.example.com',
    rpName: 'My App',
  },
});

Stateless Mode

When used with @passkeykit/server in stateless mode, the client automatically handles challengeToken round-tripping — no extra config needed. The token is returned by the server in the options response and sent back during verification.

Error Handling

All errors thrown by the client are typed PasskeyError with machine-readable error codes:

import { PasskeyClient, PasskeyError } from '@passkeykit/client';

try {
  await client.authenticate();
} catch (err) {
  if (err instanceof PasskeyError) {
    if (err.isCancelled) {
      // User closed the WebAuthn prompt — not a real error
      return;
    }
    switch (err.code) {
      case 'NETWORK_ERROR':  console.log('Check your connection'); break;
      case 'SERVER_ERROR':   console.log(`Server: ${err.message} (${err.statusCode})`); break;
      case 'NOT_SUPPORTED':  console.log('WebAuthn not available'); break;
      default:               console.log('Unknown error:', err.message);
    }
  }
}

Error codes:

| Code | Meaning | |------|---------| | USER_CANCELLED | User closed the WebAuthn prompt | | SERVER_ERROR | HTTP error from the server (includes statusCode) | | NETWORK_ERROR | Fetch failed (offline, CORS, etc.) | | NOT_SUPPORTED | WebAuthn not supported or blocked by security policy | | INVALID_RESPONSE | Server returned unexpected data | | UNKNOWN | Unrecognized error |

Server Pairing

This package is designed to work with @passkeykit/server, but it's compatible with any server that exposes:

  • POST /register/options → returns WebAuthn registration options
  • POST /register/verify → verifies the attestation response
  • POST /authenticate/options → returns WebAuthn authentication options
  • POST /authenticate/verify → verifies the assertion response

License

MIT — GitHub