Bitwarden Passwordless.dev is a software toolkit that helps developers build FIDO2 WebAuthn passkeys features for seamless authentication flows.
Using Passwordless.dev means there's no need to read extensive W3C specification documentation, determine what cryptography to implement, or worry about managing stored public keys. The team behind Bitwarden will take care of that for you.
The passwordless-server
project contains the APIs, database, and other core infrastructure items needed for the backend of all passwordless clients. The server project is written in C# using .NET 7 with ASP.NET Core.
To get started using Passwordless.dev:
- Sign up for a free account here.
- Create an application in the admin console.
- Install the Passwordless.dev JavaScript Client library.
- Start building registration and signin flows for your application. Refer to the Passwordless.dev documentation for help. Here are some basic examples to get you started:
Registration:
// Node.js - Code written for this step should run on your backend.
const payload = {
"userId": "107fb578-9559-4540-a0e2-f82ad78852f7", // Required. A WebAuthn User Handle, which should be generated by your application. Max. 64 bytes.
"username": "[email protected]", // Required. A human readable username used for user authentication, should be chosen by the user.
// ...For more options, please see the API reference for /register/token.
};
// POST the payload to the Passwordless.dev API using your API private secret.
const apiUrl = "https://v4.passwordless.dev";
const {token} = await fetch(apiUrl + "/register/token", {
method: "POST",
body: JSON.stringify(payload),
headers: {
"ApiSecret": "myapplication:secret:11f8dd7733744f2596f2a28544b5fbc4",
"Content-Type": "application/json"
}
}).then(r => r.json());
Signin:
// Code written for this step should run on your backend.
// Fetch the verification token from your frontend.
const token = { token: req.query.token };
// POST the verification token to the Passwordless.dev API using your API private secret.
const apiUrl = "https://v4.passwordless.dev";
const response = await fetch(apiurl + "/signin/verify", {
method: "POST",
body: JSON.stringify({token}),
headers: { "ApiSecret": "myapplication:secret:11f8dd7733744f2596f2a28544b5fbc4", "Content-Type": "application/json" }
});
// Cache the API response (see below) to a variable.
const body = await response.json();
// Check the API response for successful verification.
// To see all properties returned by this endpoint, checkout the Backend API Reference for /signin/verify.
if (body.success) {
console.log("Successfully verified sign-in for user.", body);
// Set a cookie/userid.
} else {
console.warn("Sign in failed.", body);
}
We welcome code contributions! Please commit any pull requests against the main
branch. All changes require tests that prove the intended behavior. Please note that large code changes and units of work are less likely to be merged because of the review burden.
Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file. We also run a program on HackerOne.
No grant of any rights in the trademarks, service marks, or logos of Bitwarden is made (except as may be necessary to comply with the notice requirements as applicable), and use of any Bitwarden trademarks must comply with Bitwarden Trademark Guidelines.
See CONTRIBUTING.md
See the self-hosting directory for instructions on how to self-host Passwordless.dev.
If you need support from the Passwordless.dev team, send us a message at [email protected].