Expo Passkey

0.3.12 · active · verified Wed Apr 22

Expo Passkey is a cross-platform (iOS, Android, Web) module designed for Expo applications, providing comprehensive FIDO2/WebAuthn passkey authentication. It seamlessly integrates with the Better Auth ecosystem, offering an end-to-end solution for modern, frictionless biometric and platform authenticator-based login experiences. Currently at version 0.3.12, the package maintains an active development pace, demonstrated by recent critical security patches and breaking changes introduced in October 2025. Key differentiators include its unified passkey table structure that operates consistently across all supported platforms, seamless synchronization with iCloud Keychain and Google Password Manager for cross-device portability, and granular client-controlled WebAuthn security preferences, all built upon a robust framework emphasizing session-validated security for critical operations like registration and revocation.

Common errors

```
401 Unauthorized error when attempting passkey authentication, even for unauthenticated users.
```
cause The backend's authentication challenge endpoint is incorrectly requiring an authenticated session before `v0.3.6`.

fix Upgrade `expo-passkey` to `v0.3.6` or later, and ensure your server-side endpoint for initiating passkey authentication does not enforce a prior user session.
```
Security vulnerabilities or 'Invalid userId' warnings reported for passkey registration/revocation.
```
cause Server-side code is accepting `userId` from client requests for sensitive operations, making it susceptible to manipulation (pre-`v0.3.0`).

fix Upgrade `expo-passkey` to `v0.3.0` or higher. On the backend, always obtain `userId` for passkey registration and revocation from the authenticated user's session, ignoring any `userId` sent from the client.
```
TypeError: revokePasskey is not a function or Argument of type '{ userId: string; credentialId: string; }' is not assignable to parameter of type '{ credentialId: string; }'.
```
cause Attempting to pass the `userId` parameter to `revokePasskey` after it was removed in `v0.3.0`.

fix Remove the `userId` parameter from `revokePasskey` calls in your client-side code. Ensure an authenticated session is established before calling `revokePasskey`.
```
Module not found: Can't resolve '@better-auth/expo' in '...' or similar peer dependency resolution errors.
```
cause A required peer dependency, such as `@better-auth/expo`, `expo-secure-store`, or `@simplewebauthn/server`, is either not installed or its version is incompatible.

fix Install all specified peer dependencies manually using your package manager (e.g., `npm install @better-auth/expo expo-secure-store @simplewebauthn/server`). Check the `package.json` for exact version requirements and ensure compatibility.

Warnings

breaking The `revokePasskey()` function no longer accepts a `userId` parameter. Additionally, both registration and revocation operations now strictly require an authenticated session on your backend. Attempting these operations without a valid session will result in a `401 Unauthorized` error.
Fix: Update client-side calls to `revokePasskey()` by removing the `userId` parameter. Ensure your application establishes an authenticated user session before initiating passkey registration or revocation. Your backend must derive the `userId` for these operations solely from the authenticated session, not from client-provided data.
breaking A critical account takeover vulnerability was present in versions prior to `v0.3.0`. The server was validating the `userId` from client requests for critical operations, which could be manipulated. This has been patched to enforce server-side validation of `userId` exclusively from the authenticated session.
Fix: Immediately upgrade `expo-passkey` to `v0.3.0` or a later version. On your backend, modify all passkey-related endpoints to ensure the `userId` is obtained and validated *only* from the authenticated user's session, disallowing `userId` from client request bodies for security-sensitive actions.
gotcha In versions prior to `v0.3.6`, authentication challenge endpoints sometimes incorrectly failed with a `401 Unauthorized` status for unauthenticated users. This bug prevented a smooth login flow where a user might initiate authentication without being logged in first.
Fix: Upgrade `expo-passkey` to `v0.3.6` or later. Verify that your backend's authentication challenge endpoint (e.g., `/passkey/authenticate/start`) is configured to *not* require a pre-existing authenticated session, allowing any user to request a challenge.
gotcha `expo-passkey` relies on a substantial list of peer dependencies, including core Expo modules (e.g., `expo-secure-store`, `expo-local-authentication`), `better-auth` components, `@simplewebauthn/server` (for server integration), and `zod`. Missing or incompatible versions of these dependencies can lead to runtime errors, build failures, or unexpected behavior.
Fix: Carefully review the `peerDependencies` listed in `expo-passkey`'s `package.json`. Ensure all required packages are installed in your project at compatible versions. For example, run `npm install @better-auth/expo better-auth @simplewebauthn/server expo expo-application expo-crypto expo-device expo-local-authentication expo-secure-store react react-native zod` and verify versions match.

Install

npm install expo-passkey npm
yarn add expo-passkey yarn
pnpm add expo-passkey pnpm

Imports

registerPasskey, authenticatePasskey, revokePasskey
wrong:
```
const { registerPasskey } = require('expo-passkey');
```
correct:
```
import { registerPasskey, authenticatePasskey, revokePasskey } from 'expo-passkey';
```
Expo Passkey ships as an ES Module (ESM) and is TypeScript-ready. CommonJS `require` syntax will not work.
PasskeyStatus
wrong:
```
import PasskeyStatus from 'expo-passkey';
```
correct:
```
import { PasskeyStatus } from 'expo-passkey';
```
A named export providing utilities like `isSupported()` for checking passkey availability. Do not use as a default import.
RegisterPasskeyOptions, AuthenticatePasskeyOptions
wrong:
```
import { RegisterPasskeyOptions, AuthenticatePasskeyOptions } from 'expo-passkey';
```
correct:
```
import type { RegisterPasskeyOptions, AuthenticatePasskeyOptions } from 'expo-passkey';
```
These are TypeScript type definitions. Use `import type` to avoid bundling unnecessary runtime code, especially in environments that don't strip type imports.

Quickstart

This quickstart demonstrates the client-side flow for registering and authenticating a passkey in an Expo application. It illustrates the typical three-step process: obtaining a challenge from a backend server, performing the client-side WebAuthn operation, and sending the result back to the server for verification, including considerations for web platform support.

import { registerPasskey, authenticatePasskey, PasskeyStatus } from 'expo-passkey';
import * as WebBrowser from 'expo-web-browser';
import { Platform } from 'react-native';

const API_BASE_URL = 'https://your-backend.com/api'; // Replace with your backend URL

async function handlePasskeyRegistration(userId: string) {
  try {
    console.log('Initiating passkey registration...');
    const response = await fetch(`${API_BASE_URL}/passkey/register/start`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ userId }), // Send userId to backend for challenge generation
    });
    const { challengeOptions } = await response.json();

    const registrationResult = await registerPasskey({
      challenge: challengeOptions,
      openWebBrowserAsync: Platform.OS === 'web' ? WebBrowser.openBrowserAsync : undefined,
    });

    const verificationResponse = await fetch(`${API_BASE_URL}/passkey/register/complete`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(registrationResult),
    });

    if (verificationResponse.ok) {
      console.log('Passkey registered successfully!');
      return true;
    } else {
      const error = await verificationResponse.json();
      console.error('Passkey registration failed on server:', error);
      return false;
    }
  } catch (error) {
    console.error('Error during passkey registration:', error);
    return false;
  }
}

async function handlePasskeyAuthentication() {
  try {
    console.log('Initiating passkey authentication...');
    const response = await fetch(`${API_BASE_URL}/passkey/authenticate/start`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      // No userId sent for auth challenge since v0.3.6
    });
    const { challengeOptions } = await response.json();

    const authenticationResult = await authenticatePasskey({
      challenge: challengeOptions,
      openWebBrowserAsync: Platform.OS === 'web' ? WebBrowser.openBrowserAsync : undefined,
    });

    const verificationResponse = await fetch(`${API_BASE_URL}/passkey/authenticate/complete`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(authenticationResult),
    });

    if (verificationResponse.ok) {
      const { user } = await verificationResponse.json(); // Backend might return user info
      console.log('Passkey authenticated successfully for user:', user?.id || 'unknown');
      return user;
    } else {
      const error = await verificationResponse.json();
      console.error('Passkey authentication failed on server:', error);
      return null;
    }
  } catch (error) {
    console.error('Error during passkey authentication:', error);
    return null;
  }
}

// Example of checking passkey support (e.g., in a useEffect hook)
// async function checkPasskeySupport() {
//   const supported = await PasskeyStatus.isSupported();
//   console.log('Passkey authentication supported:', supported);
// }
// checkPasskeySupport();

view raw JSON →