Endpoint

POST /passkey/challenge

Request a passkey challenge so a user can authenticate to your Native or Web application using a previously registered passkey. The endpoint returns the WebAuthn parameters your application uses to invoke the platform authenticator, and an auth_session value you exchange for tokens at /oauth/token using the passkey grant.

This endpoint backs the Passkey APIs for Native and Web applications. Use this endpoint in combination with the Auth0 token exchange for passkey grant type.

Remarks

  • The application’s grant types must include: urn:okta:params:oauth:grant-type:webauthn.
  • The application must be a first-party application. Third-party applications are not allowed to call this endpoint.
  • The application must be OIDC conformant.
  • The request must be made against a custom domain configured for your tenant. Calls to the default Auth0 domain ({tenant}.auth0.com) are rejected.

Request Body

  • client_id (string, required): The client_id of your application.
  • client_secret (string): The client_secret of your application. Required for confidential applications using the client_secret_post token endpoint authentication method.
  • realm (string): Name of the database connection to authenticate against. If omitted, Auth0 uses your tenant’s default database connection for the application.
  • organization (string): ID of the Auth0 Organization to which the user is signing in. Required when the application’s organization_usage is set to require.

Response

A successful response contains the WebAuthn parameters your application passes to the platform authenticator and an auth_session value that ties the subsequent assertion to this challenge.

  • auth_session (string): Opaque session identifier. Pass it in the token exchange request that completes the passkey login.
  • authn_params_public_key (object): WebAuthn PublicKeyCredentialRequestOptions to invoke on the platform authenticator.

Status  Description
200     Challenge generated successfully.
400     Invalid request. Common causes include missing or invalid parameters, the application is not configured for passkey authentication, the request was not made against a custom domain, or the application is third-party.
401     Unauthorized. Invalid client credentials.
404     The Passkey APIs are not enabled for the tenant.
429     Too many requests. Per-IP rate limit exceeded.
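
Added example, not Auth0's own code: a JavaScript helper that builds the POST /passkey/challenge request described above, refuses the default {tenant}.auth0.com domain before any network call, and checks that the response carries both auth_session and authn_params_public_key. The function names, the injected fetchImpl parameter and the JSON content type are assumptions made for illustration.

```javascript
// Added example, not Auth0 code. Function names are hypothetical.
const STATUS_HINTS = {
  400: "invalid request (parameters, passkey configuration, custom domain, or third-party app)",
  401: "invalid client credentials",
  404: "Passkey APIs are not enabled for the tenant",
  429: "per-IP rate limit exceeded",
};

function buildChallengeRequest(domain, { clientId, clientSecret, realm, organization }) {
  if (!clientId) throw new Error("client_id is required");
  // The default {tenant}.auth0.com domain is rejected; fail before sending.
  if (domain.toLowerCase().endsWith(".auth0.com")) {
    throw new Error("call /passkey/challenge on the tenant's custom domain");
  }
  // client_secret is for confidential applications; never ship it in browser code.
  if (clientSecret && typeof window !== "undefined") {
    throw new Error("client_secret must not be used from a browser");
  }
  const body = { client_id: clientId };
  if (clientSecret) body.client_secret = clientSecret;
  if (realm) body.realm = realm; // omitted: tenant default database connection
  if (organization) body.organization = organization;
  return {
    url: `https://${domain}/passkey/challenge`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" }, // assumption: JSON body
      body: JSON.stringify(body),
    },
  };
}

async function requestPasskeyChallenge(domain, params, fetchImpl = fetch) {
  const { url, init } = buildChallengeRequest(domain, params);
  const res = await fetchImpl(url, init);
  if (res.status !== 200) {
    const hint = STATUS_HINTS[res.status] ?? "unexpected status";
    throw new Error(`passkey challenge failed (${res.status}): ${hint}`);
  }
  const data = await res.json();
  const publicKey = data.authn_params_public_key;
  if (typeof data.auth_session !== "string" || publicKey === null || typeof publicKey !== "object") {
    throw new Error("malformed challenge response");
  }
  // auth_session ties the later assertion to this challenge; keep the pair together.
  return { authSession: data.auth_session, publicKey };
}
```

Keep the returned authSession with the publicKey options it came with, since the token exchange that completes the login needs the auth_session issued for that challenge.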