Endpoint

POST /passkey/register

Initiate passkey registration for a new user during sign up. The endpoint creates a passkey enrollment session, validates the supplied user profile against the database connection’s signup attributes, and returns the WebAuthn creation parameters your application passes to the platform authenticator. After the authenticator returns an attestation, you complete enrollment by exchanging the assertion at /oauth/token using the passkey grant.

Remarks

  • The application’s grant types must include: urn:okta:params:oauth:grant-type:webauthn.
  • The application must be a first-party application. Third-party applications are not allowed to call this endpoint.
  • The application must be OIDC conformant.
  • The request must be made against a custom domain configured for your tenant. Calls to the default Auth0 domain ({tenant}.auth0.com) are rejected.
  • user_profile must contain every identifier marked required for signup on the connection (commonly email, phone_number, or username). Additional identifiers may be optional.
  • A user is identified as already-existing through any of the configured identifiers; if any submitted identifier resolves to an existing user, the request fails with invalid_request.

Request Body

  • client_id (string, required): The client_id of your application.
  • client_secret (string): The client_secret of your application. Required for confidential applications using the client_secret_post token endpoint authentication method.
  • realm (string): Name of the database connection the user is signing up against. If omitted, Auth0 uses your tenant’s default database connection for the application.
  • organization (string): ID of the Auth0 Organization to which the user is signing in. Required when the application’s organization_usage is set to require.
  • user_profile (object, required): Profile attributes for the new user. Properties must match the signup attributes (required and optional) configured on the database connection. Unrecognized properties cause the request to fail with invalid_request.
  • user_metadata (object): Optional user metadata to attach to the new user. Up to 10 string fields.
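
The following pre-flight check is an added example, not code from the Auth0 documentation: it applies the constraints listed under Remarks and Request Body before the request is sent, so a misconfigured call fails locally instead of returning invalid_request. The function name, its option names, and the requiredIdentifiers list (which you copy from your connection's signup settings) are assumptions, and domain is assumed to be a bare hostname.

```javascript
// Added example: local validation for POST /passkey/register.
// buildPasskeyRegisterRequest and its option names are hypothetical helpers.
function buildPasskeyRegisterRequest(opts) {
  const { domain, clientId, clientSecret, realm, organization,
          userProfile, userMetadata, requiredIdentifiers = [] } = opts;

  // Calls to the default Auth0 domain ({tenant}.auth0.com) are rejected.
  const host = String(domain || "").toLowerCase();
  if (!host || host === "auth0.com" || host.endsWith(".auth0.com")) {
    throw new Error("use the tenant's custom domain, not *.auth0.com");
  }
  if (!clientId) throw new Error("client_id is required");
  if (!userProfile || typeof userProfile !== "object") {
    throw new Error("user_profile is required");
  }
  // Every identifier the connection marks as required for signup must be present.
  const missing = requiredIdentifiers.filter((k) => !userProfile[k]);
  if (missing.length) {
    throw new Error("user_profile is missing: " + missing.join(", "));
  }
  // user_metadata: up to 10 string fields.
  if (userMetadata !== undefined) {
    const entries = Object.entries(userMetadata);
    if (entries.length > 10) throw new Error("user_metadata allows up to 10 fields");
    const bad = entries.filter(([, v]) => typeof v !== "string").map(([k]) => k);
    if (bad.length) throw new Error("user_metadata values must be strings: " + bad.join(", "));
  }

  const body = { client_id: clientId, user_profile: userProfile };
  // Optional parameters are included only when set. A client_secret belongs to
  // confidential applications and must only ever be supplied from server-side code.
  if (clientSecret) body.client_secret = clientSecret;
  if (realm) body.realm = realm;
  if (organization) body.organization = organization;
  if (userMetadata) body.user_metadata = userMetadata;

  return { method: "POST", url: `https://${host}/passkey/register`, body };
}
```
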

Response

A successful response contains the WebAuthn creation parameters and an auth_session value that ties the subsequent attestation to this registration request.
  • auth_session (string): Opaque session identifier. Pass it in the token exchange request that completes the passkey registration.
  • authn_params_public_key (object): WebAuthn PublicKeyCredentialCreationOptions to invoke on the platform authenticator.

Status  Description
200     Registration challenge generated successfully.
400     Invalid request. Common causes include missing required user_profile identifiers, an invalid user_profile field, an invalid user_metadata field, the user already exists, the application is not configured for passkey authentication, the request was not made against a custom domain, or the application is third-party.
401     Unauthorized. Invalid client credentials.
404     The Passkey APIs are not enabled for the tenant.
429     Too many requests. Per-IP rate limit exceeded.