Laravel Magazine

Laravel Passkeys Server v0.1.0

Eric Van Johnson · News Releases

@joetannenbaum has shipped the initial release of laravel/passkeys-server, a first-party Laravel package that brings WebAuthn passkey authentication to your application. This is v0.1.0, a ground-up implementation designed to pair with the @laravel/passkeys npm client on the frontend.


Getting Started

The entry point is the PasskeyAuthenticatable trait. Add it to your User model and the package takes care of the rest.

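use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\PasskeysServer\PasskeyAuthenticatable;

class User extends Authenticatable
{
    // Adding the trait is the only change the model needs for passkey support.
    use PasskeyAuthenticatable;
}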

Routes for login, reauth confirmation, and passkey management are registered automatically. No manual route definitions needed.


Opaque User Handles

WebAuthn requires a user handle to be passed to the authenticator during registration. Exposing your primary key there is a known security risk, so passkeys-server generates stable opaque handles instead. Your database IDs never leave your server.

This is done at the package level, so there is nothing to configure or remember to implement yourself.


Configurable Origins and Relying Party

Allowed origins and the relying party ID are configurable, which means the package works for apps served from multiple domains or subdomains. Publish the config and set them explicitly:

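<?php
// config/passkeys-server.php
return [
    // Relying party ID that passkeys are scoped to.
    'relying_party_id' => env('PASSKEY_RP_ID', 'example.com'),
    // Origins allowed to perform passkey ceremonies.
    'allowed_origins' => [
        env('APP_URL', 'https://example.com'),
    ],
];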
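
To show what these two settings protect, the following sketch performs the two WebAuthn checks that depend on them: the origin reported in the client data and the relying party ID hash at the start of the authenticator data. It is an added example, not code from laravel/passkeys-server; the function name, variable names and sample values are assumptions.

```php
<?php
// Added illustration, not the package's own code. All names are hypothetical.

/**
 * Verify the origin and relying party ID bindings of a WebAuthn response.
 *
 * $clientDataJson    decoded bytes of response.clientDataJSON
 * $authenticatorData decoded bytes of response.authenticatorData
 */
function checkOriginAndRpId(
    string $clientDataJson,
    string $authenticatorData,
    string $relyingPartyId,
    array $allowedOrigins
): bool {
    $clientData = json_decode($clientDataJson, true);
    if (!is_array($clientData) || !is_string($clientData['origin'] ?? null)) {
        return false;
    }

    // Exact match on the full origin string: no prefix, suffix or wildcard
    // matching, so "https://example.com.evil.test" cannot pass.
    if (!in_array($clientData['origin'], $allowedOrigins, true)) {
        return false;
    }

    // Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if (strlen($authenticatorData) < 37) {
        return false;
    }
    $rpIdHash = substr($authenticatorData, 0, 32);

    // rpIdHash must equal SHA-256 of the configured relying party ID.
    return hash_equals(hash('sha256', $relyingPartyId, true), $rpIdHash);
}

// Constructed sample input (flags 0x05 = user present + user verified).
$rpId = 'example.com';
$allowed = ['https://example.com', 'https://app.example.com'];
$authData = hash('sha256', $rpId, true) . "\x05" . pack('N', 1);
$foreignAuthData = hash('sha256', 'other.example', true) . "\x05" . pack('N', 1);

$good = json_encode(['type' => 'webauthn.get', 'origin' => 'https://app.example.com']);
$lookalike = json_encode(['type' => 'webauthn.get', 'origin' => 'https://example.com.evil.test']);

var_dump(checkOriginAndRpId($good, $authData, $rpId, $allowed));
var_dump(checkOriginAndRpId($lookalike, $authData, $rpId, $allowed));
var_dump(checkOriginAndRpId($good, $foreignAuthData, $rpId, $allowed));
```

Only the first call passes; the lookalike origin and the foreign relying party ID hash are both rejected. A complete verification also checks the challenge, the ceremony type, the flags and the signature, which this sketch leaves out.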

AAGUID Catalog

The package ships with a bundled AAGUID catalog that auto-syncs. AAGUIDs are identifiers embedded in passkey attestations that tell you what kind of authenticator was used: a YubiKey, a platform authenticator, a password manager, and so on. Having this catalog available out of the box means you can surface that information to users without building the lookup yourself.


Events and Extensibility

Three events are dispatched across the passkey lifecycle:

PasskeyRegistered::class
PasskeyVerified::class
PasskeyDeleted::class

Beyond events, the package exposes extensible actions, response contracts, and models. If the default behavior does not fit your application, there are clean override points rather than a wall of config options.


Pairing With the Frontend Client

laravel/passkeys-server is built to work alongside the @laravel/passkeys npm package, which handles the browser-side WebAuthn ceremony. The two packages together cover the full registration and authentication flow without reaching for a third-party service.

Developers building applications where password fatigue is a real concern, or where passwordless authentication is a product requirement, should take a close look at this release. The full release notes are on GitHub.
