@joetannenbaum has shipped the initial release of laravel/passkeys-server, a first-party Laravel package that brings WebAuthn passkey authentication to your application. This is v0.1.0, a ground-up implementation designed to pair with the @laravel/passkeys npm client on the frontend.
The entry point is the PasskeyAuthenticatable trait. Add it to your User model and the package takes care of the rest.
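```php
// Base user class from a default Laravel application.
use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\PasskeysServer\PasskeyAuthenticatable;

class User extends Authenticatable
{
    // Adds passkey support to the model.
    use PasskeyAuthenticatable;
}
```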
Routes for login, reauth confirmation, and passkey management are registered automatically. No manual route definitions needed.
WebAuthn requires a user handle to be passed to the authenticator during registration. Exposing your primary key there is a known security risk, so passkeys-server generates stable opaque handles instead. Your database IDs never leave your server.
This is done at the package level, so there is nothing to configure or remember to implement yourself.
Allowed origins and the relying party ID are configurable, which means the package works for apps served from multiple domains or subdomains. Publish the config and set them explicitly:
```php
// config/passkeys-server.php
return [
    'relying_party_id' => env('PASSKEY_RP_ID', 'example.com'),
    'allowed_origins' => [
        env('APP_URL', 'https://example.com'),
    ],
];
```
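Why both values matter, as an added example that is not code from laravel/passkeys-server: the WebAuthn spec has the server compare the origin in `clientDataJSON` against an allow-list and the first 32 bytes of the authenticator data against SHA-256 of the relying party ID. `checkOriginAndRpId()` is a hypothetical helper, the sample inputs are constructed, and challenge and signature verification are left out.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the package's API: the two WebAuthn checks that
// depend on 'allowed_origins' and 'relying_party_id'.
function checkOriginAndRpId(string $clientDataJson, string $authData, array $config, string $type): array
{
    $client = json_decode($clientDataJson, true);
    if (!is_array($client)) {
        return ['clientDataJSON is not valid JSON'];
    }
    $errors = [];
    if (($client['type'] ?? null) !== $type) {
        $errors[] = 'unexpected ceremony type';
    }
    // Exact match on scheme, host and port; never prefix or suffix matching.
    if (!in_array($client['origin'] ?? null, $config['allowed_origins'], true)) {
        $errors[] = 'origin not allowed';
    }
    // Authenticator data: rpIdHash (32 bytes), flags (1), signCount (4).
    $expectedHash = hash('sha256', $config['relying_party_id'], true);
    if (strlen($authData) < 37 || !hash_equals($expectedHash, substr($authData, 0, 32))) {
        $errors[] = 'rpIdHash mismatch';
    }
    return $errors;
}

// Constructed sample data: one RP ID serving two origins.
$config = [
    'relying_party_id' => 'example.com',
    'allowed_origins' => ['https://example.com', 'https://app.example.com'],
];
// Builds minimal authenticator data (flags UP|UV, signCount 1) for an RP ID.
$authDataFor = fn (string $rpId): string => hash('sha256', $rpId, true) . "\x05" . pack('N', 1);

$cases = [
    'allowed subdomain' => ['https://app.example.com', 'example.com'],
    'lookalike host'    => ['https://example.com.other.test', 'example.com'],
    'http scheme'       => ['http://example.com', 'example.com'],
    'other RP ID'       => ['https://example.com', 'other.test'],
];
foreach ($cases as $label => [$origin, $rpId]) {
    $clientData = json_encode(['type' => 'webauthn.get', 'challenge' => 'constructed', 'origin' => $origin]);
    $errors = checkOriginAndRpId($clientData, $authDataFor($rpId), $config, 'webauthn.get');
    printf("%-18s %s\n", $label, $errors ? implode(', ', $errors) : 'ok');
}
```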
The package ships with a bundled AAGUID catalog that auto-syncs. AAGUIDs are identifiers embedded in passkey attestations that tell you what kind of authenticator was used: a YubiKey, a platform authenticator, a password manager, and so on. Having this catalog available out of the box means you can surface that information to users without building the lookup yourself.
Three events are dispatched across the passkey lifecycle:
```php
PasskeyRegistered::class
PasskeyVerified::class
PasskeyDeleted::class
```
Beyond events, the package exposes extensible actions, response contracts, and models. If the default behavior does not fit your application, there are clean override points rather than a wall of config options.
laravel/passkeys-server is built to work alongside the @laravel/passkeys npm package, which handles the browser-side WebAuthn ceremony. The two packages together cover the full registration and authentication flow without reaching for a third-party service.
Developers building applications where password fatigue is a real concern, or where passwordless authentication is a product requirement, should take a close look at this release. The full release notes are on GitHub.
Written by
Writing and maintaining @LaravelMagazine. Host of "The Laravel Magazine Podcast". Pronouns: vi/vim.