惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
量子位
The Cloudflare Blog
美团技术团队
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Proofpoint News Feed
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
博客园 - 司徒正美
宝玉的分享
宝玉的分享
T
Threatpost
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
T
Threat Research - Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
博客园 - 聂微东
A
Arctic Wolf
I
Intezer
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
爱范儿
爱范儿
Hugging Face - Blog
Hugging Face - Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
小众软件
小众软件
T
Tailwind CSS Blog
The Hacker News
The Hacker News
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
TaoSecurity Blog
TaoSecurity Blog
Project Zero
Project Zero
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cloudbric
Cloudbric
雷峰网
雷峰网
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
大猫的无限游戏
大猫的无限游戏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V2EX - 技术
V2EX - 技术
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog

Clerk Blog

Going to production with Clerk Deploy Clerk Init: The fastest way to start a new project Introducing Clerk CLI Middleware-based route protection bypass Postmortem: Clerk System Outage (March 10, 2026) Clerk for the AI era Add API Key support to your SaaS in minutes Postmortem: Clerk System Outage (February 19, 2026) Using Clerk in a React Native app Postmortem: DNS Provider Outage (February 10, 2026) Clerk ranked #4 fastest-growing software vendor on Ramp’s December 2025 list How do I handle JWT verification in Next.js? Committing to Agent Identity: Clerk raises $50m Series C from Menlo and Anthropic’s Anthology Fund What is the best way to handle authentication in Next.js App Router? Postmortem: Database Incident (September 14–18, 2025) How do I add authentication to a Next.js app? Introducing Free Trials in Clerk Billing Postmortem: August 28, 2025 - elevated API latency and errors Introducing Mosaic: Bring Your Brand to Every Authentication Flow Multi-tenant authentication: What you need to know (and how Clerk helps) What are the risks and challenges of multi-tenancy? Resilience in Practice: Regional Failover at Clerk Build a Cross-Platform B2B App with Clerk, Expo, and Supabase Highlights from the MiduDev/Clerk Hackathon Add multi-tenancy to an app built with Clerk, Lovable, and Supabase How to build an AI coding rules app with Clerk, Lovable, and Supabase How to Build Multi-Tenant Authentication with Clerk Choosing the right SaaS architecture: Multi-Tenant vs. Single-Tenant Postmortem: June 26, 2025 service outage How to Design a Multi-Tenant SaaS Architecture What is multi-tenancy and why it matters for B2B SaaS How OAuth Works Synchronize user data from Clerk to Supabase Add subscriptions to your SaaS with Clerk Billing Getting started with Clerk Billing Multi-tenant analytics with Tinybird and Clerk How Huntr Migrated 250K Users to Clerk: A Scalable Auth Solution for Startups How to take Clerk to Production How to take your Clerk application to production A practical guide to testing Clerk Next.js applications Implementing multi-tenancy into a Supabase app with Clerk How Clerk integrates with a Next.js application using Supabase How Clerk integrates with Supabase Build a blog with tRPC, Prisma, Next.js and Clerk How to enrich PostHog events with Clerk user data How to build a secure project management platform with Next.js, Clerk, and Neon Validate your SaaS idea while building an audience Postmortem: February 6, 2025 service outage Implement Role-Based Access Control in Next.js 15 Build a Next.js sign-up form with React Hook Form Build a Next.js login page template How to implement Google authentication in Next.js 15 What is middleware in Next.js? How to customize Next.js metadata How to set environment variables in Node.js Building a React Login Page Template How to implement per-user OAuth scopes with Clerk Using Clerk SSO to access Google Calendar and other service data Streamline enterprise customer onboarding with SAML and Clerk Clerk launches EASIE SSO and eliminates SSO fees How to secure Liveblocks Rooms with Clerk in Next.js Securing Node.js Express APIs with Clerk and React Combining the benefits of session tokens and JWTs Build a task manager with Next.js, Supabase, and Clerk Comparing Clerk Webhooks vs Backend API Automate Neon schema changes with Drizzle and GitHub Actions A guide to reading authenticated user data from Clerk Role based access control with Clerk Organizations Mitigating OAuth’s recently discovered Open Response Type vulnerability Per-user B2B monetization with Stripe and Clerk Organizations Build a team-based task manager with Next.js, Neon, and Clerk Building a Hybrid Sign-Up/Subscribe Form with Stripe Elements Welcoming Colin from Zod as our inaugural Open Source Fellow Build a modern authenticated chat application with Next.js, Ably, and Clerk Build a waitlist with Clerk user metadata How to use Clerk with PostHog Identify in Next.js How to secure API Gateway using JWT and Lambda Authorizers with Clerk What are passkeys and how do they work? Comparing Authentication in React.js vs. Next.js How to Add an Onboarding Flow for your Application with Clerk Create Your Own Custom User Menu with Radix - Part 2 Introducing Webhook Workflows with Inngest & Svix Clerk raises $30M Series B from CRV and Stripe Clerk in 2023: A Year in Review Build a Movie Emoji Quiz App with Remix, Fauna, and Clerk Ultimate Guide to Magic Link Authentication Create Your Own Custom User Menu with Radix Introducing has(), protect(), and <Protect> Updated Pricing: 10,000 MAUs Free, and a new “Pro Plan” Next.js Authentication with Clerk: Streamlined SSR Handling Clerk Webhooks: Data Sync with Convex Exploring Clerk Metadata with Stripe Webhooks The Ultimate Guide to Next.js Authentication Empower Your Support Team With User Impersonation Clerk Webhooks: Getting Started A Complete Guide to Session Management in Next.js The Advanced Guide to Passwordless Authentication in Next.js How We Roll – Chapter 10: Roundup How We Roll – Chapter 9: Infrastructure Password-Based Authentication in Next.js
How do I implement passkeys in Next.js?
Brian Morrison II · 2025-12-09 · via Clerk Blog

Passkeys promise a future where you never have to remember a password again and where phishing emails and credential stuffing attacks stop working.

If you're building or scaling a product, they reduce risk, lower support load, and ship a sign-in experience that doesn't feel like a tax on conversion. This article unpacks what passkeys are, why they're more secure than traditional authentication methods, and how they fit into today's browser and device ecosystem.

We'll then walk through a concrete Next.js implementation, focusing on both the registration flow (creating a passkey) and the authentication flow (signing in with it). You'll see how the browser, authenticator, and server coordinate using WebAuthn challenges, and how to wire it into a practical, end-to-end passkey experience.

TL;DR

  • Passkeys replace passwords with public-key cryptography: the device generates a key pair, keeps the private key locked behind biometrics or a PIN, and the server stores only the public key.
  • During sign-in, the server issues a one-time challenge that the device signs, proving possession without transmitting secrets.
  • Passkeys are phishing-resistant (private key only responds to the original domain) and remove reusable credentials from your database.
  • In Next.js, you can implement passkeys manually using the SimpleWebAuthn library with two round-trips each for registration and authentication.
  • Or skip the complexity: Clerk supports passkeys with a single dashboard toggle and one component.

What are passkeys?

Passkeys are a modern, phishing-resistant form of passwordless authentication that replaces traditional passwords with cryptographic credentials tied to a user's device and unlocked locally via biometric authentication (for example, Face ID, Touch ID, or Windows Hello) or a device PIN. When a user registers, the device generates a public/private key pair. The server stores only the public key and challenges the device to prove possession of the private key during sign-in, so the private key never leaves the device. Passkeys provide multi-factor assurance because they combine something-you-have (the device) with something-you-are or something-you-know (biometric or PIN that unlocks the key), and they reduce server-side risk since attackers have no reusable secrets to steal.

Key benefits of passkey authentication

  • Passwordless authentication: No passwords to create, remember, or leak.
  • MFA built in by default: Device possession + local biometric or PIN unlock (or security key).
  • Phishing-resistant: Private keys only sign challenges for the registering origin.
  • Reduced server liability: Servers store only public keys, not reusable secrets.
  • Simpler user experience: Faster sign-in flows and fewer account recovery calls.
  • Cross-device sync: Platforms often let users sync passkeys between their devices for seamless access (implementation and privacy depend on the vendor).
  • Attestation & device validation: Attestation is cryptographic proof that an authenticator provides about its identity and security properties (e.g., make, model, certification level). This optional feature helps servers verify authenticator properties during registration.
  • Interoperability: Major browsers and platforms support passkeys via WebAuthn and CTAP standards.

Implementing passkeys in Next.js with WebAuthn

Building a complete passkeys implementation in Next.js from scratch would require many steps. Instead, we'll dive into a pre-built implementation and cover the important parts of the application as they pertain to passkeys to provide a clear understanding of how they work. The goal is to give you enough detail to evaluate effort and risk for your team, not to turn you into a security engineer.

The code for this article is available on GitHub. Feel free to review it in your browser or clone the repo to your machine to explore it. We'll cover the code in two sections:

  • Registration will explain how a new user gets signed up with an application using a passkey.
  • Authentication explains how a returning user signs in with their passkey.

This guide assumes familiarity with Next.js App Router, basic TypeScript, and a database for storing user credentials. The demo uses Postgres, but any database works.

Passkey registration flow

Before looking at the code, let's cover the workflow at a high level. The following diagram visually shows how areas of the application communicate with each other. Additional details for each step of the flow can be found below the image.

Passkeys registration sequence diagram

  1. User enters username - The user types a username (and other data required for sign-up) into the registration form in the browser.
  2. Browser requests registration options - The browser sends a request to the server asking for WebAuthn registration options for this user.
  3. Server prepares options - The server creates the user record, generates a fresh random challenge, configures passkey settings, and returns the registration options to the browser.
  4. Browser shows native registration prompt - The browser or OS shows a built-in prompt such as "Create a passkey" or "Use Face ID to register".
  5. User approves with biometrics or a security key - The user completes the biometric check or interacts with their security key so the authenticator can proceed.
  6. Authenticator creates a new key pair - The authenticator creates a new public/private key pair for this site. The private key stays on the device and is never sent to the server.
  7. Browser sends credential to the server - The browser sends the new credential data (including the public key and associated identifiers) back to the server.
  8. Server validates and stores the credential - The server validates the challenge and signature, then stores the credential ID, public key, and metadata so this passkey can be used for future logins.
  9. Registration completes - The server responds with success, and the browser updates the UI to indicate that passkey registration is complete.

The client-side registration component

Now that you understand how the workflow operates, let's dive into the code, starting with the PasskeyRegister component. The demo application mounts this component on the homepage and allows the user to enter their desired username and a display name. When the user submits the form, the component first checks the current browser for WebAuthn support, then sends the data to the /api/register/options endpoint.

The code uses the SimpleWebAuthn library to handle the WebAuthn protocol details:

src/components/PasskeyRegister.tsx

Generating passkey registration options on the server

When the server receives the form data, it creates the user record in the database. Using the @simplewebauthn/server package, the server creates a series of options and stores a cryptographic challenge in the database. This challenge is a high-entropy, single-use string that the next step of the process uses.

These options define the relying party and user identity, configure how the authenticator should behave (for example, preferring passkey-style resident credentials and user verification), and use the timeout and generated challenge to control how long and under what conditions the client (typically the user's browser) will allow the registration to continue.

The server returns the object created from the options to the client along with the challenge.

src/app/api/register/options/route.ts

The client receives the challenge and generates a public/private key pair. The private key is stored on the device that created it and never leaves that device. It is used to digitally sign the challenge that was received from the server. The client also creates a "credential ID," which uniquely identifies that device and is stored in the database, enabling a single account to register multiple passkeys if needed.

Once complete, the client sends the signed challenge, public key, and credential ID back to the server. The startRegistration function provided by @simplewebauthn/browser triggers this second trip to the server (shown in the client-side code above).

Verifying the passkey registration response

When the server receives this payload, it retrieves the user and challenge from the database. Using the provided public key, the server verifies the signature and (assuming the verification succeeds) stores that public key as a passkey for the user.

src/app/api/register/verify/route.ts

Once this process completes, the server deletes the challenge from the database. Since each challenge has an expiration time (60 seconds in this demo), the entire flow must complete within the specified time; otherwise, it becomes invalid.

Passkey authentication flow

Authenticating with passkeys follows a similar flow to registration. While the details of each step are different, the number of steps involved in authentication is the same:

Passkeys authentication sequence diagram

  1. User enters username - The user types their username into the sign-in form in the browser.
  2. Browser requests authentication options - The browser sends a request to the server asking for WebAuthn options (including a fresh challenge) for this username.
  3. Server prepares options - The server looks up the user, finds their registered passkeys, generates a new random challenge, and sends the authentication options back to the browser.
  4. Browser shows native authentication prompt - The browser or OS shows a built-in prompt such as "Sign in with Face ID?" or "Use your security key".
  5. User approves with a passkey - The user completes the biometric check or uses their security key. The authenticator unlocks the private key stored on the device.
  6. Authenticator signs the challenge - The authenticator signs the challenge (and related data) with the private key. The private key never leaves the device.
  7. Browser sends the signed result to the server - The browser sends the credential data (including the signature and identifiers) to the server for verification.
  8. Server verifies the response - The server looks up the matching public key, checks that the challenge is valid and unused, and verifies the signature and counter.
  9. User is signed in - If everything checks out, the server responds with success and the browser updates the UI to show that the user is signed in (and typically establishes a session or issues a token).

The client-side authentication component

In the PasskeyAuth component, the user enters their username and submits the form. The component sends this data to the /api/auth/options endpoint.

src/components/PasskeyAuth.tsx

Generating passkey authentication options on the server

On the server, the user is retrieved from the database along with their registered passkeys. The server creates authentication options using details for each of the user's credentials (allowing the use of any passkeys the user owns), and stores the challenge in the database before sending the options back to the client.

src/app/api/auth/options/route.ts

Verifying the passkey authentication response

Assuming the client has access to one of the registered passkeys, the private key associated with that passkey signs the challenge and sends the signature back to the server for verification. As with registration, @simplewebauthn/browser handles the second trip back to the server, this time with the startAuthentication method. Once the client signs the challenge, it sends the signed challenge to the /api/auth/verify endpoint for verification.

src/app/api/auth/verify/route.ts

A verified signature indicates the user is authenticated. At this point, you'd typically create a session and set a cookie or return a JWT.

Clerk makes passkeys simple

Clerk supports passkeys out of the box with a simple toggle in our dashboard:

The Clerk dashboard with the passkeys toggle highlighted

Once enabled, any mounted <SignIn /> or <SignUp /> components will present your users with an option to register or authenticate using passkeys, supporting the workflows described above without building, testing, or maintaining code.

Sign In form with passkeys option highlighted

All it takes is a single line of code in your project to render this form:

For growth-minded engineering teams, this is a build‑vs‑buy decision: do you want engineers investing cycles in auth primitives, or in features that move activation, retention, and revenue?

Beyond passwordless: Complete User Management

Furthermore, our platform offers more than sign-up and sign-in using passkeys. You can enable additional authentication options your users expect (email codes, social sign in, etc.), and you don't have to own the edge cases around recovery, device changes, and evolving platform behavior.

On top of authentication, you get an easy way for your users to self-serve their needs, from user profile details to password resets. For B2B apps, you can use Organizations to enable multi-tenancy support for your application in a few lines of code, while supporting passkeys across all tenants of your application, a requirement that often shows up in enterprise evaluations sooner than founders expect.

Conclusion

Passkeys remove much of the pain and risk of authentication by replacing brittle passwords with strong, origin-bound cryptography. By leaning on platform authenticators and standards like WebAuthn and FIDO2, you get phishing resistance and built-in MFA without making users jump through extra hoops, and you reduce the blast radius of credential theft for your company.

In this tutorial, we explored what passkeys are, how the registration and authentication flows work, and how to wire them up end-to-end in a Next.js app using SimpleWebAuthn. We also explored how simple it is to add passkeys to your application with Clerk, while reducing effort around testing and maintenance. To get started with Clerk, check out our quickstart guide or learn more about passkey configuration options.