Using the REST API
Passlock includes a REST API, along with the @passlock/server library to manage your tenancy data. The REST API allows you to:
- Create, inspect, verify, and delete mailbox challenges for email one-time code flows
- Exchange a passkey registration or authentication code for an ExtendedPrincipal
- List passkeys in your vault
- Fetch a passkey from your vault
- Delete a passkey from your vault
- Update a passkey in your vault
- Prepare and complete passkey registration and authentication operations
Tenancy ID
REST API calls operate on a specific tenancy. You will need your Tenancy ID, along with the relevant API Key. API endpoints are typically prefixed with the Tenancy ID, e.g.

    GET https://api.passlock.dev/v2/{tenancyId}/passkeys/ HTTP/1.1

    import { listPasskeys } from "@passlock/server/unsafe";

    const tenancyId = "myTenancyId";
    const apiKey = "myApiKey";

    await listPasskeys({}, { tenancyId, apiKey });

Authentication
Server-side REST API calls require authentication. Provide your tenancy-specific API Key via a Bearer authorization header:

    GET https://api.passlock.dev/v2/{tenancyId}/passkeys/ HTTP/1.1
    Authorization: Bearer {apiKey}

    import { listPasskeys } from "@passlock/server/unsafe";

    await listPasskeys({}, { tenancyId: "myTenancyId", apiKey: "myApiKey" });

The passkey registration and authentication options and verification endpoints are browser-facing continuations of a prepared operation. They use the registrationToken, authenticationToken, or sessionToken issued earlier in the flow rather than a tenancy API key.
REST calls return JSON:

    GET https://api.passlock.dev/v2/{tenancyId}/passkeys/ HTTP/1.1
    Authorization: Bearer {apiKey}
    Accept: application/json

    HTTP/1.1 200 OK
    Content-Type: application/json

For @passlock/server: not applicable, the server library handles JSON internally.
Endpoint summary
- GET /v2/{tenancyId}/principal/{code} exchanges a browser-issued code for an ExtendedPrincipal
- GET /v2/{tenancyId}/passkeys/ lists passkey summaries
- GET /v2/{tenancyId}/passkeys/{passkeyId} fetches a passkey
- PATCH /v2/{tenancyId}/passkeys/{passkeyId} updates a passkey username
- DELETE /v2/{tenancyId}/passkeys/{passkeyId} deletes a passkey
- PATCH /v2/{tenancyId}/users/{userId}/passkeys/ updates username metadata for a user’s passkeys
- DELETE /v2/{tenancyId}/users/{userId}/passkeys/ deletes a user’s passkeys
- POST /v2/{tenancyId}/challenges creates a mailbox challenge
- GET /v2/{tenancyId}/challenges/{challengeId} reads a pending mailbox challenge
- POST /v2/{tenancyId}/challenges/verify verifies a mailbox challenge
- DELETE /v2/{tenancyId}/challenges/{challengeId} deletes a mailbox challenge
- POST /v2/{tenancyId}/passkey/registration/prepare prepares a passkey registration
- POST /v2/{tenancyId}/passkey/registration/options creates WebAuthn registration options
- POST /v2/{tenancyId}/passkey/registration/verification verifies a registration response
- POST /v2/{tenancyId}/passkey/authentication/prepare prepares a passkey authentication
- POST /v2/{tenancyId}/passkey/authentication/options creates WebAuthn authentication options
- POST /v2/{tenancyId}/passkey/authentication/verification verifies an authentication response
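
The authentication rules above, as an added example that is not from the Passlock documentation or library: a server-side request builder that attaches the Bearer API key, refuses the browser-facing options and verification endpoints, and encodes the browser-issued code before placing it in the principal path. The function names, the path-encoding step and the injectable fetchImpl parameter are assumptions of this example.

```javascript
// Added example, not Passlock's own code. Function names are hypothetical.
const API_BASE = "https://api.passlock.dev/v2";

// Browser-facing continuations of a prepared operation: per the docs these use
// registrationToken / authenticationToken / sessionToken, not the API key.
const TOKEN_ONLY = /^passkey\/(registration|authentication)\/(options|verification)\/?$/;

// Build a server-side request. `path` is relative to /v2/{tenancyId}/.
function buildServerRequest({ tenancyId, apiKey }, method, path) {
  if (!tenancyId || !apiKey) throw new Error("tenancyId and apiKey are required");
  if (typeof window !== "undefined") {
    throw new Error("tenancy API key must not be used in browser code");
  }
  if (TOKEN_ONLY.test(path)) {
    throw new Error(`${path} is browser-facing; do not send the API key`);
  }
  return {
    url: `${API_BASE}/${encodeURIComponent(tenancyId)}/${path}`,
    init: {
      method,
      headers: { Authorization: `Bearer ${apiKey}`, Accept: "application/json" },
    },
  };
}

// Path for GET /v2/{tenancyId}/principal/{code}. The code arrives from the
// browser, so keep it a single path segment: "/" is percent-encoded and the
// empty string, "." and ".." are rejected.
function principalPath(code) {
  if (typeof code !== "string" || /^\.{0,2}$/.test(code)) {
    throw new Error("missing or invalid code");
  }
  return `principal/${encodeURIComponent(code)}`;
}

// Exchange a browser-issued code for an ExtendedPrincipal (returned as parsed
// JSON; its fields are not described on this page, so none are assumed here).
async function exchangeCode(cfg, code, fetchImpl = fetch) {
  const { url, init } = buildServerRequest(cfg, "GET", principalPath(code));
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`code exchange failed: HTTP ${res.status}`);
  return res.json();
}
```

Load the API key from server-side configuration and call exchangeCode only from backend code; the third argument lets a stub replace fetch when testing offline.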