Passkeys in Passwall

Passwall supports passkeys as first-class vault items. Store, organize, and share your WebAuthn/FIDO2 credentials with the same zero-knowledge encryption that protects all your vault data.

New to passkeys? Read our guide on what passkeys are and why they matter →

What is a passkey vault item?

A passkey vault item stores your WebAuthn credential securely inside Passwall. It contains the cryptographic key pair (public and encrypted private key), the relying party information (website domain), and your user identity—all encrypted at rest with your vault key.

Unlike platform passkeys (stored by Apple, Google, or Microsoft), passkeys in Passwall sync across all your devices regardless of operating system. You can access them from the web vault, browser extension, or mobile app.

Creating a passkey

Follow these steps to create a passkey in your vault:

  1. Navigate to Passkeys in the sidebar (or open an organization and select the Passkeys section).
  2. Click New Passkey to open the creation dialog.
  3. Fill in the required fields:
    • Name — A display name for the passkey (e.g., "Google Account").
    • Relying Party ID — The domain of the website (e.g., "google.com"). This must match exactly for authentication to work.
    • Credential ID — The unique identifier assigned by the authenticator (base64url-encoded).
  4. Optionally fill in additional fields: username, display name, public key, private key, key algorithm, and notes.
  5. Assign the passkey to a collection and optionally a folder for organization.
  6. Click Create to save. Your passkey is encrypted and stored.

Passkey fields explained

Field               Description
Name                Display name for easy identification
Relying Party ID    Website domain the passkey is bound to (e.g., "github.com")
Relying Party Name  Human-readable name of the service (e.g., "GitHub")
Username            Your username on the service
Credential ID       Unique identifier for this credential (base64url)
Public Key          COSE-encoded public key (base64url) — shared with the server
Private Key         Encrypted private key material — never leaves your vault
Key Algorithm       COSE algorithm: ES256 (most common), RS256, EdDSA, ES384, or ES512
Discoverable        Whether the credential supports passwordless login (resident key)
Sign Count          Signature counter for clone detection
AAGUID              Authenticator model identifier (32-character hex)
Transports          Supported connection types: USB, NFC, BLE, internal, hybrid
Backup Status       Whether the credential is eligible for and currently backed up (multi-device)

Organizing passkeys

Passkeys follow the same organizational model as passwords and other vault items:

  • Collections — Group passkeys by project, team, or purpose. Share entire collections with team members using role-based permissions.
  • Folders — Personal folders within collections for fine-grained organization.
  • Search — The passkeys table supports searching by name, relying party ID, relying party name, username, and display name.
  • All Items view — Use the "All Items" page to see passkeys alongside all other vault item types with type-based filtering.

Sharing passkeys with teams

Passkeys in organization vaults can be shared through the collection sharing system:

  • Add passkeys to a shared collection to grant team members access.
  • Permission levels (view only, can edit, admin) control who can view, modify, or delete passkey items.
  • The "Hide passwords" policy also applies to passkey private keys—team members with this restriction cannot view or copy private key material.
  • When a team member is removed from a collection, they immediately lose access to all passkeys in that collection.

Security model

Passkeys in Passwall follow the same zero-knowledge encryption model as all other vault items:

  • The private key material is encrypted with your organization key before being stored on the server. Passwall never has access to your decrypted private keys.
  • Metadata (name, relying party ID) is stored encrypted as part of the item data.
  • Validation is enforced at the schema level: credential IDs and public keys must be valid base64url strings, relying party IDs must be valid hostnames, AAGUIDs must be 32-character hex strings, and key algorithms are restricted to known COSE identifiers.
  • The sign counter is tracked to detect potential credential cloning.
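The following is an added example, not Passwall's own code, that shows what the schema validation described above and the sign-counter clone check amount to in practice. It applies the rules stated on this page (base64url credential IDs and public keys, hostname relying party IDs, 32-character hex AAGUIDs, a fixed set of COSE algorithm names and transports from the fields table) to a constructed passkey item. The numeric COSE identifiers come from the IANA COSE Algorithms registry; the `PasskeyItem` dataclass, function names and sample values are assumptions made for this example, and the counter rule follows the WebAuthn specification's "if either counter is non-zero, the new value must be strictly greater" check.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

# COSE algorithm identifiers (IANA COSE Algorithms registry) for the
# algorithm names the fields table accepts.
COSE_ALGORITHMS = {
    "ES256": -7,
    "EdDSA": -8,
    "ES384": -35,
    "ES512": -36,
    "RS256": -257,
}

# Transport hints listed in the fields table (compared case-insensitively).
TRANSPORTS = {"usb", "nfc", "ble", "internal", "hybrid"}

_BASE64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")
_AAGUID_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_HOSTNAME_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_base64url(value: str) -> bool:
    """Unpadded base64url that also decodes cleanly (rejects impossible lengths)."""
    if not value or not _BASE64URL_RE.match(value):
        return False
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return False
    return True


def is_hostname(value: str) -> bool:
    """A relying party ID must be a bare hostname, not a URL or an IP with port."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    return all(_HOSTNAME_LABEL_RE.match(label) for label in value.split("."))


@dataclass
class PasskeyItem:
    # Assumed structure for this example; mirrors the fields table on the page.
    name: str
    relying_party_id: str
    credential_id: str
    public_key: Optional[str] = None
    key_algorithm: Optional[str] = None
    aaguid: Optional[str] = None
    transports: list[str] = field(default_factory=list)
    sign_count: int = 0


def validate_passkey(item: PasskeyItem) -> list[str]:
    """Return a list of validation errors; an empty list means the item is acceptable."""
    errors: list[str] = []
    if not item.name.strip():
        errors.append("name: must not be empty")
    if not is_hostname(item.relying_party_id):
        errors.append("relying_party_id: must be a valid hostname")
    if not is_base64url(item.credential_id):
        errors.append("credential_id: must be base64url")
    if item.public_key is not None and not is_base64url(item.public_key):
        errors.append("public_key: must be base64url")
    if item.key_algorithm is not None and item.key_algorithm not in COSE_ALGORITHMS:
        errors.append(f"key_algorithm: unknown COSE algorithm {item.key_algorithm!r}")
    if item.aaguid is not None and not _AAGUID_RE.match(item.aaguid):
        errors.append("aaguid: must be 32 hex characters")
    unknown = sorted({t.lower() for t in item.transports} - TRANSPORTS)
    if unknown:
        errors.append(f"transports: unknown value(s) {unknown}")
    if item.sign_count < 0:
        errors.append("sign_count: must be non-negative")
    return errors


def check_sign_count(stored: int, observed: int) -> bool:
    """Clone detection on the signature counter.

    If both counters are zero the authenticator does not implement a counter and
    nothing can be concluded. Otherwise the counter returned with a new assertion
    must be strictly greater than the stored one; a repeat or a step backwards
    means another copy of the private key may have signed in the meantime.
    """
    if stored == 0 and observed == 0:
        return True
    return observed > stored


if __name__ == "__main__":
    # Constructed sample item (values are made up for illustration).
    sample = PasskeyItem(
        name="Example service",
        relying_party_id="example.com",
        credential_id="dGVzdC1jcmVkZW50aWFs",
        public_key="pQECAyYgASFYIA",
        key_algorithm="ES256",
        aaguid="0123456789abcdef0123456789abcdef",
        transports=["usb", "nfc"],
        sign_count=12,
    )
    print("errors:", validate_passkey(sample))
    print("counter 12 -> 13 accepted:", check_sign_count(12, 13))
    print("counter 12 -> 12 accepted:", check_sign_count(12, 12))
```

The counter check is deliberately conservative: a counter that stays flat is treated the same as one that goes backwards, since both are outside what a single, non-cloned authenticator produces once it has started counting.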

Working with passkeys across platforms

Passwall passkeys are available across all supported platforms:

  • Web Vault — Full passkey management: create, edit, view, delete, organize, and share.
  • Browser Extension — Quick access to passkey credentials during authentication flows.
  • Mobile App — View and manage passkeys from iOS and Android with the same encrypted sync.

All platforms use the same data schema and encryption, ensuring your passkeys are consistent and up-to-date everywhere.

Ready to start using passkeys?

Passkeys are available for all Passwall plans. Start by creating your first passkey in the vault.