PHPackages datlechin/flarum-passkey - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. datlechin/flarum-passkey ActiveFlarum-extension[Authentication & Authorization](/categories/authentication) datlechin/flarum-passkey ======================== Sign in to Flarum with passkeys. Built on the W3C WebAuthn Level 3 standard. v2.0.0(3w ago)1181↓12.1%MITPHPPHP ^8.3CI passing Since May 9Pushed 3w agoCompare [ Source](https://github.com/datlechin/flarum-passkey)[ Packagist](https://packagist.org/packages/datlechin/flarum-passkey)[ Docs](https://nqd.vn)[ Fund](https://buymeacoffee.com/ngoquocdat)[ GitHub Sponsors](https://github.com/sponsors/datlechin)[ RSS](/packages/datlechin-flarum-passkey/feed)WikiDiscussions main Synced 1w ago READMEChangelog (4)Dependencies (5)Versions (6)Used By (0) Flarum Passkey ============== [](#flarum-passkey) [![License](https://camo.githubusercontent.com/7013272bd27ece47364536a221edb554cd69683b68a46fc0ee96881174c4214c/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4d49542d626c75652e737667)](LICENSE.md)[![Latest Stable Version](https://camo.githubusercontent.com/2e9d478dc8bf92a8c21e9af63d9c9e4d90f0f68604ff1303026b485430c17389/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6461746c656368696e2f666c6172756d2d706173736b65792e737667)](https://packagist.org/packages/datlechin/flarum-passkey)[![Total Downloads](https://camo.githubusercontent.com/ec26b7d138566bd07f06c05b12eb2fee917bf7b7ab53b889009ef1744283f777/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6461746c656368696e2f666c6172756d2d706173736b65792e737667)](https://packagist.org/packages/datlechin/flarum-passkey) A [Flarum](https://flarum.org) extension that adds passkey sign-in alongside the existing password login. Passkeys live next to passwords, so existing accounts and recovery flows keep working. Built on W3C WebAuthn Level 3 with [`web-auth/webauthn-lib`](https://github.com/web-auth/webauthn-lib) on the server and [`@simplewebauthn/browser`](https://github.com/MasterKale/SimpleWebAuthn) in the browser. [![Sign in with passkey button on the login modal](screenshots/login-modal.png)](screenshots/login-modal.png) Features -------- [](#features) ### Sign in [](#sign-in) - Sign in with passkey button in the standard login modal. - Conditional UI / autofill: saved passkeys appear in the username field's autofill dropdown. - Discoverable credentials, so users can sign in without typing a username. - Cross-device hybrid (CTAP 2.2) for QR-code sign-in from a phone. - Built-in IP throttler on the login endpoint. ### Onboarding [](#onboarding) - Suggest a passkey modal after a successful password sign-in. Dismissable, with a 30-day cool-down. - Per-group "Require passkey" toggle on the standard Edit Group modal. Members of flagged groups see a sticky banner until they register one. ### Manage [](#manage) - Add, rename, revoke from the user security page. - Bulk Revoke all action that wipes every passkey on the account in one call. - Site moderators can revoke any user's passkeys via the API for support cases. - Authenticator type next to the device label (iCloud Keychain, Google Password Manager, Windows Hello, 1Password, Bitwarden, YubiKey 5, etc.) when the AAGUID is recognised. Falls back to a synced/device-only hint otherwise. [![Passkeys section on the user security tab](screenshots/passkeys-list.png)](screenshots/passkeys-list.png) Add passkey modalSuggest passkey after a password sign-in[![Add passkey modal](screenshots/add-passkey-modal.png)](screenshots/add-passkey-modal.png)[![Suggest passkey after a password sign-in](screenshots/suggest-modal.png)](screenshots/suggest-modal.png)### Security signals [](#security-signals) - Counter regression detection on every assertion, with a notification email and a `PasskeyCounterRegression` event. This is the canonical clone-detection signal in WebAuthn. - BS flag change detection: the owner is mailed when an authenticator transitions between synced and device-only. - Notification email on every revoke (single or bulk). - All emails are queued via Flarum's `SendInformationalEmailJob`. ### Admin [](#admin) - Settings page: relying party id, display name, related origins, user verification, attestation, throttle. - Per-group "Require passkey" toggle on the standard Edit Group modal. - W3C related origins served at `/.well-known/webauthn`. [![Admin settings page](screenshots/admin-settings.png)](screenshots/admin-settings.png) [![Require passkey toggle inside the Edit Group modal](screenshots/group-modal.png)](screenshots/group-modal.png) ### Other [](#other) - W3C WebAuthn Level 3, FIDO2. - Optional `flarum/gdpr` integration: passkeys are exported on data request, and revoked when the user is anonymised or deleted. - Locales: English, Vietnamese. Installation ------------ [](#installation) ``` composer require datlechin/flarum-passkey:"*" php flarum migrate php flarum cache:clear ``` Updating -------- [](#updating) ``` composer update datlechin/flarum-passkey:"*" php flarum migrate php flarum cache:clear ``` Configuration ------------- [](#configuration) Open `Admin → Extensions → Passkey`. SettingDefaultWhat it doesRelying Party ID(auto from request host)DNS suffix that scopes the passkey. Changing it invalidates every existing passkey.Relying Party display nameforum titleName shown in the browser passkey prompt.Related originsemptyOther origins permitted to perform a passkey ceremony, in combination with the well-known document.User verificationpreferredWhether to require biometric/PIN.Attestation conveyancenoneWhether to ask the authenticator for an attestation chain. Most consumer forums leave this at `none`.Login attempts per minute per IP10Throttler on `/api/passkey/login`.The "Require passkey" toggle for each group lives on the Edit Group modal in `Admin → Permissions`. ### Relying Party ID [](#relying-party-id) The RP ID is the part of the origin that scopes a passkey. It must be either the exact host or a registrable suffix of it (`forum.example.com`, or `example.com` if you want passkeys to work across all subdomains). Changing the RP ID after users have registered passkeys silently invalidates every saved credential, because the browser hashes the RP ID into each credential's identity. Confirm before saving, and prefer the empty default unless you have a specific cross-subdomain requirement. ### Related origins [](#related-origins) If the same Flarum is reachable from more than one origin (for example, a forum at `forum.example.com` embedded in a portal at `app.example.com`), list each non-canonical origin in this setting. The extension serves the W3C document at `/.well-known/webauthn` so browsers performing a ceremony from a related origin can confirm they are allowed to reach the configured RP ID. ### Recovery [](#recovery) If a user loses every passkey, they sign in with their password and the existing forgot-password flow handles forgotten passwords. The extension does not change that path. If a group has "Require passkey" turned on and an admin needs to recover a stuck user, the admin can revoke that user's passkeys via the API. The sticky banner reappears with a fresh registration prompt on next page load. Events ------ [](#events) Listeners subscribe via the standard Flarum event bus. EventFired when`Datlechin\Passkey\Event\PasskeyRegistered`A new passkey has been verified and persisted.`Datlechin\Passkey\Event\PasskeyRevoked`A single passkey has been deleted via the API.`Datlechin\Passkey\Event\PasskeyBulkRevoked`The owner used the bulk-revoke action. Carries the count, fires once.`Datlechin\Passkey\Event\PasskeyUsed`A successful sign-in. `backupStateChanged` flags credentials whose BS bit moved.`Datlechin\Passkey\Event\PasskeyCounterRegression`An assertion failed the signature counter check.`Flarum\User\Event\LoggedIn`Also fires on a successful passkey sign-in.The web-auth library also emits `Webauthn\Event\BackupEligibilityChangedEvent` and `Webauthn\Event\BackupStatusChangedEvent` through the same bus. Development ----------- [](#development) ``` cd packages/flarum-passkey composer install cd js && npm install && npm run dev ``` Integration tests: ``` composer test:setup composer test:integration ``` PHPStan: ``` composer analyse:phpstan ``` Sponsors -------- [](#sponsors) If this extension is useful to you, you can sponsor the work via [GitHub Sponsors](https://github.com/sponsors/datlechin) or [Buy Me a Coffee](https://buymeacoffee.com/ngoquocdat). Links ----- [](#links) - [Packagist](https://packagist.org/packages/datlechin/flarum-passkey) - [GitHub](https://github.com/datlechin/flarum-passkey) - [Discuss](https://discuss.flarum.org/d/39230) - [W3C WebAuthn Level 3](https://www.w3.org/TR/webauthn-3/) - [FIDO Alliance Passkeys](https://fidoalliance.org/passkeys/) ### Health Score 46 — FairBetter than 92% of packages Maintenance94 Actively maintained with recent releases Popularity17 Limited adoption so far Community9 Small or concentrated contributor base Maturity52 Maturing project, gaining track record Bus Factor1 Top contributor holds 83.3% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~1 days Total 5 Last Release 25d ago Major Versions v1.1.0 → v2.0.02026-05-15 PHP version history (2 changes)v1.0.0PHP ^8.3 1.x-devPHP ^8.2 ### Community Maintainers ![](https://www.gravatar.com/avatar/b5dca3124d040fb5f1e59100485f3a23e42e4e4b1c6d89c5d4cd3e79d95f574e?d=identicon)[Ngô Quốc Đạt](/maintainers/Ng%C3%B4%20Qu%E1%BB%91c%20%C4%90%E1%BA%A1t) --- Top Contributors [![datlechin](https://avatars.githubusercontent.com/u/56961917?v=4)](https://github.com/datlechin "datlechin (15 commits)")[![flarum-bot](https://avatars.githubusercontent.com/u/39334649?v=4)](https://github.com/flarum-bot "flarum-bot (2 commits)")[![ImgBotApp](https://avatars.githubusercontent.com/u/31427850?v=4)](https://github.com/ImgBotApp "ImgBotApp (1 commits)") --- Tags authenticationfido2flarumflarum-extensionpasskeypasswordlesswebauthnsecurityAuthenticationFIDO2webauthnPasswordlesspasskey ### Embed Badge ![Health badge](/badges/datlechin-flarum-passkey/health.svg) ``` [![Health](https://phpackages.com/badges/datlechin-flarum-passkey/health.svg)](https://phpackages.com/packages/datlechin-flarum-passkey) ``` ### Alternatives [web-auth/webauthn-symfony-bundle FIDO2/Webauthn Security Bundle For Symfony 66474.5k8](/packages/web-auth-webauthn-symfony-bundle)[asbiin/laravel-webauthn Laravel Webauthn support 312608.8k](/packages/asbiin-laravel-webauthn)[rawilk/profile-filament-plugin Profile & MFA starter kit for filament. 3913.7k](/packages/rawilk-profile-filament-plugin)[virgil/crypto Virgil is a stack of security libraries (ECIES with Crypto Agility wrapped in Virgil Cryptogram) and all the necessary infrastructure to enable seamless, end-to-end encryption for any application, platform or device. See below for currently available languages and platforms. Get in touch with us to get preview access to our key infrastructure. 3318.9k2](/packages/virgil-crypto)[virgil/sdk Virgil is a stack of security libraries (ECIES with Crypto Agility wrapped in Virgil Cryptogram) and all the necessary infrastructure to enable seamless, end-to-end encryption for any application, platform or device. See below for currently available languages and platforms. Get in touch with us to get preview access to our key infrastructure. 1017.2k](/packages/virgil-sdk) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)