PHPackages laravel/passkeys - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Framework](/categories/framework) 4. / 5. laravel/passkeys ActiveLibrary[Framework](/categories/framework) laravel/passkeys ================ Passwordless authentication using WebAuthn/passkeys for Laravel v0.2.1(3w ago)951.1M↓17.3%7[1 issues](https://github.com/laravel/passkeys-server/issues)[3 PRs](https://github.com/laravel/passkeys-server/pulls)6MITPHPPHP ^8.2CI passing Since Apr 22Pushed 2d ago1 watchersCompare [ Source](https://github.com/laravel/passkeys-server)[ Packagist](https://packagist.org/packages/laravel/passkeys)[ Docs](https://github.com/laravel/passkeys-server)[ RSS](/packages/laravel-passkeys/feed)WikiDiscussions main Synced 1w ago READMEChangelog (3)Dependencies (11)Versions (7)Used By (6) Laravel Passkeys ================ [](#laravel-passkeys) Passwordless authentication using WebAuthn/passkeys for Laravel. Installation ------------ [](#installation) ``` composer require laravel/passkeys ``` Publish and run the migrations: ``` php artisan vendor:publish --tag=passkeys-migrations php artisan migrate ``` Optionally publish the config file: ``` php artisan vendor:publish --tag=passkeys-config ``` Add the `PasskeyAuthenticatable` trait to your User model and implement the `PasskeyUser` contract: ``` use Laravel\Passkeys\Contracts\PasskeyUser; use Laravel\Passkeys\PasskeyAuthenticatable; class User extends Authenticatable implements PasskeyUser { use PasskeyAuthenticatable; } ``` The trait assumes a standard users schema with `name` and `email` columns, which authenticators show in their UI during registration and account selection. `displayName` falls back from `name` to `email` to the auth identifier, and `username` falls back from `email` to the auth identifier — override `getPasskeyDisplayName()` and `getPasskeyUsername()` if you want different values. If you want to use custom models, override them in a service provider: ``` use App\Models\User; use App\Models\Passkey; use Laravel\Passkeys\Passkeys; public function boot(): void { Passkeys::useUserModel(User::class); Passkeys::usePasskeyModel(Passkey::class); } ``` JavaScript Client ----------------- [](#javascript-client) This package is designed to work with the [`@laravel/passkeys`](https://github.com/laravel/passkeys) npm package: ``` npm install @laravel/passkeys ``` ``` import { Passkeys } from '@laravel/passkeys' // Registration (authenticated user) await Passkeys.register({ name: 'My MacBook' }) // Verification (login) await Passkeys.verify() ``` Routes ------ [](#routes) The package automatically registers the following routes: ### Guest Routes (Login) [](#guest-routes-login) - `GET /passkeys/login/options` - Get login options - `POST /passkeys/login` - Verify passkey and authenticate ### Authenticated Routes (Confirmation) [](#authenticated-routes-confirmation) - `GET /passkeys/confirm/options` - Get confirmation options - `POST /passkeys/confirm` - Confirm password via passkey ### Authenticated Routes (Management) [](#authenticated-routes-management) - `GET /user/passkeys/options` - Get registration options - `POST /user/passkeys` - Store new passkey - `DELETE /user/passkeys/{passkey}` - Delete passkey Configuration ------------- [](#configuration) ``` // config/passkeys.php return [ // Relying Party ID (defaults to APP_URL host) 'relying_party_id' => parse_url(config('app.url'), PHP_URL_HOST), // Origins allowed to complete WebAuthn ceremonies 'allowed_origins' => [config('app.url')], // Secret for deriving stable opaque user handles 'user_handle_secret' => env('PASSKEYS_USER_HANDLE_SECRET', config('app.key')), // WebAuthn timeout in milliseconds 'timeout' => 60000, // Authentication guard 'guard' => 'web', // Routes middleware 'middleware' => ['web'], // Middleware applied to passkey management routes (set to [] to disable) 'management_middleware' => ['password.confirm'], // Throttle middleware (null to disable) 'throttle' => 'throttle:6,1', // Redirect after login 'redirect' => '/', ]; ``` Events ------ [](#events) The package fires the following events: - `PasskeyRegistered` - When a new passkey is registered - `PasskeyVerified` - When a user verifies with a passkey - `PasskeyDeleted` - When a passkey is deleted Customization ------------- [](#customization) ### Login Authorization Callback [](#login-authorization-callback) You may block login after a valid passkey assertion (for example, suspended/banned accounts): ``` use Illuminate\Http\Request; use Illuminate\Validation\ValidationException; use Laravel\Passkeys\Contracts\PasskeyUser; use Laravel\Passkeys\Passkey; use Laravel\Passkeys\Passkeys; Passkeys::authorizeLoginUsing(function (Request $request, PasskeyUser $user, Passkey $passkey): bool { if ($user->is_banned) { throw ValidationException::withMessages([ 'credential' => ['This account has been banned.'], ]); } return true; }); ``` Return `false` to stop authentication, or throw your own `ValidationException` for a custom error message. ### User-Bound Verification (Reauth / 2FA Step) [](#user-bound-verification-reauth--2fa-step) Use `GenerateVerificationOptions` with an authenticated user to scope allowed credentials to that user, then pass the same user into `VerifyPasskey` to enforce ownership: ``` use Laravel\Passkeys\Actions\GenerateVerificationOptions; use Laravel\Passkeys\Actions\VerifyPasskey; $options = app(GenerateVerificationOptions::class)($request->user()); $passkey = app(VerifyPasskey::class)( $request->credential(), $options, $request->user(), ); ``` This verifies the passkey without logging the user in again, which is useful for sensitive-action confirmation flows. ### Custom Actions [](#custom-actions) Actions handle the core WebAuthn logic. Extend an action and bind it in your service provider: ``` use Laravel\Passkeys\Actions\GenerateRegistrationOptions; use Webauthn\AuthenticatorSelectionCriteria; class CustomRegistrationOptions extends GenerateRegistrationOptions { public function authenticatorSelection(): AuthenticatorSelectionCriteria { // Only allow platform authenticators (Touch ID, Face ID, Windows Hello) return AuthenticatorSelectionCriteria::create( authenticatorAttachment: AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM, userVerification: AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED, residentKey: AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_REQUIRED, ); } } // In your service provider $this->app->bind(GenerateRegistrationOptions::class, CustomRegistrationOptions::class); ``` Available actions: - `GenerateRegistrationOptions` - `GenerateVerificationOptions` - `StorePasskey` - `VerifyPasskey` - `DeletePasskey` ### Custom Responses [](#custom-responses) Bind your own response classes to customize what happens after passkey operations: ``` use Laravel\Passkeys\Contracts\PasskeyLoginResponse; class MyLoginResponse implements PasskeyLoginResponse { public function toResponse($request) { return response()->json(['redirect' => '/dashboard']); } } // In your service provider $this->app->singleton(PasskeyLoginResponse::class, MyLoginResponse::class); ``` Available response contracts: - `PasskeyLoginResponse` - After successful login - `PasskeyConfirmationResponse` - After successful confirmation - `PasskeyRegistrationResponse` - After successful registration - `PasskeyDeletedResponse` - After passkey deletion ### Custom Passkey Model [](#custom-passkey-model) Extend the base model: ``` use Laravel\Passkeys\Passkey as BasePasskey; class Passkey extends BasePasskey { protected static function booted(): void { static::created(function ($passkey) { // Custom logic when passkey is created }); } } ``` ### Disable Routes [](#disable-routes) To register your own routes: ``` use Laravel\Passkeys\Passkeys; Passkeys::ignoreRoutes(); ``` Testing ------- [](#testing) ``` composer test ``` License ------- [](#license) The MIT License (MIT). Please see [License File](LICENSE.md) for more information. ### Health Score 57 — FairBetter than 98% of packages Maintenance97 Actively maintained with recent releases Popularity57 Moderate usage in the ecosystem Community24 Small or concentrated contributor base Maturity40 Maturing project, gaining track record Bus Factor2 2 contributors hold 50%+ of commits How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~13 days Total 3 Last Release 22d ago ### Community Maintainers ![](https://avatars.githubusercontent.com/u/463230?v=4)[Taylor Otwell](/maintainers/taylorotwell)[@taylorotwell](https://github.com/taylorotwell) --- Top Contributors [![benbjurstrom](https://avatars.githubusercontent.com/u/12499093?v=4)](https://github.com/benbjurstrom "benbjurstrom (38 commits)")[![joetannenbaum](https://avatars.githubusercontent.com/u/2702148?v=4)](https://github.com/joetannenbaum "joetannenbaum (37 commits)")[![nunomaduro](https://avatars.githubusercontent.com/u/5457236?v=4)](https://github.com/nunomaduro "nunomaduro (4 commits)")[![taylorotwell](https://avatars.githubusercontent.com/u/463230?v=4)](https://github.com/taylorotwell "taylorotwell (2 commits)")[![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4)](https://github.com/github-actions[bot] "github-actions[bot] (1 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (1 commits)")[![eshimischi](https://avatars.githubusercontent.com/u/983201?v=4)](https://github.com/eshimischi "eshimischi (1 commits)") --- Tags laravelAuthenticationwebauthnPasswordlesspasskeys ### Code Quality TestsPest Static AnalysisPHPStan, Rector Code StyleLaravel Pint Type Coverage Yes ### Embed Badge ![Health badge](/badges/laravel-passkeys/health.svg) ``` [![Health](https://phpackages.com/badges/laravel-passkeys/health.svg)](https://phpackages.com/packages/laravel-passkeys) ``` ### Alternatives [psalm/plugin-laravel Psalm plugin for Laravel 3325.1M337](/packages/psalm-plugin-laravel)[laravel/cashier Laravel Cashier provides an expressive, fluent interface to Stripe's subscription billing services. 2.5k28.4M134](/packages/laravel-cashier)[laravel/mcp Rapidly build MCP servers for your Laravel applications. 76318.2M110](/packages/laravel-mcp)[laravel/pulse Laravel Pulse is a real-time application performance monitoring tool and dashboard for your Laravel application. 1.7k14.1M120](/packages/laravel-pulse)[larastan/larastan Larastan - Discover bugs in your code without running it. A phpstan/phpstan extension for Laravel 6.4k51.0M7.4k](/packages/larastan-larastan)[laravel/cashier-paddle Cashier Paddle provides an expressive, fluent interface to Paddle's subscription billing services. 268880.7k3](/packages/laravel-cashier-paddle) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)