Auth Actions

Pluggable authentication actions that control what happens after a successful passkey login.

Auth actions are classes responsible for creating an authenticated session or issuing a token after a successful passkey verification on POST /api/passkeys/login. They decouple the authentication mechanism from the WebAuthn verification logic, letting you swap between Sanctum, Passport, web sessions, or any custom strategy via configuration.

Contract

Every auth action must implement the PasskeyAuthAction contract:

namespace Xefi\LaravelPasskey\Contracts;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Xefi\LaravelPasskey\Models\Passkey;

interface PasskeyAuthAction
{
    public function __invoke(Passkey $passkey, Request $request): JsonResponse;
}

The action receives the verified Passkey model (with its passkeeable relation available) and the current request. It must return a JsonResponse.

Built-in actions

CreateWebSessionAction (default)

Logs the user into the default web guard using Auth::login(). Suitable for session-based applications.

Requires: nothing extra

Response:

{
  "user": {
    "id": 42,
    "name": "John Doe",
    "email": "john@example.com"
  }
}

CreateSanctumTokenAction

Creates a Laravel Sanctum personal access token via $user->createToken('passkey-auth').

Requires: laravel/sanctum

Response:

{
  "user": {
    "id": 42,
    "name": "John Doe",
    "email": "john@example.com"
  },
  "token": "1|plain-text-sanctum-token"
}

CreatePassportTokenAction

Creates a Laravel Passport access token via $user->createToken('passkey-auth').

Requires: laravel/passport

Response:

{
  "user": {
    "id": 42,
    "name": "John Doe",
    "email": "john@example.com"
  },
  "token": "plain-text-passport-token",
  "expires_at": "2026-04-26T10:00:00.000000Z"
}

Custom action

To implement your own strategy, create a class that implements PasskeyAuthAction and register it in config/passkey.php:

app/Actions/CreateCustomTokenAction.php

namespace App\Actions;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Xefi\LaravelPasskey\Contracts\PasskeyAuthAction;
use Xefi\LaravelPasskey\Models\Passkey;

class CreateCustomTokenAction implements PasskeyAuthAction
{
    public function __invoke(Passkey $passkey, Request $request): JsonResponse
    {
        $user = $passkey->passkeeable;

        // Your custom authentication logic here...

        return response()->json([
            'user' => [
                'id'    => $user->id,
                'name'  => $user->getPasskeyDisplayName(),
                'email' => $user->getPasskeyEmail(),
            ],
        ]);
    }
}

config/passkey.php

'auth_action' => \App\Actions\CreateCustomTokenAction::class,

The name and email values in the response are sourced from getPasskeyDisplayName() and getPasskeyEmail() on the owning model. Override those methods to customize the values.
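
As an added example (not code from the package), the custom action below issues a least-privilege Sanctum token: calling createToken() with only a name gives the token Sanctum's default `*` ability, so this version passes an explicit ability list and an expiry. The class name, the ability names and the 30-minute lifetime are assumptions, and the owning model is assumed to use Laravel\Sanctum\HasApiTokens.

```php
<?php

namespace App\Actions;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Xefi\LaravelPasskey\Contracts\PasskeyAuthAction;
use Xefi\LaravelPasskey\Models\Passkey;

// Added example: class name, abilities and lifetime are assumptions, not package defaults.
class CreateScopedSanctumTokenAction implements PasskeyAuthAction
{
    // Hypothetical abilities; list only what a passkey-authenticated client needs.
    private const ABILITIES = ['profile:read', 'orders:read'];

    // Assumed token lifetime in minutes.
    private const LIFETIME_MINUTES = 30;

    public function __invoke(Passkey $passkey, Request $request): JsonResponse
    {
        $user = $passkey->passkeeable;

        // Fail closed if the passkey has no owning model any more
        // (for example, the owner was deleted but the passkey row remains).
        if ($user === null) {
            return response()->json(['message' => 'Unauthenticated.'], 401);
        }

        $expiresAt = now()->addMinutes(self::LIFETIME_MINUTES);

        // Sanctum signature: createToken(name, abilities, expiresAt).
        // Explicit abilities replace the default ['*'] (every ability).
        $token = $user->createToken('passkey-auth', self::ABILITIES, $expiresAt);

        return response()->json([
            'user' => [
                'id'    => $user->id,
                'name'  => $user->getPasskeyDisplayName(),
                'email' => $user->getPasskeyEmail(),
            ],
            'token'      => $token->plainTextToken,
            'expires_at' => $expiresAt->toIso8601String(),
        ]);
    }
}
```

Register it through the same 'auth_action' key in config/passkey.php, and check the abilities on protected routes with Sanctum's tokenCan() or its ability middleware so the restriction is enforced.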