Configuration

Configuration reference for the Laravel Passkey API package.

After publishing the config file with php artisan vendor:publish --tag=passkey-config, you will find config/passkey.php in your application:

config/passkey.php
<?php

return [
    'enabled' => env('PASSKEY_ENABLED', true),
    'timeout' => env('PASSKEY_TIMEOUT', 60000),
    'challenge_length' => env('PASSKEY_CHALLENGE_LENGTH', 32),

    'middleware' => [
        'default' => ['api'],
        'auth'    => ['auth'],
    ],

    'auth_action' => \Xefi\LaravelPasskey\Actions\CreateWebSessionAction::class,
];

Options

enabled

Type: bool
Default: true
Env: PASSKEY_ENABLED

Enables or disables the passkey API routes entirely. Set to false to turn off all passkey endpoints without removing the package.

.env
PASSKEY_ENABLED=true

timeout

Type: int (milliseconds)
Default: 60000
Env: PASSKEY_TIMEOUT

The timeout (in milliseconds) for WebAuthn operations on the client side. This value is sent to the browser as part of the registration and authentication options.

.env
PASSKEY_TIMEOUT=60000

The default is 60 seconds (60 000 ms). Increase this value if users report timeout errors on slow devices.

challenge_length

Type: int (bytes)
Default: 32
Env: PASSKEY_CHALLENGE_LENGTH

The number of random bytes used to generate the WebAuthn challenge. A higher value increases entropy. 32 bytes (256 bits) is the recommended minimum.

.env
PASSKEY_CHALLENGE_LENGTH=32

middleware

Type: array

Defines the middleware applied to the package's route groups.

| Key | Default | Description |
| --- | --- | --- |
| default | ['api'] | Applied to all passkey routes (public and protected) |
| auth | ['auth'] | Applied on top of default for routes requiring an authenticated user |

config/passkey.php
'middleware' => [
    'default' => ['api'],
    'auth'    => ['auth'],
],

Override auth to use a specific guard (e.g. ['auth:sanctum'] or ['auth:api']) or add extra middleware like rate limiting.

auth_action

Type: string (class name) — Default: CreateWebSessionAction::class

The action class responsible for creating an authenticated session or token after a successful passkey login via POST /api/passkeys/login. The class must implement the Xefi\LaravelPasskey\Contracts\PasskeyAuthAction contract.

Three built-in actions are provided:

| Class | Requires | Response |
| --- | --- | --- |
| CreateWebSessionAction | | { user } — logs in via the default web guard |
| CreateSanctumTokenAction | laravel/sanctum | { user, token } — Sanctum personal access token |
| CreatePassportTokenAction | laravel/passport | { user, token, expires_at } — Passport access token |

config/passkey.php
// Session-based (default)
'auth_action' => \Xefi\LaravelPasskey\Actions\CreateWebSessionAction::class,

// Sanctum token
'auth_action' => \Xefi\LaravelPasskey\Actions\CreateSanctumTokenAction::class,

// Passport token
'auth_action' => \Xefi\LaravelPasskey\Actions\CreatePassportTokenAction::class,

You can also provide your own class to support any custom authentication mechanism:

app/Actions/CreateCustomTokenAction.php
<?php

namespace App\Actions;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Xefi\LaravelPasskey\Contracts\PasskeyAuthAction;
use Xefi\LaravelPasskey\Models\Passkey;

class CreateCustomTokenAction implements PasskeyAuthAction
{
    // Invoked after a successful passkey login; returns the JSON response sent to the client.
    public function __invoke(Passkey $passkey, Request $request): JsonResponse
    {
        // The model the verified passkey belongs to
        $user = $passkey->passkeeable;
        // ... your custom logic
        return response()->json(['user' => $user]);
    }
}

config/passkey.php
'auth_action' => \App\Actions\CreateCustomTokenAction::class,
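
A sanity check over the options documented on this page, as an added example that is not part of the package: it flags a challenge_length below the 32-byte minimum, an invalid timeout, an empty auth middleware group, and an auth_action that does not implement the contract. The function name passkeyConfigFindings() and the sample array are hypothetical and constructed for illustration.

```php
<?php
// Added example, not the package's own code.
// passkeyConfigFindings() is a hypothetical helper name.

function passkeyConfigFindings(array $cfg): array
{
    $findings = [];

    // Env values arrive as strings; reject non-integers and anything under 32 bytes.
    $len = filter_var($cfg['challenge_length'] ?? null, FILTER_VALIDATE_INT);
    if ($len === false || $len < 32) {
        $findings[] = 'challenge_length: must be an integer >= 32 (bytes)';
    }

    // The timeout is sent to the browser in milliseconds, so it must be a positive integer.
    $timeout = filter_var($cfg['timeout'] ?? null, FILTER_VALIDATE_INT);
    if ($timeout === false || $timeout <= 0) {
        $findings[] = 'timeout: must be a positive integer (milliseconds)';
    }

    // An empty auth group leaves the protected routes with only the default group.
    if (empty($cfg['middleware']['auth'])) {
        $findings[] = 'middleware.auth: empty, protected routes get no auth middleware';
    }

    // The contract check runs only when the package can be autoloaded.
    $contract = 'Xefi\LaravelPasskey\Contracts\PasskeyAuthAction';
    $action = $cfg['auth_action'] ?? '';
    if (!is_string($action) || $action === '') {
        $findings[] = 'auth_action: must be a class name';
    } elseif (interface_exists($contract) && !is_subclass_of($action, $contract)) {
        $findings[] = "auth_action: {$action} does not implement PasskeyAuthAction";
    }

    return $findings;
}

// Constructed sample: a short challenge, a zero timeout and no auth middleware.
$sample = [
    'timeout'          => '0',
    'challenge_length' => '16',
    'middleware'       => ['default' => ['api'], 'auth' => []],
    'auth_action'      => 'App\Actions\CreateCustomTokenAction',
];

foreach (passkeyConfigFindings($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

In an application, pass config('passkey') to the function from a test or a service provider's boot method so a weakened setting fails early.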