Passkey Flex Node.js SDK

Install

Install the Passage Flex Node.js npm package (opens in a new tab).

npm i @passageidentity/passage-flex-node

Initialize

Initialize a Passage Flex instance using your app ID found in Passage Console.

App.js
import { PassageFlex, PassageConfig } from '@passageidentity/passage-flex-node';
 
const passageConfig: PassageConfig = {
    appId: process.env.PASSAGE_APP_ID,
    apiKey: process.env.PASSAGE_API_KEY,
};
 
const passage = new PassageFlex(passageConfig);

Core functions

See full documentation on Github.

createAuthenticateTransaction()

Create a transaction to start a user's authentication process.

Parameters

PropertyData TypeDescription
{externalId: string}AuthenticateTransactionArgsThe required values to create a transaction.

Returns

Promise<string> The transaction ID.

Example

const transaction = await passageFlex.createAuthenticateTransaction({
    externalId: 'UUID-string',
});

createRegisterTransaction()

Create a transaction to start a user's registration process.

Parameters

PropertyData TypeDescription
{externalId: string, passkeyDisplayName: string}CreateTransactionAuthenticateRequestThe required values to create a transaction.

Returns

Promise<string> The transaction ID.

Example

const transaction = await passageFlex.createRegisterTransaction({
    externalId: 'UUID-string',
    passkeyDisplayName: 'new.user@gmail.com', // the label for the user passkey that they will see when logging in
});

getApp()

Retrieve information about an app.

Returns

Promise<AppInfo> Passage App object.

Example

const passageApp = await passage.getApp();
console.log(passageApp.authOrigin);

getDevices()

Get a user's devices by their external ID.

Parameters

PropertyData TypeDescription
externalIdstringThe external ID used to associate the user with Passage.

Returns

Promise<WebAuthnDevices[]> List of devices.

Example

// same value used when creating the transaction
const externalId = yourUser.id;
 
// get devices
const passkeyDevices = await passage.getDevices(externalId);
for (const device of passkeyDevices) {
    console.log(device.usageCount);
}

getUser()

Get a user by their external ID.

Parameters

PropertyData TypeDescription
externalIdstringThe identifier used to associate your user with Passage.

Returns

Promise<UserInfo> Passage User object.

Example

// example authenticated route
app.get('/authenticatedRoute', passageAuthMiddleware, async (req, res) => {
    // this should be the same value you used when creating the transaction
    const externalId = req.yourUser.id;
 
    // get user info
    const passageUser = await passage.getUser(externalId);
    console.log(passageUser.loginCount);
});

revokeDevice()

Revoke a user's device by their external ID and the device ID.

Parameters

PropertyData TypeDescription
externalIdstringThe identifier used to associate your user with Passage.
deviceIdstringThe Passage user's device ID.

Returns

Promise<boolean> Whether the user's device has been revoked.

Example

// same value you used when creating the transaction
const externalId = yourUser.id;
const lastYear = new Date();
lastYear.setFullYear(lastYear.getFullYear() - 1);
 
// get devices
const passkeyDevices = await passage.getDevices(externalId);
 
for (const device of passkeyDevices) {
    // revoke old devices that haven't been used
    if (device.usageCount === 0 && device.lastLoginAt < lastYear) {
        try {
            await passage.revokeDevice(externalId, device.id);
        } catch (err) {
            // device couldn't be revoked
        }
    }
}

verifyNonce()

Verify the nonce received from a WebAuthn registration or authentication ceremony.

Parameters

PropertyData TypeDescription
noncestring

The nonce to send to Passage for verification of a successful registration or authentication.

Returns

Promise<string> The external ID of the verified user.

Example

try {
    const externalId = await passage.verifyNonce('nonce');
 
    // continue custom auth solution.
    // Ex: generate and send your own auth token
} catch (err) {
    // nonce was invalid or unable to be verified
}