Skip to main content

registerPasskeyEncryptionKey

Registers a new passkey encryption key for the calling user. Called after the dashboard completes a WebAuthn registration ceremony with the prf extension and derives an X25519 keypair from the PRF output. The server only sees the public key + salt.

The orgID names the organization the user is enrolling the passkey IN — that org's billing plan must include the passkeyE2EE feature. The keypair itself is user-scoped (a single user has one set of passkeys across all their orgs); the orgID is the gating context, not a partitioning key on the row.

registerPasskeyEncryptionKey(
input: RegisterPasskeyEncryptionKeyInput!
): PasskeyEncryptionKey!

Arguments

registerPasskeyEncryptionKey.input ● RegisterPasskeyEncryptionKeyInput! non-null input

Type

PasskeyEncryptionKey object

A user's passkey-backed encryption keypair. The PRIVATE key never travels — it's derived in the browser from the passkey's PRF extension output (HKDF-keyed) and held only as a non-extractable CryptoKey for the duration of one operation. The server holds only the public key + the HKDF salt.