registerPasskeyEncryptionKey
Registers a new passkey encryption key for the calling user. Called after the dashboard completes a WebAuthn registration ceremony with the prf extension and derives an X25519 keypair from the PRF output. The server only sees the public key + salt.
The orgID names the organization the user is enrolling the passkey IN — that org's billing plan must include the passkeyE2EE feature. The keypair itself is user-scoped (a single user has one set of passkeys across all their orgs); the orgID is the gating context, not a partitioning key on the row.
registerPasskeyEncryptionKey(
input: RegisterPasskeyEncryptionKeyInput!
): PasskeyEncryptionKey!
Arguments
registerPasskeyEncryptionKey.input ● RegisterPasskeyEncryptionKeyInput! non-null input
Type
PasskeyEncryptionKey object
A user's passkey-backed encryption keypair. The PRIVATE key never travels — it's derived in the browser from the passkey's PRF extension output (HKDF-keyed) and held only as a non-extractable CryptoKey for the duration of one operation. The server holds only the public key + the HKDF salt.