Skip to main content

registerPasskeyRecoveryKey

Registers a recovery-tier encryption keypair derived from the user's T1.2 recovery secret. Called by the dashboard when the user generates a fresh batch of recovery codes — the browser HKDFs the recovery secret with the spec's "vc-enc-recovery-v1" info string, derives the X25519 keypair, and posts the public key + salt here. The row is stamped is_recovery_tier=true so the enrollment modal does not count it toward the two-passkey-minimum.

Distinct from registerPasskeyEncryptionKey because recovery-tier rows are not WebAuthn credentials (no credentialId — the recovery secret IS the auth artifact). A fresh recovery-codes generation REVOKES the prior recovery-tier row for the same user+org and replaces it with the new one — strictly one active recovery-tier row per (user, org) at any time. Spec §3.5 + Q5.

registerPasskeyRecoveryKey(
input: RegisterPasskeyRecoveryKeyInput!
): PasskeyEncryptionKey!

Arguments

registerPasskeyRecoveryKey.input ● RegisterPasskeyRecoveryKeyInput! non-null input

Type

PasskeyEncryptionKey object

A user's passkey-backed encryption keypair. The PRIVATE key never travels — it's derived in the browser from the passkey's PRF extension output (HKDF-keyed) and held only as a non-extractable CryptoKey for the duration of one operation. The server holds only the public key + the HKDF salt.