PasskeyEncryptionKey
A user's passkey-backed encryption keypair. The PRIVATE key never travels — it's derived in the browser from the passkey's PRF extension output (HKDF-keyed) and held only as a non-extractable CryptoKey for the duration of one operation. The server holds only the public key + the HKDF salt.
type PasskeyEncryptionKey {
id: ID!
credentialId: String!
x25519Pubkey: String!
kdfSalt: String!
label: String!
createdAt: Time!
lastUsedAt: Time
isRecoveryTier: Boolean!
}
Fields
PasskeyEncryptionKey.id ● ID! non-null scalar
PasskeyEncryptionKey.credentialId ● String! non-null scalar
Base64url WebAuthn credential id, used to bind this row to the Keycloak credential.
PasskeyEncryptionKey.x25519Pubkey ● String! non-null scalar
X25519 public key, base64-standard. Length is always 44 chars (32 bytes encoded).
PasskeyEncryptionKey.kdfSalt ● String! non-null scalar
HKDF salt the browser used to derive the X25519 priv from PRF output. Base64-standard. Non-secret per HKDF.
PasskeyEncryptionKey.label ● String! non-null scalar
User-supplied authenticator nickname (e.g. 'Aaron's iPhone').
PasskeyEncryptionKey.createdAt ● Time! non-null scalar
PasskeyEncryptionKey.lastUsedAt ● Time scalar
Bumped by T2.2 on every successful unwrap. Null until the key is first used.
PasskeyEncryptionKey.isRecoveryTier ● Boolean! non-null scalar
True for keys derived from the user's recovery secret (T1.2). Hidden from the user-facing list in the dashboard.
Returned By
myPasskeyEncryptionKeys query ● registerPasskeyEncryptionKey mutation ● registerPasskeyRecoveryKey mutation ● renamePasskeyEncryptionKey mutation
Member Of
WrappedDEK object