Skip to main content

PasskeyEncryptionKey

A user's passkey-backed encryption keypair. The PRIVATE key never travels — it's derived in the browser from the passkey's PRF extension output (HKDF-keyed) and held only as a non-extractable CryptoKey for the duration of one operation. The server holds only the public key + the HKDF salt.

type PasskeyEncryptionKey {
id: ID!
credentialId: String!
x25519Pubkey: String!
kdfSalt: String!
label: String!
createdAt: Time!
lastUsedAt: Time
isRecoveryTier: Boolean!
}

Fields

PasskeyEncryptionKey.id ● ID! non-null scalar

PasskeyEncryptionKey.credentialId ● String! non-null scalar

Base64url WebAuthn credential id, used to bind this row to the Keycloak credential.

PasskeyEncryptionKey.x25519Pubkey ● String! non-null scalar

X25519 public key, base64-standard. Length is always 44 chars (32 bytes encoded).

PasskeyEncryptionKey.kdfSalt ● String! non-null scalar

HKDF salt the browser used to derive the X25519 priv from PRF output. Base64-standard. Non-secret per HKDF.

PasskeyEncryptionKey.label ● String! non-null scalar

User-supplied authenticator nickname (e.g. 'Aaron's iPhone').

PasskeyEncryptionKey.createdAt ● Time! non-null scalar

PasskeyEncryptionKey.lastUsedAt ● Time scalar

Bumped by T2.2 on every successful unwrap. Null until the key is first used.

PasskeyEncryptionKey.isRecoveryTier ● Boolean! non-null scalar

True for keys derived from the user's recovery secret (T1.2). Hidden from the user-facing list in the dashboard.

Returned By

myPasskeyEncryptionKeys query ● registerPasskeyEncryptionKey mutation ● registerPasskeyRecoveryKey mutation ● renamePasskeyEncryptionKey mutation

Member Of

WrappedDEK object