Open for early access

Passkey auth for
your side projects

A shared, serverless authentication service. No passwords, no email, no recovery flows. Just passkeys.

Three steps. Five minutes.

Drop passwords from your side project today. SimplePasskey handles the hard parts so you can ship.

Register your app

Get a clientId for your project. Each app gets its own isolated user pool and signing keys.

Add a few lines of JS

Install the browser SDK or the native iOS SDK and add a few lines of code. That's the entire integration.

Users tap to authenticate

Fingerprint, Face ID, or security key. No passwords to remember, no phishing to worry about.

Ship auth in minutes, not days

Install the SDK. Register, sign in, and make authenticated calls. You get back a JWT with refresh-token session rotation.

npm install @simplepasskey/browser @simplewebauthn/browser
import { SimplePasskey } from '@simplepasskey/browser';

const auth = new SimplePasskey({
  clientId: 'your-client-id'
});

// Register a new passkey
const { jwt, userId, refreshToken } = await auth.register({
  displayName: 'Sam'
});

// Sign in
const { jwt, userId } = await auth.signIn();

// Session persists across page loads
const session = await auth.ready;

// Authenticated API calls (auto-refreshes)
const resp = await auth.fetch('/api/data');

Building a native iOS app? Use the Swift SDK at github.com/spullara/simplepasskey-swift; it stores refresh tokens in the Keychain and never passes them through URLs.

Install with Swift Package Manager

In Xcode, choose File β†’ Add Package Dependencies… and enter https://github.com/spullara/simplepasskey-swift.git starting from 0.1.0, then add the SimplePasskey product. Requires iOS 16+ or macOS 13+.

.package(url: "https://github.com/spullara/simplepasskey-swift.git", from: "0.1.0")
import SimplePasskey

let auth = SimplePasskey(clientId: "your-client-id")

// Register a new passkey
let registration = try await auth.register(displayName: "Sam")

// Sign in
let signIn = try await auth.signIn()

// Get the current access token
let token = try await auth.getToken()

// Authenticated API calls (auto-refreshes)
var request = URLRequest(url: URL(string: "https://api.example.com/data")!)
let (data, response) = try await auth.authedFetch(request)

// Clear the local session and revoke the refresh token
await auth.logout()

Everything you need. Nothing you don't.

Built for developers who want auth that works without the baggage.

Passkey-only

No passwords to store, hash, or leak. Phishing-resistant by design. WebAuthn under the hood.

Multi-tenant

Each app gets its own isolated user pool, signing keys, and credential storage. No cross-tenant leakage.

Serverless

Runs on Lambda + DynamoDB. Free tier rate limits are 10 API calls per second, ~100k DAU.

JWT-based

Get back ES256-signed JWTs. Verify them independently using the JWKS endpoint. No callback to our servers needed.

OIDC compatible

Standard OpenID Connect discovery, authorization code flow, and token endpoint. Drop it into any app that speaks OIDC.

Self-service dashboard

Sign up with a passkey, create your tenant, register client apps, and grab your integration code β€” all from the browser.

Nine endpoints. That's the whole API.

Everything lives at api.simplepasskey.com

Method Endpoint Description
POST /register/options Generate registration challenge for a new passkey
POST /register/verify Verify registration and return a signed JWT
POST /auth/options Generate authentication challenge
POST /auth/verify Verify authentication and return a signed JWT
POST /auth/refresh Send { refreshToken } to rotate and return { jwt, refreshToken, expiresIn }; 401 if invalid, expired, or revoked
POST /auth/logout Revoke the presented refresh token
POST /auth/logout-all Revoke all refresh tokens for the authenticated user
GET /.well-known/jwks.json Public keys for independent JWT verification
POST /credentials/* Add, list, and delete credentials (JWT-authed)

Drop passwords today.

SimplePasskey is in early access. Get your API key and start integrating passkey auth in minutes.