A shared, serverless authentication service. No passwords, no email, no recovery flows. Just passkeys.
How it works
Drop passwords from your side project today. SimplePasskey handles the hard parts so you can ship.
Get a clientId for your project. Each app gets its own isolated user pool and signing keys.
Install the browser SDK or the native iOS SDK and add a few lines of code. That's the entire integration.
Fingerprint, Face ID, or security key. No passwords to remember, no phishing to worry about.
Integration
Install the SDK. Register, sign in, and make authenticated calls. You get back a JWT with refresh-token session rotation.
npm install @simplepasskey/browser @simplewebauthn/browser
import { SimplePasskey } from '@simplepasskey/browser';
const auth = new SimplePasskey({
clientId: 'your-client-id'
});
// Register a new passkey
const { jwt, userId, refreshToken } = await auth.register({
displayName: 'Sam'
});
// Sign in
const { jwt, userId } = await auth.signIn();
// Session persists across page loads
const session = await auth.ready;
// Authenticated API calls (auto-refreshes)
const resp = await auth.fetch('/api/data');
Building a native iOS app? Use the Swift SDK at github.com/spullara/simplepasskey-swift; it stores refresh tokens in the Keychain and never passes them through URLs.
Native iOS
In Xcode, choose File β Add Package Dependenciesβ¦ and enter https://github.com/spullara/simplepasskey-swift.git starting from 0.1.0, then add the SimplePasskey product. Requires iOS 16+ or macOS 13+.
.package(url: "https://github.com/spullara/simplepasskey-swift.git", from: "0.1.0")
import SimplePasskey
let auth = SimplePasskey(clientId: "your-client-id")
// Register a new passkey
let registration = try await auth.register(displayName: "Sam")
// Sign in
let signIn = try await auth.signIn()
// Get the current access token
let token = try await auth.getToken()
// Authenticated API calls (auto-refreshes)
var request = URLRequest(url: URL(string: "https://api.example.com/data")!)
let (data, response) = try await auth.authedFetch(request)
// Clear the local session and revoke the refresh token
await auth.logout()
Features
Built for developers who want auth that works without the baggage.
No passwords to store, hash, or leak. Phishing-resistant by design. WebAuthn under the hood.
Each app gets its own isolated user pool, signing keys, and credential storage. No cross-tenant leakage.
Runs on Lambda + DynamoDB. Free tier rate limits are 10 API calls per second, ~100k DAU.
Get back ES256-signed JWTs. Verify them independently using the JWKS endpoint. No callback to our servers needed.
Standard OpenID Connect discovery, authorization code flow, and token endpoint. Drop it into any app that speaks OIDC.
Sign up with a passkey, create your tenant, register client apps, and grab your integration code β all from the browser.
API Reference
Everything lives at api.simplepasskey.com
| Method | Endpoint | Description |
|---|---|---|
| POST | /register/options |
Generate registration challenge for a new passkey |
| POST | /register/verify |
Verify registration and return a signed JWT |
| POST | /auth/options |
Generate authentication challenge |
| POST | /auth/verify |
Verify authentication and return a signed JWT |
| POST | /auth/refresh |
Send { refreshToken } to rotate and return { jwt, refreshToken, expiresIn }; 401 if invalid, expired, or revoked |
| POST | /auth/logout |
Revoke the presented refresh token |
| POST | /auth/logout-all |
Revoke all refresh tokens for the authenticated user |
| GET | /.well-known/jwks.json |
Public keys for independent JWT verification |
| POST | /credentials/* |
Add, list, and delete credentials (JWT-authed) |
Get started
SimplePasskey is in early access. Get your API key and start integrating passkey auth in minutes.