
fix(passkeys): modify the passkeys request and response shapes #2475

Merged
fadymak merged 1 commit into master from fm/passkey-api-req-res-cleanup
Apr 10, 2026

@fadymak fadymak commented Apr 10, 2026


Modifies some of the passkeys request/response shapes for a cleaner interface and to better align with industry standards. In particular:

The /options endpoints remove unnecessary nesting (a byproduct of serializing the go-webauthn object directly):

{
  "challenge_id": "some-challenge-id",
  "options": {
    "publicKey": {
      // ... the public key options
    }
  },
  "expires_at": 1234567890
}

becomes:

{
  "challenge_id": "some-challenge-id",
  "options": {
    // ... the public key options
  },
  "expires_at": 1234567890
}

Rename the credential in the /verify endpoint payload from credential_response to credential:

{
  "challenge_id": "some-challenge-id",
  "credential_response": {
    // ... the response from the client
  }
}

becomes

{
  "challenge_id": "some-challenge-id",
  "credential": {
    // ... the response from the client
  }
}

Finally, remove the backed_up, backup_eligible, and transports fields from the /verify response upon registration. We can later expose them consistently across the API responses if/when needed.
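A client-side view of the shape change described above, as an added example that is not part of the PR or the project's code: it accepts an /options response in either shape and builds the matching /verify body. The function names and sample values are hypothetical, and it assumes `expires_at` is a Unix timestamp in seconds and that a server returning the nested shape still expects `credential_response`.

```javascript
// Constructed sample /options responses (values are illustrative only).
const SAMPLE_OLD = {
  challenge_id: "some-challenge-id",
  options: { publicKey: { challenge: "Y29uc3RydWN0ZWQ", rpId: "example.com" } },
  expires_at: 1234567890,
};
const SAMPLE_NEW = {
  challenge_id: "some-challenge-id",
  options: { challenge: "Y29uc3RydWN0ZWQ", rpId: "example.com" },
  expires_at: 1234567890,
};

// Return the WebAuthn public key options from either response shape.
function unwrapOptions(resp, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!resp || typeof resp !== "object") {
    throw new TypeError("response must be an object");
  }
  if (typeof resp.challenge_id !== "string" || resp.challenge_id === "") {
    throw new TypeError("missing challenge_id");
  }
  // Assumption: expires_at is Unix seconds; refuse to start a stale ceremony.
  if (typeof resp.expires_at === "number" && resp.expires_at <= nowSeconds) {
    throw new Error("challenge expired");
  }
  const opts = resp.options;
  if (!opts || typeof opts !== "object") throw new TypeError("missing options");
  // Pre-change shape nests the options under "publicKey"; post-change does not.
  const legacy = typeof opts.publicKey === "object" && opts.publicKey !== null;
  const publicKey = legacy ? opts.publicKey : opts;
  // "challenge" is required by WebAuthn, so its absence means a shape we do not know.
  if (publicKey.challenge === undefined) {
    throw new TypeError("options carry no challenge");
  }
  return { challengeId: resp.challenge_id, publicKey, legacy };
}

// Build the /verify body using the field name that matches the server's shape.
function buildVerifyPayload(challengeId, credential, legacy = false) {
  const field = legacy ? "credential_response" : "credential";
  return { challenge_id: challengeId, [field]: credential };
}
```

In a browser, the returned `publicKey` object would go through `PublicKeyCredential.parseCreationOptionsFromJSON()` before being handed to `navigator.credentials.create()`.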

@fadymak fadymak requested a review from a team as a code owner April 10, 2026 07:03
@fadymak fadymak merged commit 2d8f2b6 into master Apr 10, 2026
6 checks passed
@fadymak fadymak deleted the fm/passkey-api-req-res-cleanup branch April 10, 2026 10:58
fadymak pushed a commit that referenced this pull request Apr 28, 2026
🤖 I have created a release *beep* *boop*
---


## [2.189.0](v2.188.1...v2.189.0) (2026-04-23)


### Features

* add PKCE support for `/resend` ([#2401](#2401)) ([2af904a](2af904a))
* improve parallelization in github workflows and Makefile ([#2436](#2436)) ([9d0c4b3](9d0c4b3))
* **passkeys:** add CAPTCHA to options endpoint for authentication ([#2416](#2416)) ([c7b58be](c7b58be))
* support live reloading of individual rate limits ([#2469](#2469)) ([d03d796](d03d796))


### Bug Fixes

* ensure identities are returned in a consistent order across DB engines ([#2465](#2465)) ([e49a3e5](e49a3e5))
* ensure SSO providers tests are order-independent ([#2466](#2466)) ([983ade6](983ade6))
* exempt PKCE recovery sessions from require-current-password check ([#2502](#2502)) ([7f88985](7f88985))
* **indexworker:** skip index creation on OrioleDB ([#2481](#2481)) ([dd56ae9](dd56ae9))
* **passkeys:** modify the passkeys request and response shapes ([#2475](#2475)) ([2d8f2b6](2d8f2b6))
* prevent reuse of flow state ([#2483](#2483)) ([88dcb2d](88dcb2d))
* return JSON response for unmatched routes instead of plain text ([#2457](#2457)) ([7337e21](7337e21))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>