{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"redocly_category":"Guides","type":"markdown"},"seo":{"title":"Device-bound passkeys","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"device-bound-passkeys","__idx":0},"children":["Device-bound passkeys"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["By default, WebAuthn handles only passkey registration and does not include any concept of device trust–that is, the ability to verify whether a device is known and enforce access policies based on it. To bind a device to a user, include device information in the registration payload. When ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["deviceInfo"]}," is included in the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["webauthn_encoded_result"]},", Mosaic associates the registering device with the user within the application. 
To control which device-bound passkeys are accepted at registration — for example by requiring attestation or restricting specific authenticator models — see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/passkey_attestation"},"children":["Passkey attestation and restrictions"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When the user later authenticates with a passkey, the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["ID token"]}," may include a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["device_keys"]}," claim—an array of device keys representing all devices registered for that user in the application (see the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/openapi/id_token_reference"},"children":["ID token reference"]},")."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This list includes devices registered during passkey registration (when ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["deviceInfo"]}," is provided) as well as devices registered through other flows, such as the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/register_device"},"children":["Register device"]}," step. 
This allows you to implement device-aware authentication logic — that is, to verify whether a device is known for the user and enforce access policies based on it."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"include-device-information-during-registration","__idx":1},"children":["Include device information during registration"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["When using mobile SDKs"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"The iOS and Android SDKs automatically include ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["deviceInfo"]}," in the encoded result. No additional configuration is required."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["When using web or custom implementations"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"You must construct the payload manually by combining:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["WebAuthn attestation data returned by the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["webauthn.register()"]}," call"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["deviceInfo"]}," object containing:",{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["publicKeyId"]}," (string)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["publicKey"]}," (string, typically PEM-encoded)"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The device key material 
should be generated using the same mechanism used for ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/how_devices_work"},"children":["device crypto-binding"]},", or obtained from prior flows such as ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/register_device"},"children":["Register device"]},". Only the public key and its identifier are placed in deviceInfo; the corresponding private key is not part of the payload."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"example-of-decoded-payload","__idx":2},"children":["Example of decoded payload"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following shows the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["decoded"]}," payload (WebAuthn fields omitted with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["..."]},"). Encode the full object before sending it as ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["webauthn_encoded_result"]}," in the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["ido.submitClientResponse()"]}," call:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"...\": \"WebAuthn attestation fields from credential creation\",\n  \"deviceInfo\": {\n    \"publicKeyId\": \"xxxyyyzzz\",\n    \"publicKey\": \"-----BEGIN RSA PUBLIC KEY-----\\n...\\n-----END RSA PUBLIC KEY-----\\n\"\n  }\n}\n","lang":"json"},"children":[]}]},"headings":[{"value":"Device-bound passkeys","id":"device-bound-passkeys","depth":1},{"value":"Include device information during registration","id":"include-device-information-during-registration","depth":2},{"value":"Example of decoded payload","id":"example-of-decoded-payload","depth":2}],"frontmatter":{"seo":{"title":"Device-bound passkeys"}},"lastModified":"2026-04-13T14:47:15.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/webauthn/device_passkeys_binding","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}