WebAuthnApiClient
Component Detail
Description
Typed HTTP client for all WebAuthn-related backend endpoints. Handles challenge issuance, attestation verification, assertion verification, credential listing, and revocation. Attaches CSRF tokens and session cookies per request and retries on transient network failures.
webauthn-api-client
Sources & reasoning
Passkeys are not explicitly mentioned in the source documentation. The feature is required by the authoritative blueprint which assigns it to Authentication & Access Control at v1.1. Target release v1.1 follows the blueprint's phase assignment; no earlier phase evidence exists in the source doc, and the feature is clearly post-BankID/Vipps (Fase 2) in any logical delivery sequence.
No source references — this artifact was included based on reasoning alone (see above).
Responsibilities
- POST to /auth/passkey/register/begin and /register/finish
- POST to /auth/passkey/authenticate/begin and /authenticate/finish
- GET /auth/passkey/credentials for listing server-side records
- DELETE /auth/passkey/credentials/:id for server-side revocation
- Handle 4xx/5xx errors and map to domain error types
Interfaces
fetchRegistrationChallenge(userId: string): Promise<PublicKeyCredentialCreationOptions>
submitAttestation(body: AttestationBody): Promise<PasskeyCredential>
fetchAuthChallenge(rpId: string): Promise<PublicKeyCredentialRequestOptions>
submitAssertion(body: AssertionBody): Promise<SessionToken>
revokeCredential(credentialId: string): Promise<void>
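An added example, not the project's own code, of the request path the description and the error-mapping responsibility imply: session cookie and CSRF token on every call, a retry only when no response arrives, and 4xx/5xx mapped to a domain error. The `X-CSRF-Token` header name, the error kinds, and the identifiers `requestJson`, `kindForStatus`, `WebAuthnApiError` and `FetchLike` are assumptions.

```typescript
// Added example: header name, error kinds and identifiers are assumptions.
type HttpResponse = { status: number; json(): Promise<unknown> };
type FetchLike = (url: string, init: {
  method: string; credentials: "include";
  headers: Record<string, string>; body?: string;
}) => Promise<HttpResponse>;
type ErrorKind = "unauthenticated" | "forbidden" | "not_found" | "rejected" | "server" | "network";

class WebAuthnApiError extends Error {
  kind: ErrorKind;
  status?: number;
  constructor(kind: ErrorKind, status?: number) {
    super(`WebAuthn API error: ${kind}`);
    this.kind = kind;
    this.status = status;
  }
}

// Map an HTTP status to a domain error kind so callers never branch on raw codes.
function kindForStatus(status: number): ErrorKind {
  if (status === 401) return "unauthenticated";
  if (status === 403) return "forbidden"; // e.g. missing or stale CSRF token
  if (status === 404) return "not_found";
  return status >= 500 ? "server" : "rejected";
}

// maxAttempts = 1 suits the /finish calls if the backend consumes a challenge on
// first use (assumption): a request whose response was lost may already have landed.
async function requestJson(
  fetchImpl: FetchLike, csrfToken: string, method: string, path: string,
  body?: unknown, maxAttempts = 3,
): Promise<unknown> {
  for (let attempt = 1; ; attempt++) {
    let res: HttpResponse | undefined;
    try {
      res = await fetchImpl(path, {
        method,
        credentials: "include", // send the session cookie
        headers: { "Content-Type": "application/json", "X-CSRF-Token": csrfToken },
        body: body === undefined ? undefined : JSON.stringify(body),
      });
    } catch {
      res = undefined; // no response at all: the only case treated as transient
    }
    if (res === undefined && attempt >= maxAttempts) throw new WebAuthnApiError("network");
    if (res === undefined) continue;
    // Any HTTP response is final: 4xx and 5xx are mapped, never retried.
    if (res.status >= 400) throw new WebAuthnApiError(kindForStatus(res.status), res.status);
    return res.status === 204 ? undefined : res.json();
  }
}
```

In a browser, `fetchImpl` would be a thin wrapper around `fetch`; injecting it keeps the retry and mapping rules testable without a network.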