/api/user/mfa/passkey
Manage WebAuthn passkeys.
This endpoint requires authentication.
Path Parameters
| Name | Type | Description |
|---|---|---|
id | string | The unique ID of the tag |
GET Request
Get all of your registered passkeys. Note: if your passkey device no longer can provide a passkey for Zipline, it will still be listed here, and is recommended to be removed manually.
Response
Status: 200 OK
Content-Type: application/json
Array of passkey objects:
| Property | Type | Description |
|---|---|---|
id | string | Unique identifier for this passkey credential. |
createdAt | string | ISO timestamp when the passkey was created. |
updatedAt | string | ISO timestamp when the passkey was last updated. |
lastUsed | string | ISO timestamp when the passkey was last used. |
name | string | Display name for this passkey (set by the user). |
reg | object | WebAuthn credential registration response (see below). |
userId | string | User ID that owns this passkey. |
Example
[{"id": "cmbbdikm30001vcj1t4jzxn3h","createdAt": "2025-05-30T22:27:25.275Z","updatedAt": "2025-05-30T22:27:25.275Z","lastUsed": "2025-05-30T22:27:25.274Z","name": "Pixel 7","reg": {"id": "x","type": "public-key","rawId": "x","response": {"transports": ["hybrid", "internal"],"clientDataJSON": "x","attestationObject": "x-x-x-x-x"},"clientExtensionResults": {},"authenticatorAttachment": "cross-platform"},"userId": "cmb6042f500029kenox2u8npu"}]
POST Request
Create a new passkey. This will take in a WebAuthn registration response from the client, and create a new passkey for the user in the database.
Body
Content-Type: application/json
| Property | Type | Description |
|---|---|---|
reg | RegistrationResponseJSON | Required. WebAuthn registration response. |
name | string | Required. Display name for the passkey. |
Response
Status: 200 OK
Content-Type: application/json
Returns the current User object after the passkey has been created.
Error Responses
-
400 Bad Request
If the request body is invalid, missing required fields, or the passkey registration response is invalid.
DELETE Request
Delete a specific passkey by its ID. Note: this will not delete the passkey from your device, it only removes it from Zipline meaning that it will not authenticate you anymore. To ensure that the passkey is entirely removed, you need to manually delete it from your passkey through its settings (varies between all the platforms).
Body
Content-Type: application/json
| Property | Type | Description |
|---|---|---|
id | string | Required. ID of passkey to delete. |
Response
Status: 200 OK
Content-Type: application/json
Returns the current User object after the passkey has been deleted.
Error Responses
-
400 Bad Request
If the request body is invalid or missing required fields.