Kill the password. Ship passkeys.

http4k WebAuthn gives your users phishing-resistant passwordless login with FIDO2 passkeys - the complete registration and authentication ceremonies, handled for you and fully testable.

Highlights

Truly Passwordless

Let users sign in with a fingerprint, face, security key, or device PIN. No passwords to store, leak, reset, or phish. Supports passkey-only signup or adding a passkey to an existing login.

Standards Based

Full W3C WebAuthn / FIDO2 registration and authentication ceremonies, backed by webauthn4j and BouncyCastle for attestation, signature, challenge, origin, and sign-counter (clone detection) verification.

Pluggable By Design

Three small interfaces compose the flow - PasskeyVerifier, PasskeyPersistence, and Principals. Swap in your own credential store and session strategy without touching the ceremony logic.

Testable In Memory

Ships with InsecurePasskeyVerifier, InMemoryPasskeyPersistence, and a fake authenticator so you can drive the entire passkey flow in fast, out-of-container tests - the http4k way.

License

http4k WebAuthn is available under the http4k Commercial License. Free usage is granted for qualifying small businesses (<$1m ARR), non-commercial, non-profit, and research activities.

Pricing

All http4k Pro modules are also automatically included as part of the Enterprise Edition. Need bulk developer seats, team licensing, or custom terms? Get in touch and we'll find the right fit - whether that's volume licensing for individual Pro modules or our full Enterprise Edition with LTS support and priority access to all Pro modules.

Let's talk

Contact us