[GH-ISSUE #7151] Passkey plugin: WebAuthn extensions passthrough + pre-auth registration hooks #10747

Closed
opened 2026-04-13 07:04:20 -05:00 by GiteaMirror · 3 comments

Originally created by @gustavovalverde on GitHub (Jan 6, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/7151

Is this suited for github?

  • Yes, this is suited for github

Is your feature request related to a problem? Please describe.

Today the passkey plugin assumes registration requires an authenticated session and the client API does not allow passing WebAuthn extensions or reading extension results. This blocks valid, generic use cases:

  • Passkey-first onboarding (passwordless signup before any session exists).
  • Extension-driven workflows (PRF, largeBlob, credProps, etc.) that SimpleWebAuthn already supports.

We can work around this by bypassing the plugin and rolling custom flows, but that loses Better Auth’s integration and increases maintenance.

Describe the solution you'd like

  1. WebAuthn extension passthrough (server + client), so extensions can be supplied to registration/authentication options and extension results can be surfaced to the client.
  2. Pre-auth registration hooks (optional) so passkey-first flows can resolve a user before session exists.

This should be generic, backward-compatible, and not require schema changes.

High-level API idea:

  • PasskeyOptions.registration.requireSession (default true)
  • PasskeyOptions.registration.resolveUser(ctx, context) -> { id, name, displayName? }
  • PasskeyOptions.registration.afterVerification(...)
  • PasskeyOptions.registration.extensions / authentication.extensions
  • Client methods accept optional extensions and can optionally return clientExtensionResults

Describe alternatives you've considered

  • Keep the plugin unchanged and implement everything with custom SimpleWebAuthn flows (works, but loses Better Auth integration).
  • Create a separate "advanced passkey" plugin (adds fragmentation).
  • Hardcode PRF-specific features (too narrow; not generic).

Additional context

No response

GiteaMirror added the credentials and locked labels 2026-04-13 07:04:21 -05:00
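An added sketch, not part of the original issue and not Better Auth or SimpleWebAuthn code, of the guards the proposed options imply: `requireSession` defaulting to true, a `resolveUser` hook that is refused for accounts already holding a passkey, and extension passthrough limited to an allowlist. The option names come from the issue; `hasCredentials`, the error codes, the function names and the choice to keep PRF outputs in the browser are assumptions.

```javascript
// Hypothetical shapes based on the option names proposed in this issue.
const ALLOWED_EXTENSIONS = new Set(["prf", "largeBlob", "credProps"]);

// Keep only allowlisted extension entries (inputs or results).
function filterExtensions(requested = {}) {
  return Object.fromEntries(
    Object.entries(requested).filter(([name]) => ALLOWED_EXTENSIONS.has(name))
  );
}

// Decide who a registration ceremony is for.
// `hasCredentials(id)` is an assumed lookup: does this user already own a passkey?
// Kept synchronous so the sketch stays short.
function resolveRegistrationUser(options, ctx, context, hasCredentials) {
  const reg = options.registration ?? {};
  const requireSession = reg.requireSession ?? true; // proposed default
  if (ctx.session) return ctx.session.user;
  if (requireSession) throw new Error("SESSION_REQUIRED");
  if (typeof reg.resolveUser !== "function") throw new Error("NO_RESOLVER");
  const user = reg.resolveUser(ctx, context);
  if (!user || !user.id || !user.name) throw new Error("UNRESOLVED_USER");
  // Without a session, never attach a new passkey to an account that
  // already has one: the caller has proven nothing about that account.
  if (hasCredentials(user.id)) throw new Error("ACCOUNT_EXISTS");
  return user;
}

// Copy extension results for transport to the server. PRF outputs are key
// material, so this sketch drops `prf.results` and keeps only the flags.
function redactExtensionResults(results = {}) {
  const out = filterExtensions(results);
  if (out.prf) {
    const { results: _secret, ...rest } = out.prf;
    out.prf = rest;
  }
  return out;
}
```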

@better-auth-agent[bot] commented on GitHub (Jan 6, 2026):

It looks like you've opened an issue regarding the Passkey plugin's functionality, specifically addressing the need for WebAuthn extension passthrough and pre-auth registration hooks. This is an important topic as it aims to improve user experience in passwordless authentication through Better Auth.

Your proposed solution involves enabling WebAuthn extensions during registration and authentication processes, along with pre-auth registration hooks to facilitate passkey-first onboarding without an existing session. This would indeed enhance flexibility and usability for various workflows.

While there is a general acknowledgment of such enhancements being beneficial, it would be best to engage the Better Auth team directly for further discussions. You can tag Beka (@bekacru) and Max (@ping__) for their insights and potential contributions to this feature request.

What are your thoughts on the proposed WebAuthn features, and do you have any specific use cases in mind that you would like to be addressed?

If you need more help, tag @better-auth-agent in a comment so I can respond.


@gustavovalverde commented on GitHub (Jan 6, 2026):

> What are your thoughts on the proposed WebAuthn features, and do you have any specific use cases in mind that you would like to be addressed?

I already have a custom implementation in place for Passkey-first onboarding + Passkey vaults using PRF-derived keys to seal profiles and wrap FHE keys on a privacy-first KYC solution I'm building.

Because of the limitation I had (and some time constraints), I made this custom and detached from Better Auth, but I'd highly prefer Better Auth to allow the extension passthrough and pre-auth registration hooks, so these kinds of workflows (passwordless sign-up + PRF) can be used in coordination with Better Auth.

If you'd like to see a working example of this process, you can validate here: https://app.zentity.xyz/ and the technicalities behind this approach: https://github.com/gustavovalverde/zentity?tab=readme-ov-file#tech-choices-and-rationale

cc: @ping-maxwell @Bekacru

P.S.: I will create the PR so it's easier to visualize, because I don't think it will be that complex in any case.


@github-actions[bot] commented on GitHub (Apr 7, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.


Reference: github-starred/better-auth#10747