Passage by 1Password unlocks the passwordless future with a simpler, more secure passkey authentication experience. Passage handles the complexities of the WebAuthn API, and allows you to implement passkeys with ease.
Use Passkey Flex to add passkeys to an existing authentication experience.
Use Passkey Complete as a standalone passwordless auth solution.
Use Passkey Ready to determine if your users are ready for passkeys.
Passage-JS provides a convenient JavaScript interface to handling all client-side operations for user authentication and management with Passkey Complete. If you're looking for a pre-built UI that handles everything for you elegantly check out our UI library passage-elements or passage-react.
What's Included?
🙆 Getting and editing information about the currently authenticated user.
🤝 Managing the session of the current user.
🔒 Full passkey authentication.
✨ Magic Link and One-Time Passcodes over email or SMS.
👥 Authentication with Social providers.
🪙 Custom token management.
| Product | Compatible |
|---|---|
 Passkey Flex
|
✖️ For Passkey Flex, check out passage-flex-js |
 Passkey Complete
|
✅ |
 Passkey Ready
|
✖️ For Passkey Ready, check out Authentikit |
You'll need a free Passage account and a Passkey Complete app set up in Passage Console to get started.
Learn more about Passage Console →
npm i @passageidentity/passage-jsimport { Passage } from '@passageidentity/passage-js'const passage = new Passage('YOUR_PASSAGE_APP_ID');Find aditional customization options and more implementation guidance on our Passkey JS Documentation page.
We are here to help! Find additional docs, the best ways to get in touch with our team, and more within our support resources.
Passage is a product by 1Password, the global leader in access management solutions with nearly 150k business customers.
This project is licensed under the MIT license. See the LICENSE file for more info.
The Passage class used to perform register and login operations. The only parameter is the app handle for the application.
import Passage from '@passageidentity/passage-js';
const passage = new Passage(app_id);
new Passage(
appID,config?):Passage
Constructor configuring the Passage class' attributes
| Parameter | Type | Description |
|---|---|---|
appID |
string |
the App's corresponding AppID |
config? |
PassageConfig |
An optional parameter to pass in configurable properties. The tokenStore property is an object that implements ReadOnlyTokenStore or TokenStore to manage retrieval and storage of tokens. If no tokenStore is provided by default Passage will store tokens in a combination of localstorage and cookies. |
app:
PassageApp
PassageApp class contains functions that operate on the Passage app level.
currentUser:
PassageCurrentUser
The PassageCurrentUser class contains functions to get information about the currently authenticated user.
magicLink:
PassageMagicLink
PassageMagicLink class contains functions that use magic links for authentication, identitfy verification, and handling identifier changes.
oneTimePasscode:
PassageOneTimePasscode
PassageOneTimePasscode class contains functions that use one-time passcodes for authentication.
passkey:
PassagePasskey
PassagePasskey class contains functions that use passkeys for authentication and utilities to help with passkey UX decisions.
session:
PassageSession
The PassageSession class used to manage Passage sessions using refresh tokens.
social:
PassageSocial
PassageSocial class contains functions that use social providers for authentication.
PassageApp class contains functions that operate on the Passage app level.
-
PassageBase<AppsApi>
new PassageApp(
instanceConfig):PassageApp
Constructor configuring the App class' attributes
| Parameter | Type | Description |
|---|---|---|
instanceConfig |
PassageInstanceConfig |
the config of the current Passage instance |
PassageBase<AppsApi>.constructor
createUser(
identifier,userMetadata?):Promise<User>
createUser creates a user in a 'pending' state.
| Parameter | Type | Description |
|---|---|---|
identifier |
string |
the email or phone number of the user |
userMetadata? |
Metadata |
optional metadata to associate with the user |
Promise<User>
info():
Promise<App>
Get information about an app.
Promise<App>
a data object containing app information and the authentication policy
import Passage from '@passageidentity/passage-js';
const passage = new Passage(appId);
await passage.app.info()
.then(data => {
// look at information regarding a particular app
}).catch(e => console.log(e));userExists(
identifier):Promise<User>
Look-up a user and return the user properties if the user exists
| Parameter | Type | Description |
|---|---|---|
identifier |
string |
email address / phone for user |
Promise<User>
The PassageCurrentUser class contains functions to get information about the currently authenticated user.
-
PassageBaseAuthenticated<CurrentuserApi>
new PassageCurrentUser(
instanceConfig,session):PassageCurrentUser
constructor for the CurrentUser class.
| Parameter | Type | Description |
|---|---|---|
instanceConfig |
PassageInstanceConfig |
the config of the current Passage instance |
session |
PassageSession |
- |
PassageBaseAuthenticated<CurrentuserApi>.constructor
addPasskey(
options?):Promise<Credential_2>
addPasskey register a new passkey for the current user.
| Parameter | Type | Description |
|---|---|---|
options? |
PasskeyCreationOptions |
Optional configuration for passkey creation |
Promise<Credential_2>
the new passkey regsitered for the current user.
changeEmail(
newEmail,language?):Promise<MagicLink>
changeEmail initiates an email change for the authenticated user. An email change requires verification, so an email will be sent to the user which they must verify before the email change takes effect.
| Parameter | Type | Description |
|---|---|---|
newEmail |
string |
|
language? |
string |
the language string for localizing emails, if no lanuage or an invalid language is provided the application default lanuage will be used |
Promise<MagicLink>
the magicLink response on success.
changePhone(
newPhone,language?):Promise<MagicLink>
changePhone initiates a phone number change for the authenticated user. An phone number change requires verification, so an SMS with a link will be sent to the user which they must verify before the phone number change takes effect.
| Parameter | Type | Description |
|---|---|---|
newPhone |
string |
|
language? |
string |
the language string for localizing emails, if no lanuage or an invalid language is provided the application default lanuage will be used |
Promise<MagicLink>
the magicLink response on success.
deletePasskey(
passkey):Promise<boolean>
deletePasskey deletes an existing passkey for the current user.
| Parameter | Type | Description |
|---|---|---|
passkey |
Credential_2 |
the passkey to be deleted |
Promise<boolean>
true if the device has been deleted successfully.
deleteSocialConnection(
socialConnectionType):Promise<boolean>
deleteSocialConnection deletes an existing social connection for the current user.
| Parameter | Type | Description |
|---|---|---|
socialConnectionType |
SocialConnection |
the social connection to be deleted |
Promise<boolean>
true if the social connection has been deleted successfully.
editPasskey(
passkeyId,friendlyName):Promise<Credential_2>
editPasskey allows the passkey's friendly name to be changed.
| Parameter | Type | Description |
|---|---|---|
passkeyId |
string |
|
friendlyName |
string |
Promise<Credential_2>
the edited device after applying the requested device attribute changes.
listSocialConnections():
Promise<UserSocialConnections>
listSocialConnections is used to list the current user's social connections.
Promise<UserSocialConnections>
the current social connections and their properties.
metadata():
Promise<Metadata>
getMetadata returns the metadata for the currently authenticated user.
Promise<Metadata>
the current Passage user's info, or undefined if the current Passage user's authentication token could not be validated.
passkeys():
Promise<Credential_2[]>
Get the list of the current users's passkeys.
Promise<Credential_2[]>
the array of passkeys.
updateMetadata(
metadata):Promise<CurrentUser>
updateMetadata updates the metadata for the currentuser. Note that only metadata fields set for the app can be updated.
| Parameter | Type | Description |
|---|---|---|
metadata |
Metadata |
Promise<CurrentUser>
the current user with their newly updated metadata field.
userInfo():
Promise<CurrentUser>
userInfo returns the user information for the currently authenticated user. If the user is not authenticated, an error is thrown.
Promise<CurrentUser>
the current Passage user's info current Passage user's authentication token could not be validated.
PassageMagicLink class contains functions that use magic links for authentication, identitfy verification, and handling identifier changes.
-
PassageBase<MagicLinkApi>
new PassageMagicLink(
instanceConfig):PassageMagicLink
Constructor configuring the PassageMagicLink class' attributes
| Parameter | Type | Description |
|---|---|---|
instanceConfig |
PassageInstanceConfig |
the config of the current Passage instance |
PassageBase<MagicLinkApi>.constructor
activate(
magicLink):Promise<AuthResult>
Activates a magic link. Handles login, registration, identifier verification, and identifier change magic links. Will throw an error if the magic link is invalid, expired, or has already been activated.
| Parameter | Type | Description |
|---|---|---|
magicLink |
string |
The magic link to activate |
Promise<AuthResult>
login(
identifier,language?):Promise<MagicLink>
Creates a new magic link for login. Will throw an error if the user does not exist.
| Parameter | Type | Description |
|---|---|---|
identifier |
string |
The Passage User's identifier |
language? |
string |
the language string for localizing emails, if no lanuage or an invalid language is provided the application default lanuage will be used |
Promise<MagicLink>
MagicLink JSON payload
register(
identifier,language?):Promise<MagicLink>
Create a new magic link for registration. Will throw an error if the user has already logged into their account at least once.
| Parameter | Type | Description |
|---|---|---|
identifier |
string |
The Passage User's identifier |
language? |
string |
the language string for localizing emails, if no lanuage or an invalid language is provided the application default lanuage will be used |
Promise<MagicLink>
MagicLink JSON payload
status(
id):Promise<AuthResult>
Look up a magic link by ID and check if it has been verified. This function is most commonly used to iteratively check if a user has clicked a magic link to login. Once the link has been verified, Passage will return authentication information via this endpoint. This enables cross-device login. This will throw an error if the magic link is not activated.
| Parameter | Type | Description |
|---|---|---|
id |
string |
unique ID for an magic link which is returned by functions that create a magic link |
Promise<AuthResult>
PassageOneTimePasscode class contains functions that use one-time passcodes for authentication.
-
PassageBase<OTPApi>
new PassageOneTimePasscode(
instanceConfig):PassageOneTimePasscode
Constructor configuring the PassageOneTimePasscode class' attributes
| Parameter | Type | Description |
|---|---|---|
instanceConfig |
PassageInstanceConfig |
the config of the current Passage instance |
PassageBase<OTPApi>.constructor
activate(
oneTimePasscode,id):Promise<AuthResult>
Activates a one-time passcode. Handles login and registration one-time passcodes. Will throw an error if the one-time passcode is invalid, expired, or has already been activated.
| Parameter | Type | Description |
|---|---|---|
oneTimePasscode |
string |
The one-time passcode provided by the user from their email or text message. |
id |
string |
The id associated with the one-time passcode. |
Promise<AuthResult>
login(
identifier,language?):Promise<OneTimePasscodeResponse>
Create a new one-time passcode for login. Will throw an error if the user does not exist.
| Parameter | Type | Description |
|---|---|---|
identifier |
string |
The Passage User's identifier |
language? |
string |
the language string for localizing emails, if no lanuage or an invalid language is provided the application default lanuage will be used |
Promise<OneTimePasscodeResponse>
One-time passcode object
register(
identifier,language?):Promise<OneTimePasscodeResponse>
Create a new one-time passcode for registration. Will throw an error if the user has already logged into their account at least once.
| Parameter | Type | Description |
|---|---|---|
identifier |
string |
The Passage User's identifier |
language? |
string |
the language string for localizing emails, if no lanuage or an invalid language is provided the application default lanuage will be used |
Promise<OneTimePasscodeResponse>
One-time passcode object
PassagePasskey class contains functions that use passkeys for authentication and utilities to help with passkey UX decisions.
new PassagePasskey(
instanceConfig,app):PassagePasskey
Constructor configuring the Passkey class' attributes
| Parameter | Type | Description |
|---|---|---|
instanceConfig |
PassageInstanceConfig |
the config of the current Passage instance |
app |
PassageApp |
- |
checkPasskeyOrigin():
Promise<boolean>
Checks if an application's auth origin matches the current origin on an end user's browser. If this function returns false, passkeys will not work properly on this domain.
Promise<boolean>
createCredentialAvailable():
Promise<ICreateCredentialFeatures>
Uses information about the user's current browser to determine what features are availble for creating credentials via WebAuthn. NOTE: Do not call this from an event handler where navigator.get or navigator.create is invoked or it will break the required user gesture on iOS web browsers.
Promise<ICreateCredentialFeatures>
The set of features supported by the browser.
getCredentialAvailable():
Promise<IGetCredentialFeatures>
Uses information about the user's current browser to determine what features are availble for getting credentials via WebAuthn. NOTE: Do not call this from an event handler where navigator.get or navigator.create is invoked or it will break the required user gesture on iOS web browsers.
Promise<IGetCredentialFeatures>
The set of features supported by the browser.
hasLocalPasskey(
userId):boolean
Checks to see if the user has any platform passkeys. This happens by checking to see if we have the userID and an associated passkey credential stored in localStorage via the key psg_cred_obj.
| Parameter | Type | Description |
|---|---|---|
userId |
string |
the Passage User's userID |
boolean
returns true if psg_cred_obj exists in localstorage, false if not
login(
identifier?,options?):Promise<AuthResult>
Logs in an existing user with a passkey. Will throw an error if the user does not exist, has no passkeys, or if the operation is cancelled with an abort signal. If no identifier is provided, the user will be prompted to select an identifier, formally known as WebAuthn discoverable credentials. If implementing passkey autocomplete, formally known as WebAuthn conditional mediation, no identifier should be provided and the isConditionalMediation option should be set to true.
| Parameter | Type | Description |
|---|---|---|
identifier? |
string |
|
options? |
PasskeyLoginOptions |
Promise<AuthResult>
The authentication token, redirect URL, and refresh token, if configured for the application.
register(
identifier,options?):Promise<AuthResult>
Registers a new user with a passkey. Will throw an error if the user has already logged into their account at lesst once.
| Parameter | Type | Description |
|---|---|---|
identifier |
string |
|
options? |
PasskeyCreationOptions |
Promise<AuthResult>
The authentication token, redirect URL, and refresh token, if configured for the application.
The PassageSession class used to manage Passage sessions using refresh tokens.
-
PassageBase<TokensApi>
new PassageSession(
instanceConfig):PassageSession
Constructor configuring the PassageOneTimePasscode class' attributes
| Parameter | Type | Description |
|---|---|---|
instanceConfig |
PassageInstanceConfig |
the config of the current Passage instance |
PassageBase<TokensApi>.constructor
authGuard():
Promise<boolean>
authGuard checks if the current user has a JWT that is valid and potentially verifiable. IMPORTANT: this is not verifying the JWT, it is only checking if the JWT is formatted properly.
Promise<boolean>
true if the user has a valid (but unverified) JWT, false if not.
getAuthToken():
Promise<string>
getAuthToken gets the current authToken for the currently authenticated user.
Promise<string>
returns the user's authToken if it exists or fetches a new one with a refresh token if it exists
refresh():
Promise<AuthResult>
refresh gets and saves a new authToken for the currently authenticated user using their refresh token
Promise<AuthResult>
returns the user's authToken if successful
signOut():
Promise<boolean>
Sign out a user by deleting their AuthToken from local storage and revoking their refresh token.
Promise<boolean>
true if the device has been deleted successfully.
PassageSocial class contains functions that use social providers for authentication.
-
PassageBase<OAuth2Api>
new PassageSocial(
instanceConfig):PassageSocial
Constructor configuring the PassageSocial class' attributes
| Parameter | Type | Description |
|---|---|---|
instanceConfig |
PassageInstanceConfig |
the config of the current Passage instance |
PassageBase<OAuth2Api>.constructor
authorize(
connection):Promise<void>
Initiates authorization via a supported third-party social provider. This must be run from a secure context (HTTPS or localhost).
| Parameter | Type | Description |
|---|---|---|
connection |
SocialConnection |
The social connection to use for login. |
Promise<void>
finish(
code):Promise<AuthResult>
Finishes a social login by exchanging the social login provider code for Passage tokens.
| Parameter | Type | Description |
|---|---|---|
code |
string |
The code returned from the social login provider |
Promise<AuthResult>
PassageTokenStore class provides the Passage default token storage mechanism. The auth token is stored in localStorage and cookies. The refresh token is stored in localStorage only.
new PassageTokenStore():
PassageTokenStore
clearTokens():
Promise<void>
Clears the auth token from localstorage and cookies and refresh token from localstorage
Promise<void>
getAuthToken():
Promise<string>
Gets the current auth token
Promise<string>
The current auth token
getRefreshToken():
Promise<undefined|string>
Gets the current refresh token
Promise<undefined | string>
The current refresh token
setTokens(
authResult):Promise<void>
Sets the auth token and refresh token, if used
| Parameter | Type | Description |
|---|---|---|
authResult |
AuthResult |
Promise<void>
Base class for implementing read-only token stores. getAuthToken() is the only required function to implement. If a Passage object is built with a read-only token store it will not handle any token storage.
new ReadOnlyTokenStore():
ReadOnlyTokenStore
abstractgetAuthToken():Promise<string>
This method returns a token to be used for authenticated operations on the User class.
Promise<string>
Passage-issued JWT
getRefreshToken():
Promise<undefined|string>
This method retrieves a Passage refresh token from storage for use with the Session class for refreshing Passage sessions. If this method returns undefined then Session will not handle any refresh token logic.
Promise<undefined | string>
refresh token, or undefined if not using refresh tokens.
Base class for implementing full read-write token stores.
new TokenStore():
TokenStore
ReadOnlyTokenStore.constructor
clearTokens():
Promise<void>
This method is responsible for clearing tokens from storage when a sign-out operation is executed on the Session class.
Promise<void>
abstractgetAuthToken():Promise<string>
This method returns a token to be used for authenticated operations on the User class.
Promise<string>
Passage-issued JWT
ReadOnlyTokenStore.getAuthToken
getRefreshToken():
Promise<undefined|string>
This method retrieves a Passage refresh token from storage for use with the Session class for refreshing Passage sessions. If this method returns undefined then Session will not handle any refresh token logic.
Promise<undefined | string>
refresh token, or undefined if not using refresh tokens.
ReadOnlyTokenStore.getRefreshToken
abstractsetTokens(authResult):Promise<void>
This method is responsible for hanlding the storage of Passage-issued JWTs and refresh tokens.
| Parameter | Type | Description |
|---|---|---|
authResult |
AuthResult |
The authResult object returned from Passage Login, Register, Magic Link, and token refresh operations. |
Promise<void>
[key: string]: boolean | string | number
| Property | Type | Description |
|---|---|---|
tokenStore? |
ReadOnlyTokenStore | TokenStore
|
A custom TokenStore implementation that handles custom management of tokens |
| Property | Type |
|---|---|
abortSignal? |
AbortSignal |
isConditionalMediation? |
boolean |
| Enumeration Member | Value |
|---|---|
both |
"both" |
email |
"email" |
phone |
"phone" |
| Enumeration Member | Value |
|---|---|
Both |
"both" |
Either |
"either" |
Email |
"email" |
Phone |
"phone" |
| Enumeration Member | Value |
|---|---|
Apple |
"apple" |
Github |
"github" |
Google |
"google" |
| Enumeration Member | Value |
|---|---|
BOOLEAN |
"boolean" |
DATE |
"date" |
EMAIL |
"email" |
INTEGER |
"integer" |
PHONE |
"phone" |
STRING |
"string" |
isFullTokenStore(
store):store is TokenStore
| Parameter | Type |
|---|---|
store |
ReadOnlyTokenStore | TokenStore
|
store is TokenStore
OneTimePasscode:
OneTimePasscodeResponse
PassageAppInfo:
App
Passkey:
Credential
PublicUserInfo:
User
UserSocialConnection:
AppleSocialConnection|GithubSocialConnection|GoogleSocialConnection