Laravel’s New Passkeys Package Simplifies Passwordless Auth Setup

Laravel developers no longer need third-party packages or manual WebAuthn setups to implement passkey authentication. The framework’s official laravel/passkeys package, released in April 2026, delivers a streamlined solution for passwordless logins with minimal configuration. Built by Taylor Otwell and integrated with Laravel’s ecosystem, the package reduces setup time while maintaining enterprise-grade security standards.

A Three-Part Ecosystem for Effortless Passkey Integration

The laravel/passkeys package operates as a cohesive three-component system, each handling a critical layer of the authentication process. The server-side Composer package manages WebAuthn ceremonies, credential storage, and route configuration. It automatically creates a passkeys database table and provides hooks for custom authorization logic.

On the client side, the @laravel/passkeys npm package simplifies browser interactions. It offers first-class support for React, Vue, and Svelte with server-side rendering (SSR) compatibility. Developers interact with just two core methods: Passkeys.register() for credential creation and Passkeys.verify() for authentication.

For teams using Laravel Fortify, integration is seamless. A single line in the Features array enables passkey support, leveraging existing endpoints and contracts. This approach ensures no additional glue code is required, preserving established security policies and authorization gates.

Step-by-Step Setup for Passkey Authentication

Getting started with laravel/passkeys requires just a few commands. Begin by installing the Composer package:

composer require laravel/passkeys

Next, publish and run the migrations to generate the passkeys table:

php artisan vendor:publish --tag=passkeys-migrations
php artisan migrate

A critical security step involves creating a user handle secret in your .env file. This prevents passkey associations from being exposed, even if user IDs are sequential:

PASSKEYS_USER_HANDLE_SECRET=your-secure-random-string-here

Generate a secure secret using Laravel’s built-in command:

php artisan key:generate --show

While the package defaults to using APP_KEY if no secret is set, maintaining a separate value is recommended for long-term stability—especially if you plan to rotate application keys.

Customizing the User Model for Passkey Support

The User model requires minimal adjustments to support passkey authentication. Add the PasskeyUser contract and PasskeyAuthenticatable trait:

<?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\Passkeys\Contracts\PasskeyUser;
use Laravel\Passkeys\PasskeyAuthenticatable;

class User extends Authenticatable implements PasskeyUser
{
    use PasskeyAuthenticatable;
    // Existing model code...
}

The package assumes your users table includes name and email columns, which authenticators display during registration. Default fallbacks prioritize name, then email, and finally the user identifier. To override these values, implement custom methods on your model:

public function getPasskeyDisplayName(): string
{
    return $this->full_name ?? $this->email;
}

public function getPasskeyUsername(): string
{
    return $this->email;
}

This approach eliminates the need for additional migrations or pivot tables, as the passkeys table manages credential storage and relationships automatically.

Fortify Integration: Zero-Config Passkey Authentication

Teams already using Laravel Fortify can enable passkey support with a single configuration change. Add Features::passkeys() to your features array in the Fortify configuration file:

use Laravel\Fortify\Features;

'features' => [
    Features::registration(),
    Features::resetPasswords(),
    Features::emailVerification(),
    Features::passkeys(), // Enables passkey authentication
],

Fortify handles endpoint registration and contract wiring internally, ensuring existing authorization policies remain unchanged. Passkeys replace only the authentication step, preserving your application’s security posture without disrupting workflows.

Key Configuration Settings for Optimal Security

Publishing the package’s config file reveals several critical settings:

return [
    'relying_party_id' => parse_url(config('app.url'), PHP_URL_HOST),
    'allowed_origins' => [config('app.url')],
    'user_handle_secret' => env('PASSKEYS_USER_HANDLE_SECRET', config('app.key')),
    'timeout' => 60000,
    'guard' => 'web',
    'middleware' => ['web'],
    'management_middleware' => ['password.confirm'],
    'throttle' => 'throttle:6,1',
    'redirect' => '/',
];

The relying_party_id must match the domain users access during authentication. Mismatches between this value and the actual domain will cause ceremonies to fail. Ensure APP_URL reflects your production domain, particularly in local development environments.

The management_middleware setting defaults to password.confirm, requiring users to re-enter their password before adding or revoking passkeys. This friction is intentional and critical for preventing unauthorized credential changes.

The Future of Passwordless Auth in Laravel

The laravel/passkeys package represents a significant leap forward for Laravel developers seeking to implement modern authentication. By consolidating server, client, and Fortify integrations into a single ecosystem, the package reduces complexity without compromising security. While still in early release (v0.1.0), its adoption in Laravel’s starter kits and Fortify’s production environments signals strong stability.

As passkey adoption grows, developers can expect further refinements to the package’s API and documentation. For now, teams looking to modernize authentication workflows have a reliable, first-party solution ready for immediate deployment.