Skip to main content

Overview

This guide shows how to implement passkey authentication in a Flutter app using turnkey_sdk_flutter. You’ll add the necessary platform configuration, set up the provider with a proper rpId, and call signUpWithPasskey and loginWithPasskey from your UI.

Passkey setup (platform)

Passkeys require an Relying Party ID (rpId) that matches a domain you control and a verified association between your app and that domain.

iOS — Associated Domains

  1. Enable the entitlement in Xcode for your iOS target:
    • Select your app target → Signing & Capabilities+ CapabilityAssociated Domains.
    • Add an entry: webcredentials:yourdomain.com (replace with your domain).
  2. Entitlements file (if editing manually): ios/Runner/Runner.entitlements
ios/Runner/Runner.entitlements
Ensure your provisioning profile includes Associated Domains. The domain must serve a valid Apple App Site Association (AASA) file.
  1. AASA file hosted by your domain at https://yourdomain.com/.well-known/apple-app-site-association. The file should include your app’s team/app identifiers. Refer to Apple’s documentation for the exact structure.
  1. Host a Digital Asset Links statement at: https://yourdomain.com/.well-known/assetlinks.json
  2. Include your app’s package name and signing certificate SHA‑256 fingerprint.
public/.well-known/assetlinks.json
Make sure the file is served with Content-Type: application/json and no redirects.

Provider configuration

Set passkeyConfig.rpId to the domain you associated above (e.g., yourdomain.com). This must match the iOS/Android domain setup.
lib/main.dart

Usage

Below are minimal examples to sign up and log in with passkeys.

Sign up with passkey

lib/screens/login.dart

Log in with passkey

lib/screens/login.dart

Tips

  • rpId must match the domain configured in your platform setup, otherwise passkey operations will fail.
  • iOS: confirm your build includes Associated Domains and the AASA file is reachable.
  • Android: confirm assetlinks.json is valid and your app’s package name + signing certificate fingerprint are correct.
  • Consider setting a dynamic display name for passkeys on sign-up so users can identify authenticators later.