PlainKey is a European passkey service built for developers who want to add passkeys without the complexity. If you want to know the full story, read the about page.
What is a passkey?
A passkey lets a user authenticate with a fingerprint, face scan, PIN, or security key. Users choose where to store their passkey, for example in a password manager of their choice or on a physical security key.
A passkey is bound to a specific domain, so phishing sites cannot use it. There are no passwords to steal if a server is breached.
Passkeys are built on WebAuthn, which all modern browsers and platforms support.
Implementing WebAuthn yourself
There are good open source libraries that handle the low-level cryptography, but there is still significant work around them. You need to manage short-lived challenges, persist credentials against your users, wire up registration and authentication flows, and handle browser compatibility edge cases. You should also understand the protocol well enough to use the library correctly and debug failures when they happen.
All this takes time you might want to spend on building your product instead. And getting any of this wrong can introduce security vulnerabilities.
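The short-lived challenges from that list and the domain binding described earlier, shown as an added Node.js example. It is not PlainKey's code or any library's API. `EXPECTED_ORIGIN`, the 60-second lifetime, the in-memory `Map` and all function names are assumptions. Signature, RP ID hash and flag verification are left to a WebAuthn library.

```javascript
const { randomBytes } = require("node:crypto");

// Assumptions for this example: your site's origin and a 60-second lifetime.
const EXPECTED_ORIGIN = "https://app.example.com";
const CHALLENGE_TTL_MS = 60_000;
// challenge (base64url) -> expiry timestamp. In-memory here; a real
// deployment needs a store shared by all server instances.
const pending = new Map();

function issueChallenge(now = Date.now()) {
  const challenge = randomBytes(32).toString("base64url");
  pending.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Validates the clientDataJSON bytes returned by the browser.
// Returns "ok" or the reason for rejection.
function checkClientData(clientDataJSON, expectedType, now = Date.now()) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return "malformed";
  }
  if (data === null || typeof data !== "object") return "malformed";
  if (data.type !== expectedType) return "wrong-type";
  const expiry = pending.get(data.challenge);
  if (expiry === undefined) return "unknown-challenge";
  // Single use: consume the challenge before further checks so a replay fails.
  pending.delete(data.challenge);
  if (now > expiry) return "expired-challenge";
  // The browser writes the origin, not the page, so a look-alike domain shows up here.
  if (data.origin !== EXPECTED_ORIGIN) return "wrong-origin";
  return "ok";
}

// Constructed sample input: the clientDataJSON a browser would produce.
function sampleClientData(challenge, origin, type = "webauthn.get") {
  return Buffer.from(JSON.stringify({ type, challenge, origin }));
}
```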
Using PlainKey
You integrate with PlainKey via the npm package @plainkey/browser in the frontend, and the npm package @plainkey/server in your backend. If you do not use Node.js for your backend, you can also call the REST API from your backend.
The APIs and SDKs are designed with two main goals in mind: simplicity and security.
The docs cover the full integration in more detail. Browser-side, authenticating a user essentially looks like this:
import { PlainKey } from "@plainkey/browser";
const plainKey = new PlainKey("YOUR_PROJECT_ID");
const { data, error } = await plainKey.authenticate();
You can use PlainKey as your primary authentication or add it to an existing auth system. Either way, it does not replace your user database or session handling. You receive a signed authentication token; your server verifies it with the server SDK or API and creates a session as normal.
PlainKey handles credential storage, challenge generation, signature verification, key management, and authenticator metadata, and provides you with an admin dashboard. You handle your UI, a few SDK calls or API requests, and your own user and session logic.
What if I use PlainKey for a while and then want to migrate to my own infrastructure?
You can. The passkeys created using PlainKey are scoped to your domain, meaning they will work just fine no matter where the credential data is stored. If you decide to leave, contact support and PlainKey will export all the necessary data. A fee may apply. Identity verification is required before any export. The credential data is yours to keep, but you would be taking on the implementation work.
Read the getting started guide or try the demo.