Getting Started

1. Install the package

bun add @capgo/capacitor-passkey
bunx cap sync

2. Add the plugin config

The plugin reads its setup from plugins.CapacitorPasskey in your Capacitor config.

import type { CapacitorConfig } from '@capacitor/cli';

const config: CapacitorConfig = {
  appId: 'app.capgo.passkey.example',
  appName: 'My App',
  webDir: 'dist',
  plugins: {
    CapacitorPasskey: {
      origin: 'https://signin.example.com',
      autoShim: true,
      domains: ['signin.example.com'],
    },
  },
};

export default config;

After changing the config, sync again:

bunx cap sync

3. Import the shim once

import '@capgo/capacitor-passkey/auto';

After that import is in your app bootstrap, native Capacitor builds can keep using the browser-style WebAuthn entry points instead of rewriting your app around a custom passkey API.

4. Keep your existing WebAuthn flow

const registration = await navigator.credentials.create({
  publicKey: registrationOptions,
});

const authentication = await navigator.credentials.get({
  publicKey: requestOptions,
});

What the config does

origin: primary HTTPS relying-party origin used by the shim and the direct plugin API
domains: hostnames that the sync hook patches into native platform config
autoShim: enables automatic browser-style shim installation when you use @capgo/capacitor-passkey/auto

What sync patches for you

iOS: associated domains entitlements and Xcode entitlements wiring when needed
Android: asset_statements metadata and the generated string resource referenced by the manifest

The sync hook does not publish the website trust files for you. You still need the relying-party domain to serve the correct files.

iOS setup

Associated Domains and apple-app-site-association.

Android setup

Digital Asset Links and assetlinks.json.

Backend notes

Origin validation and Android-specific behavior.