Your backend still owns the normal WebAuthn ceremony.
- generate registration and authentication challenges
- verify attestation and assertion responses
- enforce relying-party ID and challenge validation
- store credentials and counters the same way you would for a browser flow
What stays the same
- On the web, the plugin forwards to the real browser WebAuthn API.
- On native Capacitor, it returns browser-like credential objects backed by native passkey APIs.
- Your backend can keep the same challenge and verification pipeline.
What changes on Android
- Digital Asset Links let Android share the same relying party and credential ecosystem as your website.
- The literal clientDataJSON.origin value can still differ from the website origin.
- If your server rejects anything except https://your-domain, Android native assertions can fail even when the passkey is otherwise valid.
Recommended backend rule
Allow the expected browser origin and the expected Android app origin for the same relying party when you support native Android passkeys.
If you need direct JSON-safe calls
import { CapacitorPasskey } from '@capgo/capacitor-passkey';
const registration = await CapacitorPasskey.createCredential({
origin: 'https://signin.example.com',
publicKey: registrationOptionsFromBackend,
});
const authentication = await CapacitorPasskey.getCredential({
origin: 'https://signin.example.com',
publicKey: requestOptionsFromBackend,
});