<@U04UQ68083H> createnativeregistrationflow does n...
# ory-copilot
p
@chilly-king-10285 createnativeregistrationflow does not include passkey as a group. passkeys have been enabled from the ory console. how do i fix this
b
A message from kapa.ai
Based on the information provided in the knowledge sources, it appears that the `passkey` strategy is a relatively new addition to Ory Kratos. The issue you're experiencing might be related to configuration or version compatibility. Here are some steps you can take to address this:

1. Ensure you're using the latest version of Ory Kratos that supports the passkey strategy. The [Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api) shows that `passkey` is included as a valid credential type.
2. Double-check your configuration. Make sure the passkey strategy is properly enabled in your Kratos configuration file. According to the [Ory documentation on passkeys](https://www.ory.sh/docs/kratos/passwordless/passkeys#passkeys-with-the-dedicated-passkey-strategy), you should have something like this in your `config.yml`:

   ```yaml
   selfservice:
     methods:
       passkey:
         enabled: true
         config:
           rp:
             display_name: Your Application name
             id: localhost
             origins:
               - http://localhost:4455
   ```
3. Verify that your identity schema includes the necessary configuration for passkeys. As mentioned in the [Ory documentation on identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passkey-display-name), you should have a field in your schema with the following extension:

   ```json
   {
     "ory.sh/kratos": {
       "credentials": {
         "passkey": {
           "display_name": true
         }
       }
     }
   }
   ```
4. If you've made these changes and are still experiencing issues, you may need to clear any cached configurations or restart your Kratos instance to ensure the new settings take effect.
5. If the problem persists, it might be worth checking the Kratos logs for any error messages or warnings related to the passkey configuration.

If after trying these steps you're still unable to see the passkey option in the `createNativeRegistrationFlow` response, it's possible there might be a bug or limitation in the current version of Kratos you're using. In that case, you may want to reach out to the Ory community or support channels for further assistance.
p
@chilly-king-10285 can you explain this identity schema:

```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "phone": {
          "title": "Phone",
          "type": "string",
          "format": "tel",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        },
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        }
      },
      "onboarding": {
        "type": "string",
        "title": "How far along is the user into the onboarding process."
      },
      "onboarding_errors": {
        "type": "object",
        "title": "Alpaca account creation errors"
      },
      "required": [
        "email",
        "phone"
      ]
    }
  },
  "$schema": "http://json-schema.org/draft-07/schema#"
}
```
b
A message from kapa.ai
This identity schema defines the structure and properties of a user's identity in the Ory Kratos system. Let me break it down for you:

1. Schema Metadata:
   - `$id`: Unique identifier for this schema
   - `title`: "Person"
   - `type`: "object"
   - `$schema`: Specifies the JSON Schema version used
2. Main Properties: The schema has a single top-level property called "traits", which is an object containing user attributes.
3. Traits: The "traits" object has the following properties:
   a. Phone:
      - Type: string
      - Format: telephone number
      - Can be used as an identifier for password authentication [Identity Schema Extensions](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#password-login-identifier)
   b. Email:
      - Type: string
      - Format: email
      - Maximum length: 320 characters
      - Can be used as an identifier for password, WebAuthn, and TOTP authentication
      - Used for account recovery and verification [Identity Schema Extensions](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#password-login-identifier)
   c. Onboarding:
      - Type: string
      - Represents the user's progress in the onboarding process
   d. Onboarding_errors:
      - Type: object
      - Stores errors related to Alpaca account creation
4. Required Fields: Both "email" and "phone" are required fields in this schema.

This schema allows for multiple authentication methods:

- Password authentication using either phone or email as the identifier
- WebAuthn (passwordless) authentication using email as the identifier
- Time-based One-Time Password (TOTP) using email as the account name [Multiple Identifiers](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#multiple-identifiers)

It also enables email-based account recovery and verification processes. The schema includes custom fields for tracking onboarding progress and errors, which are specific to your application's needs and not part of the standard Ory Kratos fields.
Note that while the schema includes a phone field, it's not configured for SMS-based authentication or verification in this particular schema. If you want to enable SMS-based features, you would need to add the appropriate configurations to the phone field, similar to how the email field is set up for various authentication methods.
p
@chilly-king-10285 modify this schema to optionally authenticate with passkeys as well
b
A message from kapa.ai
Certainly! I'll modify the schema to include optional authentication with passkeys. Here's the updated schema with passkey support added:
```json
{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "phone": {
          "title": "Phone",
          "type": "string",
          "format": "tel",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        },
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              },
              "passkey": {
                "display_name": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        }
      },
      "onboarding": {
        "type": "string",
        "title": "How far along is the user into the onboarding process."
      },
      "onboarding_errors": {
        "type": "object",
        "title": "Alpaca account creation errors"
      },
      "required": [
        "email",
        "phone"
      ]
    }
  },
  "$schema": "http://json-schema.org/draft-07/schema#"
}
```
The main change to enable passkey authentication is the addition of the `passkey` field under the `email` property's `ory.sh/kratos.credentials` section:

```json
"passkey": {
  "display_name": true
}
```
This modification allows the email to be used as the display name for passkeys, enabling passkey authentication as an optional method alongside the existing password, WebAuthn, and TOTP methods [Passkey Display Name](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#passkey-display-name). Remember that in addition to updating the identity schema, you'll need to ensure that passkey authentication is enabled in your Ory Kratos configuration. You can do this by adding the following to your `config.yml` file [Passkeys Configuration](https://www.ory.sh/docs/kratos/passwordless/passkeys#passkeys-with-the-dedicated-passkey-strategy):

```yaml
selfservice:
  methods:
    passkey:
      enabled: true
      config:
        rp:
          display_name: Your Application name
          id: localhost
          origins:
            - http://localhost:4455
```
Make sure to replace the `display_name`, `id`, and `origins` values with those appropriate for your application.
With these changes, your schema now supports optional authentication with passkeys, while maintaining the existing authentication methods and required fields.
p
@chilly-king-10285 how do I retrieve the passkey challenge from the registration api
b
A message from kapa.ai
To retrieve the passkey challenge from the registration API in Ory Kratos, you need to follow these steps:

1. First, initiate a registration flow by calling the `createNativeRegistrationFlow` or `createBrowserRegistrationFlow` endpoint, depending on your application type.
2. In the response from this API call, you'll receive a `registrationFlow` object. This object contains a `ui` property with an array of `nodes`.
3. Look for a node with `node_type` set to "input" and `type` set to "hidden". This node should have a `name` attribute set to "passkey_register".
4. The `value` of this node will contain the passkey challenge data you need to initiate the passkey registration process on the client side.

Here's an example of what you might look for in the API response:

```json
{
  "ui": {
    "nodes": [
      {
        "type": "input",
        "group": "passkey",
        "attributes": {
          "name": "passkey_register",
          "type": "hidden",
          "value": "{\"challenge\":\"base64-encoded-challenge-data\", ...}"
        },
        "node_type": "input"
      }
      // ... other nodes
    ]
  }
  // ... other properties
}
```
The `value` field of this node will contain a JSON string with the challenge data needed for passkey registration. It's important to note that the exact structure and presence of this node depend on your configuration and whether passkey registration is enabled and available for the current flow. If you're not seeing this node in your API response, make sure that:

1. Passkey authentication is properly enabled in your Kratos configuration.
2. Your identity schema includes the passkey configuration as shown in the previous answer.
3. You're using a recent version of Ory Kratos that supports passkeys.

For more detailed information on working with registration flows and parsing the UI nodes, you can refer to the [Ory Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).
p
@chilly-king-10285 I do not have the passkey group in my response. How do I fix this?
b
A message from kapa.ai
Based on the information provided in the knowledge sources and our previous conversation, if you're not seeing the passkey group in your response, there are a few things you can check and fix:

1. Ensure Passkey is Enabled: Make sure you have enabled the passkey method in your Ory Kratos configuration. As mentioned in the [Ory documentation on passkeys](https://www.ory.sh/docs/kratos/passwordless/passkeys#passkeys-with-the-dedicated-passkey-strategy), you should have the following in your `config.yml`:

   ```yaml
   selfservice:
     methods:
       passkey:
         enabled: true
         config:
           rp:
             display_name: Your Application name
             id: localhost
             origins:
               - http://localhost:4455
   ```
2. Update Identity Schema: Ensure your identity schema includes the passkey configuration. In the traits section of your schema, you should have something like this:

   ```json
   "email": {
     "type": "string",
     "format": "email",
     "title": "E-Mail",
     "ory.sh/kratos": {
       "credentials": {
         "passkey": {
           "display_name": true
         }
       }
     }
   }
   ```
3. Check Kratos Version: Ensure you're using a version of Ory Kratos that supports passkeys. The passkey feature is relatively new, so you might need to update to the latest version.
4. Clear Cache and Restart: After making changes to your configuration or schema, try clearing any cached configurations and restart your Kratos instance.
5. Check for Errors: Look at your Kratos logs for any error messages or warnings related to the passkey configuration.
6. Verify API Call: Make sure you're calling the correct API endpoint for registration flow creation. The passkey option should appear in the response of `createNativeRegistrationFlow` or `createBrowserRegistrationFlow`.
7. Check Browser Compatibility: If you're testing in a browser environment, ensure that the browser supports the WebAuthn API, which is required for passkeys.

If you've checked all these points and are still not seeing the passkey group in your response, it's possible there might be a bug or limitation in the current version of Kratos you're using. In that case, you may want to [open a discussion on the Ory Kratos GitHub repository](https://github.com/ory/kratos/discussions) or reach out to Ory support for further assistance. Remember, the passkey feature is still relatively new in Ory Kratos, so make sure you're using the most up-to-date documentation and version of the software.
p
@chilly-king-10285 what version of ory supports passkeys?
b
A message from kapa.ai
I apologize, but I don't have specific information about which version of Ory Kratos first introduced support for passkeys. The knowledge sources provided don't contain a clear version number or release date for this feature. However, based on the information available, we can infer that passkeys are a relatively recent addition to Ory Kratos. The [documentation on passkeys](https://www.ory.sh/docs/kratos/passwordless/passkeys) mentions that it's a new feature, and there are instructions on how to configure and use it. To find out exactly which version introduced passkeys, I would recommend:

1. Checking the Ory Kratos release notes or changelog on their GitHub repository.
2. Using the latest stable version of Ory Kratos, which should include passkey support.
3. Contacting Ory support or posting a question in their community forums for the most up-to-date information.

If you're currently using an older version of Ory Kratos and want to use passkeys, it would be advisable to upgrade to the latest stable release to ensure you have access to this feature.