Building a Svelte Passkey Login Page

Looking for a dev-focused passkey reference? Download our Passkeys Cheat Sheet. Trusted by dev teams at Ally, Stanford CS & more.

Get Cheat Sheet

In this blog post, we'll be walking through the process of building a sample application with passkey authentication using Svelte. We'll cover how to embed the Corbado UI component and implement passkey login functionality for a seamless user experience.

If you want to see the finished code, please have a look at our sample application GitHub repository:

The result looks as follows:

This tutorial assumes basic familiarity with Svelte, HTML, CSS and JavaScript. Lets dive in! Moreover, you need to have Node and NPM installed on your machine.

Lets first discuss the structure of our project (full GitHub repo):

.
├── .env
├── package.json
└── src
    ├── app.html
    └── routes
        ├── +layout.svelte
        ├── +layout.server.ts
        ├── +page.svelte
        └── profile
            └── +page.svelte

The rest of the files of this project can be ignored for the purpose of this tutorial.

In the following, we explain step-by-step what needs to be done to successfully set up the Svelte project.

Lets start out by initializing a new Svelte project. In this tutorial, were using Svelte version 4.2.7:

npm create svelte@latest example-passkeys-svelte

In the installation guide steps, we select the following (if youre asked to install or update the create-svelte package, click Yes to proceed):

• App template: Skeleton project
• Type checking with TypeScript: We're using TypeScript here, but feel free to choose whatever you prefer
• Additional options: We're using ESLint and Prettier

If you're asked to proceed click "Yes"

cd example-passkeys-svelte

Let's also install the Corbado web-js dependency:

npm i @corbado/web-js

Optionally, you can also install the Corbado web-js types for an enhanced typescript experience:

npm i -D @corbado/types

If you run

npm install

and

npm run dev

the sample Svelte skeleton application starts at http://localhost:5173:

Visit the Corbado developer panel to sign up and create your account (you'll see the passkey sign-up in action here!).

In the project setup wizard, begin by selecting an appropriate name for your project. For the product selection, opt for "Corbado Complete". Subsequently, specify your technology stack and select "DEV along with "Corbado session management" options. Afterwards, you'll get more foundational setup guidance.

Next, choose "Web app" as an application type and Svelte as your framework. In the application settings, define your application url and relying party id as follows:

• Application URL: Provide the URL where you embedded the UI component, here: http://localhost:5173.
• Relying Party ID: Provide the domain (no protocol, no port and no path) where passkeys should be bound to, here: localhost

Lastly, retrieve your project ID from the developer panel and store it in your environment file. You can find it here under Corbado API access.

Your environment file should look like this:

VITE_CORBADO_PROJECT_ID=<your-project-id>

You'll need it later to embed the Corbado UI component in your Svelte app.

Now, lets jump back to the code we created from step 4.

First, we'll disable ssr as that's currently not supported by the Corbado web-js package, but we're working on it ;)

We'll do that by creating a +layout.server.ts file with the following content:

export const ssr = false;

Then, we'll create our outer layout which will handle the initialization of our Corbado project. It acts as a boundary that only renders the rest of the app once the Corbado project is initialized.

<script lang="ts">
    import Corbado from "@corbado/web-js";
    import {onMount} from "svelte";
    const PROJECT_ID = import.meta.env.VITE_CORBADO_PROJECT_ID;
 
    let isInitialized = false;
    onMount(async () => {
        await Corbado.load({
            projectId: PROJECT_ID,
            darkMode: 'off'
        });
        isInitialized = true; // Set to true once Corbado is initialized
    });
</script>
 
<div>
    {#if isInitialized}
        <slot></slot>
    {/if}
</div>

Next, we modify the home page. The home page is the file in src/routes/+page.svelte. This file contains the sign up / login UI component and navigates to /profile once the user is authenticated.

<script lang="ts">
    import Corbado from '@corbado/web-js';
    import {onMount} from 'svelte';
 
    let authElement: HTMLDivElement;
 
    onMount(() => {
        Corbado.mountAuthUI(
            authElement, {
                onLoggedIn: () => window.location.href = "/profile",
            })
    })
</script>
 
<div bind:this={authElement}></div>

Lastly, let's create the profile page under /profile. This page will show the user's name and user ID and provide a button to log out. If the user isn't logged in, we'll display a link back to the homepage.

<script lang="ts">
    import Corbado from "@corbado/web-js";
    import {onMount} from "svelte";
 
    let user: SessionUser | undefined;
 
    onMount(() => {
        user = Corbado.user
    })
 
    async function handleLogout() {
        await Corbado.logout()
        window.location.href = "/"
    }
</script>
 
<div>
    {#if (user)}
        <h1>
            Profile Page
        </h1>
        <p>
            User-id: {user.sub}
        </p>
        <p>
            Name: {user.name}
        </p>
        <button on:click={handleLogout}>
            Logout
        </button>
    {:else}
        <h1>
            You aren't logged in.
        </h1>
        <p>Go <a href="/">Home</a></p>
    {/if}
</div>

This page has content that should only be visible to authenticated users. Therefore, we use Corbado session management in the code above.

If everything is set up and installed, run the application with

npm run dev

You should see the following screen:

After successful sign up / login, you see the profile page:

This tutorial showed how easy it is to add passwordless authentication with passkeys to a Svelte app using Corbado. Besides the passkey-first authentication, Corbado provides simple session management, that we used for a retrieval of basic user data. If you want to read more about how you can leverage Corbados session management to retrieve backend data, please check out our documentation here or if you want to add Corbado to your existing app with existing users, please see our documentation here.

If you want to learn how you can retrieve user authentication state as well as wells as user information on the server side, take a look at our Sveltekit blogpost.

Install the @corbado/web-js package and call Corbado.mountAuthUI() inside an onMount hook, passing a container element and an onLoggedIn callback. You also need a Corbado project ID stored in your environment file as VITE_CORBADO_PROJECT_ID, which you retrieve from the Corbado developer panel.

The Corbado web-js package does not currently support server-side rendering, so the UI component must be initialized on the client only. You disable this by creating a +layout.server.ts file and exporting ssr = false, which tells SvelteKit to skip server rendering for the affected routes.

Set the Application URL to http://localhost:5173 (the default SvelteKit dev port) and the Relying Party ID to localhost with no protocol, port or path. These values are configured in the application settings section of the Corbado developer panel.

After a successful login, access the authenticated user via Corbado.user, which exposes user.sub (user ID) and user.name. To log out, call await Corbado.logout() and then redirect the user back to the home page.