---
url: 'https://www.corbado.com/faq/create-passkeys-cross-origin-iframes'
title: 'Can I create passkeys in cross-origin iframes?'
description: 'Find out if and how you can create passkeys within cross-origin iframes, including current browser compatibility and necessary permissions.'
lang: 'en'
---

# Can I create passkeys in cross-origin iframes?

## Can I create passkeys in cross-origin iframes?

Yes, creating passkeys within [cross-origin](https://www.corbado.com/blog/iframe-passkeys-webauthn)
[iframes](https://www.corbado.com/blog/iframe-passkeys-webauthn) is currently possible, but it depends on browser
support and specific technical requirements:

## Current Browser Support (as of 2025)

- **Chrome:** Fully supports [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices)
  within [cross-origin](https://www.corbado.com/blog/iframe-passkeys-webauthn)
  [iframes](https://www.corbado.com/blog/iframe-passkeys-webauthn) from version 123 onwards, aligning with
  [WebAuthn Level 3](https://www.corbado.com/blog/passkeys-prf-webauthn).
- **Firefox:** Fully supports [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices)
  within [cross-origin](https://www.corbado.com/blog/iframe-passkeys-webauthn)
  [iframes](https://www.corbado.com/blog/iframe-passkeys-webauthn), following the
  [WebAuthn Level 3](https://www.corbado.com/blog/passkeys-prf-webauthn) standard.
- **Safari:** **Does not (yet) support**
  [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) in cross-origin iframes.
  Safari currently supports only passkey authentication (login) within iframes, not
  registration.

## Technical Requirements

To successfully implement passkey creation in cross-origin iframes, you must:

- Set proper HTTP `Permissions-Policy` headers:
    ```http
    Permissions-Policy: publickey-credentials-get=(*), publickey-credentials-create=(*)
    ```
- Include the correct allow attribute on your [iframe](https://www.corbado.com/blog/iframe-passkeys-webauthn)
  element:
    ```html

    ```

<iframe
    src="https://example.com"
    allow="publickey-credentials-get; publickey-credentials-create"
></iframe>
```

- Ensure transient user activation (user gesture like clicks) to initiate the passkey
  creation.

## Future Browser Outlook

It's not yet clear if Safari and other browsers will eventually support passkey creation
in cross-origin contexts in the future.

For production environments, always verify browser compatibility and provide fallback
flows for unsupported scenarios, especially for Safari users

## Read the full article