
How do I enable passkeys in an iframe?

Learn the step-by-step process to enable passkeys in iframes, including essential permissions, HTTP headers, and user activation requirements.

Vincent Delitz

Created: April 7, 2025

Updated: May 12, 2026

Enabling passkeys in iframes involves configuring specific permissions, headers, and user interaction conditions. Here's a step-by-step guide:

1. Set Permissions-Policy

First, specify permissions using the iframe's allow attribute:

<iframe src="https://example.com" allow="publickey-credentials-get; publickey-credentials-create"></iframe>

2. Configure HTTP Headers

Include the corresponding HTTP response headers on your iframe source server to explicitly allow WebAuthn operations:

Permissions-Policy: publickey-credentials-get=(*), publickey-credentials-create=(*)

For enhanced security, limit the allowlist to specific domains instead of *:

Permissions-Policy: publickey-credentials-get=("https://yourdomain.com"), publickey-credentials-create=("https://yourdomain.com")
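The difference between the wildcard and the domain-scoped header can be checked mechanically before deployment. The following Node.js auditor is an added example, not code from the original article or from Corbado; the function names and the origin https://other.example are assumptions made for illustration, and the parser is deliberately simplified.

```javascript
// Added example (not from the article): audit a Permissions-Policy header value
// for the two WebAuthn features. Simplified parser: handles the allowlist forms
// shown in this guide, not parameters or commas inside quoted strings.
const WEBAUTHN_FEATURES = ["publickey-credentials-get", "publickey-credentials-create"];

// The two header values from step 2, reused as sample input.
const WILDCARD_HEADER = "publickey-credentials-get=(*), publickey-credentials-create=(*)";
const SCOPED_HEADER =
  'publickey-credentials-get=("https://yourdomain.com"), ' +
  'publickey-credentials-create=("https://yourdomain.com")';

// Parse "feature=(item item), feature=*" into Map<feature, string[]>.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  const member = /([a-z0-9-]+)\s*=\s*(\([^)]*\)|[^,\s]+)/gi;
  for (const [, name, raw] of headerValue.matchAll(member)) {
    const inner = raw.startsWith("(") ? raw.slice(1, -1) : raw;
    const items = inner.split(/\s+/).filter(Boolean).map((s) => s.replace(/^"|"$/g, ""));
    policy.set(name.toLowerCase(), items);
  }
  return policy;
}

// Normalise so "https://yourdomain.com/" and "https://YOURDOMAIN.com" compare equal.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // not a URL (e.g. "*", "self", undefined)
  }
}

// For each WebAuthn feature: is it declared, is it a wildcard, and does the
// allowlist cover `origin`? `selfOrigin` (optional) resolves the `self` keyword.
function auditWebAuthnPolicy(headerValue, origin, selfOrigin) {
  const policy = parsePermissionsPolicy(headerValue);
  const target = normalizeOrigin(origin);
  const report = {};
  for (const feature of WEBAUTHN_FEATURES) {
    const allowlist = policy.get(feature);
    const wildcard = Boolean(allowlist) && allowlist.includes("*");
    const listed = Boolean(allowlist) && target !== null && allowlist.some((item) =>
      normalizeOrigin(item === "self" ? selfOrigin : item) === target);
    report[feature] = { declared: Boolean(allowlist), wildcard, covers: wildcard || listed };
  }
  return report;
}

console.log(auditWebAuthnPolicy(SCOPED_HEADER, "https://other.example"));
```

A report with wildcard set to true for either feature is the case the scoped header is meant to replace.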

3. Handle User Activation

Passkey operations (creation or authentication) must be triggered by a clear user action (also called "transient user activation"). Use event listeners for buttons or form submissions:

// publicKeyCredentialRequestOptions must be defined before this handler runs.
document.getElementById("loginPasskeyButton").addEventListener("click", async () => {
  try {
    const credential = await navigator.credentials.get({
      publicKey: publicKeyCredentialRequestOptions,
    });
    // Handle the authenticated credential
  } catch (err) {
    console.error("Passkey authentication error:", err);
  }
});

4. Test and Validate

Verify correct Permissions-Policy settings in browser developer tools under the "Application → Frames" section.

Conduct cross-browser testing, especially in browsers with strict cross-origin rules (e.g., Safari).

Following these steps ensures secure and seamless passkey integration in iframes.
