@auth0/auth0-spa-js

constructor

constructor(options: Auth0ClientOptions);

property mfa

readonly mfa: MfaApiClient;

• MFA API client for multi-factor authentication operations.

  Provides methods for: - Listing enrolled authenticators - Enrolling new authenticators (OTP, SMS, Voice, Push, Email) - Initiating MFA challenges - Verifying MFA challenges

property myAccount

readonly myAccount: MyAccountApiClient;

property passkey

readonly passkey: PasskeyApiClient;

• Passkey API client for passwordless authentication.

  Provides two single-call methods that handle the full WebAuthn flow internally: - signup(options) — register a new user with a passkey - login(options?) — authenticate an existing user with a passkey

method checkSession

checkSession: (options?: GetTokenSilentlyOptions) => Promise<void>;

• await auth0.checkSession();

  Check if the user is logged in using getTokenSilently. The difference with getTokenSilently is that this doesn't return a token, but it will pre-fill the token cache.

  This method also heeds the auth0.{clientId}.is.authenticated cookie, as an optimization to prevent calling Auth0 unnecessarily. If the cookie is not present because there was no previous login (or it has expired) then tokens will not be refreshed.

  It should be used for silently logging in the user when you instantiate the Auth0Client constructor. You should not need this if you are using the createAuth0Client factory.

  **Note:** the cookie **may not** be present if running an app using a private tab, as some browsers clear JS cookie data and local storage when the tab or page is closed, or on page reload. This effectively means that checkSession could silently return without authenticating the user on page refresh when using a private tab, despite having previously logged in. As a workaround, use getTokenSilently instead and handle the possible login_required error [as shown in the readme](https://github.com/auth0/auth0-spa-js#creating-the-client).

  Parameter options

method connectAccountWithRedirect

connectAccountWithRedirect: <TAppState = any>(
    options: RedirectConnectAccountOptions<TAppState>
) => Promise<void>;

• Initiates a redirect to connect the user's account with a specified connection. This method generates PKCE parameters, creates a transaction, and redirects to the /connect endpoint.

  You must enable Offline Access from the Connection Permissions settings to be able to use the connection with Connected Accounts.

  TAppState - The application state to persist through the transaction.

  Parameter options

  Options for the connect account redirect flow.

  Parameter

  {string} options.connection - The name of the connection to link (e.g. 'google-oauth2').

  Parameter

  {string[]} [options.scopes] - Array of scopes to request from the Identity Provider during the connect account flow.

  Parameter

  {AuthorizationParams} [options.authorization_params] - Additional authorization parameters for the request to the upstream IdP.

  Parameter

  {string} [options.redirectUri] - The URI to redirect back to after connecting the account.

  Parameter

  {TAppState} [options.appState] - Application state to persist through the transaction.

  Parameter

  {(url: string) => Promise} [options.openUrl] - Custom function to open the URL.

  Returns

  {Promise} Resolves when the redirect is initiated.

  Throws

  {MyAccountApiError} If the connect request to the My Account API fails.

method createFetcher

createFetcher: <TOutput extends CustomFetchMinimalOutput = Response>(
    config?: FetcherConfig<TOutput>
) => Fetcher<TOutput>;

• Returns a new Fetcher class that will contain a fetchWithAuth() method. This is a drop-in replacement for the Fetch API's fetch() method, but will handle certain authentication logic for you, like building the proper auth headers or managing DPoP nonces and retries automatically.

  Check the EXAMPLES.md file for a deeper look into this method.

method customTokenExchange

customTokenExchange: (
    options: CustomTokenExchangeOptions
) => Promise<TokenEndpointResponse>;

• await auth0.customTokenExchange(options);

  Exchanges an external subject token for Auth0 tokens without affecting the current session.

  Unlike loginWithCustomTokenExchange, this method has no side effects — it does not cache tokens, does not update the authenticated session, and does not affect isAuthenticated() or getUser(). Use this for delegation or impersonation scenarios where you need a token for a downstream API but do not want to change who the current user is.

  When a Web Worker is configured, the refresh_token is discarded inside the worker and never reaches the main thread. When no Web Worker is configured, the raw authorization server response is returned — if a refresh_token is present, discard it; this method intentionally does not store it.

  Parameter options

  The options required to perform the token exchange.

  Returns

  {Promise} A promise that resolves to the token endpoint response.

  **Example:**

  const tokenResponse = await auth0.customTokenExchange({
    subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
    subject_token_type: 'urn:acme:legacy-system-token',
    actor_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
    actor_token_type: 'https://idp.example.com/token-type/agent',
    audience: 'https://api.example.com',
  });
  
  // Use tokenResponse.access_token to call downstream API
  // Current user session is unchanged

method exchangeToken

exchangeToken: (
    options: CustomTokenExchangeOptions
) => Promise<TokenEndpointResponse>;

• Parameter options

  The options required to perform the token exchange.

  Returns

  {Promise} A promise that resolves to the token endpoint response.

  **Example:**

  // Instead of:
  const tokens = await auth0.exchangeToken(options);
  
  // Use:
  const tokens = await auth0.loginWithCustomTokenExchange(options);

  Deprecated

  Use loginWithCustomTokenExchange() instead. This method will be removed in the next major version.

  Exchanges an external subject token for Auth0 tokens.

method generateDpopProof

generateDpopProof: (params: {
    url: string;
    method: string;
    nonce?: string;
    accessToken: string;
}) => Promise<string>;

• Returns a string to be used to demonstrate possession of the private key used to cryptographically bind access tokens with DPoP.

  It requires enabling the Auth0ClientOptions.useDpop option.

method getConfiguration

getConfiguration: () => Readonly<ClientConfiguration>;

• Returns a readonly copy of the initialization configuration.

  Returns

  An object containing domain and clientId

  Example 1

  const auth0 = new Auth0Client({
    domain: 'tenant.auth0.com',
    clientId: 'abc123'
  });
  
  const config = auth0.getConfiguration();
  // { domain: 'tenant.auth0.com', clientId: 'abc123' }

method getDpopNonce

getDpopNonce: (id?: string) => Promise<string | undefined>;

• Returns the current DPoP nonce used for making requests to Auth0.

  It can return undefined because when starting fresh it will not be populated until after the first response from the server.

  It requires enabling the Auth0ClientOptions.useDpop option.

  Parameter nonce

  The nonce value.

  Parameter id

  The identifier of a nonce: if absent, it will get the nonce used for requests to Auth0. Otherwise, it will be used to select a specific non-Auth0 nonce.

method getIdTokenClaims

getIdTokenClaims: () => Promise<IdToken | undefined>;

• const claims = await auth0.getIdTokenClaims();

  Returns all claims from the id_token if available.

method getTokenSilently

getTokenSilently: {
    (
        options: GetTokenSilentlyOptions & { detailedResponse: true }
    ): Promise<GetTokenSilentlyVerboseResponse>;
    (options?: GetTokenSilentlyOptions): Promise<string>;
};

• Fetches a new access token and returns the response from the /oauth/token endpoint, omitting the refresh token.

  Parameter options

• Fetches a new access token and returns it.

  Parameter options

method getTokenWithPopup

getTokenWithPopup: (
    options?: GetTokenWithPopupOptions,
    config?: PopupConfigOptions
) => Promise<string | undefined>;

• const token = await auth0.getTokenWithPopup(options);

  Opens a popup with the /authorize URL using the parameters provided as arguments. Random and secure state and nonce parameters will be auto-generated. If the response is successful, results will be valid according to their expiration times.

  Parameter options

  Parameter config

method getUser

getUser: <TUser extends User>() => Promise<TUser | undefined>;

• const user = await auth0.getUser();

  Returns the user information if available (decoded from the id_token).

method handleRedirectCallback

handleRedirectCallback: <TAppState = any>(
    url?: string
) => Promise<
    RedirectLoginResult<TAppState> | ConnectAccountRedirectResult<TAppState>
>;

• After the browser redirects back to the callback page, call handleRedirectCallback to handle success and error responses from Auth0. If the response is successful, results will be valid according to their expiration times.

method isAuthenticated

isAuthenticated: () => Promise<boolean>;

• const isAuthenticated = await auth0.isAuthenticated();

  Returns true if there's valid information stored, otherwise returns false.

method loginWithCustomTokenExchange

loginWithCustomTokenExchange: (
    options: CustomTokenExchangeOptions
) => Promise<TokenEndpointResponse>;

method loginWithPopup

loginWithPopup: (
    options?: PopupLoginOptions,
    config?: PopupConfigOptions
) => Promise<void>;

• try {
   await auth0.loginWithPopup(options);
  } catch(e) {
   if (e instanceof PopupCancelledError) {
     // Popup was closed before login completed
   }
  }

  Opens a popup with the /authorize URL using the parameters provided as arguments. Random and secure state and nonce parameters will be auto-generated. If the response is successful, results will be valid according to their expiration times.

  IMPORTANT: This method has to be called from an event handler that was started by the user like a button click, for example, otherwise the popup will be blocked in most browsers.

  Parameter options

  Parameter config

method loginWithRedirect

loginWithRedirect: <TAppState = any>(
    options?: RedirectLoginOptions<TAppState>
) => Promise<void>;

• await auth0.loginWithRedirect(options);

  Performs a redirect to /authorize using the parameters provided as arguments. Random and secure state and nonce parameters will be auto-generated.

  Parameter options

method logout

logout: (options?: LogoutOptions) => Promise<void>;

• await auth0.logout(options);

  Clears the application session and performs a redirect to /v2/logout, using the parameters provided as arguments, to clear the Auth0 session.

  If the federated option is specified it also clears the Identity Provider session. [Read more about how Logout works at Auth0](https://auth0.com/docs/logout).

  Parameter options

method revokeRefreshToken

revokeRefreshToken: (options?: RevokeRefreshTokenOptions) => Promise<void>;

• await auth0.revokeRefreshToken();

  Revokes the refresh token using the /oauth/revoke endpoint. This invalidates the refresh token so it can no longer be used to obtain new access tokens.

  The method works with both memory and localStorage cache modes: - For memory storage with worker: The refresh token never leaves the worker thread, maintaining security isolation - For localStorage: The token is retrieved from cache and revoked

  If useRefreshTokens is disabled, this method does nothing.

  **Important:** This method revokes the refresh token for a single audience. If your application requests tokens for multiple audiences, each audience may have its own refresh token. To fully revoke all refresh tokens, call this method once per audience. If you want to terminate the user's session entirely, use logout() instead.

  When using Multi-Resource Refresh Tokens (MRRT), a single refresh token may cover multiple audiences. In that case, revoking it will affect all cache entries that share the same token.

  Parameter options

  Optional parameters to identify which refresh token to revoke. Defaults to the audience configured in authorizationParams.

  Example 1

  // Revoke the default refresh token await auth0.revokeRefreshToken();

  Example 2

  // Revoke refresh tokens for each audience individually await auth0.revokeRefreshToken({ audience: 'https://api.example.com' }); await auth0.revokeRefreshToken({ audience: 'https://api2.example.com' });

method setDpopNonce

setDpopNonce: (nonce: string, id?: string) => Promise<void>;

• Sets the current DPoP nonce used for making requests to Auth0.

  It requires enabling the Auth0ClientOptions.useDpop option.

  Parameter nonce

  The nonce value.

  Parameter id

  The identifier of a nonce: if absent, it will set the nonce used for requests to Auth0. Otherwise, it will be used to select a specific non-Auth0 nonce.

constructor

constructor(
    error: string,
    error_description: string,
    state: string,
    appState?: any
);

property appState

appState: any;

property state

state: string;

constructor

constructor(data: CacheKeyData, prefix?: string, suffix?: string);

property audience

audience?: string;

property clientId

clientId: string;

property prefix

prefix: string;

property scope

scope?: string;

property suffix

suffix?: string;

method fromCacheEntry

static fromCacheEntry: (entry: CacheEntry) => CacheKey;

• Utility function to build a CacheKey instance from a cache entry

  Parameter entry

  The entry

  Returns

  An instance of CacheKey

method fromKey

static fromKey: (key: string) => CacheKey;

• Converts a cache key string into a CacheKey instance.

  Parameter key

  The key to convert

  Returns

  An instance of CacheKey

method toKey

toKey: () => string;

• Converts this CacheKey instance into a string for use in a cache

  Returns

  A string representation of the key

constructor

constructor(
    error: string,
    error_description: string,
    connection: string,
    state: string,
    appState?: any
);

property appState

appState: any;

property connection

connection: string;

property state

state: string;

constructor

constructor(config: FetcherConfig<TOutput>, hooks: FetcherHooks);

property config

protected readonly config: Omit<FetcherConfig<TOutput>, 'fetch'> &
    Required<Pick<FetcherConfig<TOutput>, 'fetch'>>;

property hooks

protected readonly hooks: FetcherHooks;

method buildBaseRequest

protected buildBaseRequest: (
    info: RequestInfo | URL,
    init: RequestInit | undefined
) => Request;

method buildUrl

protected buildUrl: (
    baseUrl: string | undefined,
    url: string | undefined
) => string;

method extractUrl

protected extractUrl: (info: RequestInfo | URL) => string;

method fetchWithAuth

fetchWithAuth: (
    info: RequestInfo | URL,
    init?: RequestInit,
    authParams?: AuthParams
) => Promise<TOutput>;

method getAccessToken

protected getAccessToken: (
    authParams?: AuthParams
) => Promise<string | GetTokenSilentlyVerboseResponse>;

method getHeader

protected getHeader: (headers: ResponseHeaders, name: string) => string;

method handleResponse

protected handleResponse: (
    response: TOutput,
    callbacks: FetchWithAuthCallbacks<TOutput>
) => Promise<TOutput>;

method hasUseDpopNonceError

protected hasUseDpopNonceError: (response: TOutput) => boolean;

method internalFetchWithAuth

protected internalFetchWithAuth: (
    info: RequestInfo | URL,
    init: RequestInit | undefined,
    callbacks: FetchWithAuthCallbacks<TOutput>,
    authParams?: AuthParams
) => Promise<TOutput>;

method isAbsoluteUrl

protected isAbsoluteUrl: (url: string) => boolean;

method prepareRequest

protected prepareRequest: (
    request: Request,
    authParams?: AuthParams
) => Promise<void>;

method setAuthorizationHeader

protected setAuthorizationHeader: (
    request: Request,
    accessToken: string,
    tokenType?: string
) => void;

method setDpopProofHeader

protected setDpopProofHeader: (
    request: Request,
    accessToken: string
) => Promise<void>;

constructor

constructor(error: string, error_description: string);

property error

error: string;

property error_description

error_description: string;

method fromPayload

static fromPayload: ({
    error,
    error_description,
}: {
    error: string;
    error_description: string;
}) => GenericError;

property enclosedCache

enclosedCache: ICache;

method allKeys

allKeys: () => string[];

method get

get: <T = Cacheable>(key: string) => MaybePromise<T | undefined>;

method remove

remove: (key: string) => void;

method set

set: <T = Cacheable>(key: string, entry: T) => void;

method challenge

challenge: (params: ChallengeAuthenticatorParams) => Promise<ChallengeResponse>;

• Initiates an MFA challenge

  Sends OTP via SMS, initiates push notification, or prepares for OTP entry

  Parameter params

  Challenge parameters including mfaToken

  Returns

  Challenge response with oobCode if applicable

  Throws

  {MfaChallengeError} If challenge initiation fails

  Example 1

  OTP challenge

  const challenge = await mfa.challenge({
    mfaToken: mfaTokenFromLogin,
    challengeType: 'otp',
    authenticatorId: 'otp|dev_xxx'
  });
  // User enters OTP from their authenticator app

  Example 2

  SMS challenge

  const challenge = await mfa.challenge({
    mfaToken: mfaTokenFromLogin,
    challengeType: 'oob',
    authenticatorId: 'sms|dev_xxx'
  });
  console.log(challenge.oobCode); // Use for verification

method enroll

enroll: (params: EnrollParams) => Promise<EnrollmentResponse>;

• Enrolls a new MFA authenticator

  Requires MFA access token with 'enroll' scope

  Parameter params

  Enrollment parameters including mfaToken and factorType

  Returns

  Enrollment response with authenticator details

  Throws

  {MfaEnrollmentError} If enrollment fails

  Example 1

  OTP enrollment

  const enrollment = await mfa.enroll({
    mfaToken: mfaToken,
    factorType: 'otp'
  });
  console.log(enrollment.secret); // Base32 secret
  console.log(enrollment.barcodeUri); // QR code URI

  Example 2

  SMS enrollment

  const enrollment = await mfa.enroll({
    mfaToken: mfaToken,
    factorType: 'sms',
    phoneNumber: '+12025551234'
  });

method getAuthenticators

getAuthenticators: (mfaToken: string) => Promise<Authenticator[]>;

• Gets enrolled MFA authenticators filtered by challenge types from context.

  Challenge types are automatically resolved from the stored MFA context (set when mfa_required error occurred).

  Parameter mfaToken

  MFA token from mfa_required error

  Returns

  Array of enrolled authenticators matching the challenge types

  Throws

  {MfaListAuthenticatorsError} If the request fails or context not found

  Example 1

  Basic usage

  try {
    await auth0.getTokenSilently();
  } catch (e) {
    if (e instanceof MfaRequiredError) {
      // SDK automatically uses challenge types from error context
      const authenticators = await auth0.mfa.getAuthenticators(e.mfa_token);
    }
  }

method getEnrollmentFactors

getEnrollmentFactors: (mfaToken: string) => Promise<EnrollmentFactor[]>;

• Gets available MFA enrollment factors from the stored context.

  This method exposes the enrollment options from the mfa_required error's mfaRequirements.enroll array, eliminating the need for manual parsing.

  Parameter mfaToken

  MFA token from mfa_required error

  Returns

  Array of enrollment factors available for the user (empty array if no enrollment required)

  Throws

  {MfaEnrollmentFactorsError} If MFA context not found

  Example 1

  Basic usage

  try {
    await auth0.getTokenSilently();
  } catch (error) {
    if (error.error === 'mfa_required') {
      // Get enrollment options from SDK
      const enrollOptions = await auth0.mfa.getEnrollmentFactors(error.mfa_token);
      // [{ type: 'otp' }, { type: 'phone' }, { type: 'push-notification' }]
  
      showEnrollmentOptions(enrollOptions);
    }
  }

  Example 2

  Check if enrollment is required

  try {
    const factors = await auth0.mfa.getEnrollmentFactors(mfaToken);
    if (factors.length > 0) {
      // User needs to enroll in MFA
      renderEnrollmentUI(factors);
    } else {
      // No enrollment required, proceed with challenge
    }
  } catch (error) {
    if (error instanceof MfaEnrollmentFactorsError) {
      console.error('Context not found:', error.error_description);
    }
  }

method verify

verify: (params: VerifyParams) => Promise<TokenEndpointResponse>;

• Verifies an MFA challenge and completes authentication

  The scope and audience are retrieved from the stored context (set when the mfa_required error occurred). The grant_type is automatically inferred from which verification field is provided (otp, oobCode, or recoveryCode).

  Parameter params

  Verification parameters with OTP, OOB code, or recovery code

  Returns

  Token response with access_token, id_token, refresh_token

  Throws

  {MfaVerifyError} If verification fails (invalid code, expired, rate limited)

  Throws

  {MfaVerifyError} If MFA context not found

  Throws

  {MfaVerifyError} If grant_type cannot be inferred

  Rate limits: - 10 verification attempts allowed - Refreshes at 1 attempt per 6 minutes

  Example 1

  OTP verification (grant_type inferred from otp field)

  const tokens = await mfa.verify({
    mfaToken: mfaTokenFromLogin,
    otp: '123456'
  });
  console.log(tokens.access_token);

  Example 2

  OOB verification (grant_type inferred from oobCode field)

  const tokens = await mfa.verify({
    mfaToken: mfaTokenFromLogin,
    oobCode: challenge.oobCode,
    bindingCode: '123456' // Code user received via SMS
  });

  Example 3

  Recovery code verification (grant_type inferred from recoveryCode field)

  const tokens = await mfa.verify({
    mfaToken: mfaTokenFromLogin,
    recoveryCode: 'XXXX-XXXX-XXXX'
  });

constructor

constructor(error: string, error_description: string);

constructor

constructor(error: string, error_description: string);

constructor

constructor(error: string, error_description: string);

constructor

constructor(error: string, error_description: string);

method fromPayload

static fromPayload: ({
    error,
    error_description,
}: {
    error: string;
    error_description: string;
}) => MfaError;

constructor

constructor(error: string, error_description: string);

constructor

constructor(
    error: string,
    error_description: string,
    mfa_token: string,
    mfa_requirements: MfaRequirements
);

property mfa_requirements

mfa_requirements: MfaRequirements;

property mfa_token

mfa_token: string;

constructor

constructor(error: string, error_description: string);

constructor

constructor(audience: string, scope: string);

property audience

audience: string;

property scope

scope: string;

constructor

constructor(myAccountFetcher: Fetcher<Response>, apiBase: string);

method completeAccount

completeAccount: (params: CompleteRequest) => Promise<CompleteResponse>;

• Verify the redirect from the connect account flow and complete the connecting of the account.

  Parameter params

  Completion parameters including auth session, connect code, and redirect URI

  Returns

  A promise that resolves to the completed connected account details

method connectAccount

connectAccount: (params: ConnectRequest) => Promise<ConnectResponse>;

• Get a ticket for the connect account flow.

  Parameter params

  Connection parameters including connection name and redirect URI

  Returns

  A promise that resolves to a connect response with the redirect URI and auth session

method deleteAuthenticationMethod

deleteAuthenticationMethod: (id: string) => Promise<void>;

• Delete an authentication method by ID.

  Parameter id

  The ID of the authentication method to delete

  Returns

  A promise that resolves when the authentication method has been deleted

method enrollmentChallenge

enrollmentChallenge: (
    options: EnrollmentChallengeOptions
) => Promise<EnrollmentChallengeResponse>;

• Start the enrollment of an authentication method for the current user. The response shape varies by type.

  Parameter options

  Enrollment challenge options specifying the factor type and any type-specific fields

  Returns

  A promise that resolves to the enrollment challenge response (shape varies by type)

method enrollmentVerify

enrollmentVerify: (
    options: EnrollmentVerifyOptions
) => Promise<AuthenticationMethod>;

• Confirm the enrollment of an authentication method to complete registration.

  Parameter options

  Enrollment verify options including the auth session and type-specific verification data

  Returns

  A promise that resolves to the confirmed authentication method

method getAuthenticationMethod

getAuthenticationMethod: (id: string) => Promise<AuthenticationMethod>;

• Get an authentication method by ID.

  Parameter id

  The ID of the authentication method to retrieve

  Returns

  A promise that resolves to the authentication method

method getAuthenticationMethods

getAuthenticationMethods: (
    type?: AuthenticationMethodType
) => Promise<AuthenticationMethod[]>;

• Get a list of all authentication methods for the current user.

  Parameter type

  Optional filter to return only methods of a specific type

  Returns

  A promise that resolves to an array of authentication methods

method getFactors

getFactors: () => Promise<Factor[]>;

• Get the status of all factors for the current user.

  Returns

  A promise that resolves to an array of factors with their enabled/disabled status

method updateAuthenticationMethod

updateAuthenticationMethod: (
    id: string,
    data: UpdateAuthenticationMethodRequest
) => Promise<AuthenticationMethod>;

• Update details of an authentication method by ID.

  Parameter id

  The ID of the authentication method to update

  Parameter data

  The fields to update (e.g. name, preferred_authentication_method for phone)

  Returns

  A promise that resolves to the updated authentication method

constructor

constructor({ type, status, title, detail, validation_errors }: ErrorResponse);

property detail

readonly detail: string;

• Human-readable explanation specific to this occurrence

property status

readonly status: number;

• HTTP status code

property title

readonly title: string;

• Short human-readable summary of the error

property type

readonly type: string;

• RFC 7807 error type identifier

property validation_errors

readonly validation_errors?: {
    detail: string;
    field?: string;
    pointer?: string;
    source?: string;
}[];

• Field-level validation errors, if present

method login

login: (options?: PasskeyLoginOptions) => Promise<TokenEndpointResponse>;

• Sign in with an existing passkey.

  Handles the full flow: requests a login challenge, triggers the browser WebAuthn assertion ceremony, serializes the result, and exchanges it for tokens.

  Parameter options

  Optional passkey login options (optional scope/audience/realm/organization)

  Returns

  A promise that resolves to the token endpoint response containing access/ID tokens

  Throws

  {PasskeyError} If WebAuthn is not supported in the browser

  Throws

  {PasskeyChallengeError} If the challenge request fails

  Throws

  {GenericError} If the token exchange fails

  Throws

  {PasskeyError} If the user cancels the WebAuthn prompt

method signup

signup: (options: PasskeySignupOptions) => Promise<TokenEndpointResponse>;

• Register a new user with a passkey.

  Handles the full flow: requests a signup challenge, triggers the browser WebAuthn credential creation ceremony, serializes the result, and exchanges it for tokens.

  Parameter options

  Passkey signup options (user identifier, optional scope/audience)

  Returns

  A promise that resolves to the token endpoint response containing access/ID tokens

  Throws

  {PasskeyError} If WebAuthn is not supported in the browser

  Throws

  {PasskeyRegisterError} If the challenge request fails

  Throws

  {GenericError} If the token exchange fails

  Throws

  {PasskeyError} If the user cancels the WebAuthn prompt

constructor

constructor(code: string, message: string, cause?: PasskeyErrorResponse);

property cause

readonly cause?: PasskeyErrorResponse;

property code

readonly code: string;

constructor

constructor(popup: Window);

property popup

popup: Window;

constructor

constructor();

constructor

constructor(popup: Window);

property popup

popup: Window;

constructor

constructor();

constructor

constructor(newDpopNonce: string);