
Authenticator store (passkeys)

goauth.AuthenticatorStore persists WebAuthn credentials. Required for the passkey provider.

Interface

type AuthenticatorStore interface {
	CreateAuthenticator(ctx context.Context, a *Authenticator) (*Authenticator, error)
	GetAuthenticator(ctx context.Context, credentialID string) (*Authenticator, error)
	ListAuthenticatorsByUser(ctx context.Context, userID string) ([]*Authenticator, error)
	UpdateAuthenticator(ctx context.Context, a *Authenticator) error
	DeleteAuthenticator(ctx context.Context, credentialID string) error
}

Authenticator model

type Authenticator struct {
	CredentialID         string
	UserID               string
	ProviderAccountID    string
	CredentialPublicKey  []byte
	Counter              uint32
	CredentialDeviceType string
	CredentialBackedUp   bool
	Transports           []string
}

CredentialID is stored as base64url text in SQL adapters.

Implementing for a custom adapter

  1. Add an authenticators table (see postgres.Schema).
  2. Implement all five methods.
  3. Register the adapter in Config.Adapter.
  4. Add PasskeyProvider to Providers.

Example: list user passkeys (admin UI)

store := adapter.(goauth.AuthenticatorStore) // panics if the adapter does not implement the interface
auths, err := store.ListAuthenticatorsByUser(ctx, userID)
if err != nil {
	return err
}
for _, a := range auths {
	fmt.Println(a.CredentialID, a.CredentialDeviceType, a.Counter)
}

Revoke a passkey

err := store.DeleteAuthenticator(ctx, credentialID)

There is no dedicated HTTP route yet — call the adapter from your application API.
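
Because DeleteAuthenticator takes only a credential ID, an application route that calls it should first confirm the credential belongs to the signed-in user. The following is an added example, not goauth's own code: RevokePasskey, revokeStore, memStore and ErrNotFound are hypothetical names, the Authenticator type is a trimmed local stand-in, and it assumes a missing credential comes back from GetAuthenticator as nil or as an error.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Trimmed local stand-in for goauth.Authenticator so the example compiles alone.
type Authenticator struct {
	CredentialID string
	UserID       string
}

// Only the two AuthenticatorStore methods the revoke path needs.
type revokeStore interface {
	GetAuthenticator(ctx context.Context, credentialID string) (*Authenticator, error)
	DeleteAuthenticator(ctx context.Context, credentialID string) error
}

// ErrNotFound is returned for unknown and foreign credentials alike, so the
// route does not reveal which credential IDs exist for other users.
var ErrNotFound = errors.New("passkey not found")

// RevokePasskey deletes credentialID only if it belongs to sessionUserID.
// sessionUserID must come from the authenticated session, never the request.
// Assumption: a missing credential is reported as nil or as an error.
func RevokePasskey(ctx context.Context, s revokeStore, sessionUserID, credentialID string) error {
	a, err := s.GetAuthenticator(ctx, credentialID)
	if err != nil || a == nil || a.UserID != sessionUserID {
		return ErrNotFound
	}
	return s.DeleteAuthenticator(ctx, credentialID)
}

// memStore is a constructed in-memory store holding sample data.
type memStore map[string]*Authenticator

func (m memStore) GetAuthenticator(_ context.Context, id string) (*Authenticator, error) {
	return m[id], nil
}
func (m memStore) DeleteAuthenticator(_ context.Context, id string) error {
	delete(m, id)
	return nil
}

func main() {
	s := memStore{"cred-A": {CredentialID: "cred-A", UserID: "alice"}}
	fmt.Println(RevokePasskey(context.Background(), s, "bob", "cred-A"))   // passkey not found
	fmt.Println(RevokePasskey(context.Background(), s, "alice", "cred-A")) // <nil>
}
```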