# Start a Passkey Challenge

> Request a passkey challenge for users to authenticate to your Native or Web application using an existing, registered passkey.

## Endpoint

`POST /passkey/challenge`

Request a passkey challenge so a user can authenticate to your Native or Web application using a previously registered passkey. The endpoint returns the WebAuthn parameters your application uses to invoke the platform authenticator, and an `auth_session` value you exchange for tokens at `/oauth/token` using the passkey grant.

This endpoint backs the Passkey APIs for Native and Web applications. Pair it with the Auth0 [token exchange for passkey](https://auth0.com/docs/authenticate/database-connections/passkeys) grant, which consumes the `auth_session` returned here together with the assertion the authenticator signs over the challenge.

### Remarks

* The application's [grant types](/docs/get-started/applications/application-settings#grant-types) must include: `urn:okta:params:oauth:grant-type:webauthn`.
* The application must be a [first-party application](https://auth0.com/docs/get-started/applications/confidential-and-public-applications). Third-party applications are not allowed to call this endpoint.
* The application must be OIDC conformant.
* The request must be made against a [custom domain](https://auth0.com/docs/customize/custom-domains) configured for your tenant. Calls to the default Auth0 domain (`{tenant}.auth0.com`) are rejected.

## Request Body

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="client_secret" type="string">
  The `client_secret` of your application. Required for confidential applications using the `client_secret_post` token endpoint authentication method.
</ParamField>

<ParamField body="realm" type="string">
  Name of the database connection to authenticate against. If omitted, Auth0 uses your tenant's default database connection for the application.
</ParamField>

<ParamField body="organization" type="string">
  ID of the [Auth0 Organization](https://auth0.com/docs/manage-users/organizations) to which the user is signing in. Required when the application's `organization_usage` is set to `require`.
</ParamField>

## Response

A successful response contains the WebAuthn parameters your application passes to the platform authenticator and an `auth_session` value that ties the subsequent assertion to this challenge.

<ResponseField name="auth_session" type="string">
  Opaque session identifier. Pass it in the token exchange request that completes the passkey login.
</ResponseField>

<ResponseField name="authn_params_public_key" type="object">
  WebAuthn `PublicKeyCredentialRequestOptions` to invoke on the platform authenticator.

  <Expandable title="properties">
    <ResponseField name="challenge" type="string">
      Server-generated challenge that the authenticator must sign.
    </ResponseField>

    <ResponseField name="timeout" type="integer">
      Lifetime of the challenge in milliseconds. The challenge expires after this period and cannot be reused.
    </ResponseField>

    <ResponseField name="rpId" type="string">
[Relying party identifier (RP ID)](/docs/authenticate/database-connections/passkeys#relying-party-id-for-passkeys). Defaults to the tenant custom domain; when the tenant has a custom relying party identifier configured, Auth0 returns that `rp.id` value instead. On the web the browser only honours an `rpId` that equals, or is a registrable suffix of, the effective domain of the page's origin, so the returned value must match the domain your application is served from.
    </ResponseField>

    <ResponseField name="userVerification" type="string">
      WebAuthn user verification requirement. Always returns `preferred`.
    </ResponseField>
  </Expandable>
</ResponseField>

| Status | Description                                                                                                                                                                                                              |
| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| 200    | Challenge generated successfully.                                                                                                                                                                                        |
| 400    | Invalid request. Common causes: missing or invalid parameters, an application not configured for passkey authentication, a request made against the default Auth0 domain instead of a custom domain, or a third-party application. |
| 401    | Unauthorized. Invalid client credentials.                                                                                                                                                                                |
| 404    | The Passkey APIs are not enabled for the tenant.                                                                                                                                                                         |
| 429    | Too many requests. Per-IP rate limit exceeded.                                                                                                                                                                           |
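Putting the two calls together, as an added example that is not Auth0's own code: browser-side JavaScript that builds the challenge request, validates the response and converts it into `navigator.credentials.get()` options, then serializes the resulting assertion for the token exchange. The custom domain `login.example.com`, the client ID, the connection name, the sample response and the field names under `authn_response` in the `/oauth/token` body are assumptions for illustration; the page itself only fixes `auth_session`, the grant type and the response fields documented above.

```javascript
// Added example, not Auth0's code. Domain, client_id, realm, the sample
// response and the `authn_response` shape below are assumptions for
// illustration; verify the token-exchange body against the Auth0 docs.

const PASSKEY_GRANT = 'urn:okta:params:oauth:grant-type:webauthn';

// base64url <-> bytes. The HTTP response carries `challenge` as a base64url
// string, while WebAuthn options need it as a BufferSource.
const decodeB64 = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('latin1'));
const encodeB64 = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'latin1').toString('base64'));

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = decodeB64(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return encodeB64(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build POST /passkey/challenge. The default Auth0 domain is refused locally,
// since the page states such calls are rejected anyway: fail fast with a
// clear reason instead of a 400 from the server.
function buildChallengeRequest({ domain, clientId, realm, organization, clientSecret }) {
  if (/\.auth0\.com$/i.test(domain)) {
    throw new Error(`passkey APIs require a custom domain, not ${domain}`);
  }
  const body = { client_id: clientId };
  if (realm) body.realm = realm;
  if (organization) body.organization = organization;
  if (clientSecret) body.client_secret = clientSecret; // confidential clients only
  return {
    url: `https://${domain}/passkey/challenge`,
    init: { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) },
  };
}

// Validate the JSON response and turn it into navigator.credentials.get()
// options. rpId is checked against the domain the page expects: the browser
// would reject a mismatch too, but with a generic SecurityError.
function toCredentialRequestOptions(resp, expectedRpId) {
  if (!resp || typeof resp.auth_session !== 'string' || !resp.auth_session) {
    throw new Error('response lacks auth_session');
  }
  const p = resp.authn_params_public_key;
  if (!p || typeof p.challenge !== 'string') {
    throw new Error('response lacks authn_params_public_key.challenge');
  }
  if (p.rpId !== expectedRpId) {
    throw new Error(`rpId ${p.rpId} does not match expected ${expectedRpId}`);
  }
  if (!Number.isInteger(p.timeout) || p.timeout <= 0) {
    throw new Error('timeout must be a positive integer of milliseconds');
  }
  return {
    authSession: resp.auth_session,
    options: {
      publicKey: {
        challenge: base64urlToBytes(p.challenge),
        rpId: p.rpId,
        timeout: p.timeout,
        userVerification: p.userVerification,
        // no allowCredentials: a passkey is a discoverable credential, so the
        // authenticator picks the credential registered for this rpId itself
      },
    },
  };
}

// Serialize the PublicKeyCredential from navigator.credentials.get() into the
// POST /oauth/token body. Field names under `authn_response` are assumed.
function buildTokenExchangeBody({ clientId, realm, authSession, credential }) {
  const r = credential.response;
  return {
    client_id: clientId,
    grant_type: PASSKEY_GRANT,
    auth_session: authSession,
    realm,
    authn_response: {
      id: credential.id,
      rawId: bytesToBase64url(credential.rawId),
      type: credential.type,
      authenticatorAttachment: credential.authenticatorAttachment,
      response: {
        clientDataJSON: bytesToBase64url(r.clientDataJSON),
        authenticatorData: bytesToBase64url(r.authenticatorData),
        signature: bytesToBase64url(r.signature),
        userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
      },
    },
  };
}

// Constructed sample response (not captured from Auth0) for an offline dry run.
const SAMPLE_RESPONSE = {
  auth_session: 'sess_example',
  authn_params_public_key: { challenge: 'aGVsbG8', timeout: 60000, rpId: 'login.example.com', userVerification: 'preferred' },
};

// Full browser flow; runs only where fetch and navigator.credentials exist.
async function loginWithPasskey({ domain, clientId, realm }) {
  const { url, init } = buildChallengeRequest({ domain, clientId, realm });
  const challengeResp = await (await fetch(url, init)).json();
  const { authSession, options } = toCredentialRequestOptions(challengeResp, domain);
  const credential = await navigator.credentials.get(options);
  const body = buildTokenExchangeBody({ clientId, realm, authSession, credential });
  const tokenResp = await fetch(`https://${domain}/oauth/token`, {
    method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body),
  });
  return tokenResp.json();
}
```

Two design points. The `rpId` comparison is done before the prompt appears because the browser's own check fails with a bare `SecurityError` that gives support staff nothing to work with, whereas comparing against the domain you just called names the mismatch. Omitting `allowCredentials` is deliberate: a passkey is a discoverable credential, so the authenticator selects the credential registered for the returned `rpId` without the relying party enumerating credential IDs first.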
