Update: Cross-App Passkey Sharing — What’s Possible Today
Been researching how passkeys can be shared across multiple Stacks apps (ty for your help @friedger). Sharing findings here since it’s directly relevant to the clarity-webauthn vision.
The Web Standard: Related Origin Requests
Browsers (Chrome + Safari, not Firefox yet) now support Related Origin Requests. It lets multiple domains share the same passkey by hosting a simple JSON allowlist:
// https://pillarbtc.com/.well-known/webauthn
{ "origins": ["https://fak.fun", "https://zestprotocol.com"] }
Any origin on that list can create/verify passkeys using pillarbtc.com as the RP ID. Limit: 5 distinct eTLD+1 domains.
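As an added example (not code from the post or from any of the projects named), here is how a relying party's server could parse the `/.well-known/webauthn` allowlist and apply it when checking the `origin` field of a received clientDataJSON; the eTLD+1 helper is a deliberate simplification (assumption: last two DNS labels) that a real deployment would replace with a Public Suffix List lookup, and the 5-domain cap is taken from the post.

```javascript
// Added example: server-side handling of a Related Origin Requests allowlist.
// The browser enforces this on the client, but the RP should still check the
// origin it receives in clientDataJSON against the same policy.
const MAX_RELATED_DOMAINS = 5; // limit stated above: 5 distinct eTLD+1 domains

// ASSUMPTION / simplification: take the last two labels as the eTLD+1.
// Real code must use the Public Suffix List ("example.co.uk" has three labels).
function etldPlusOne(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Parse the body served at https://<rpId>/.well-known/webauthn and return the
// Set of origins that may use rpId. Origins that would push the number of
// distinct eTLD+1 domains past the cap are ignored rather than failing the whole document.
function parseRelatedOrigins(rpId, body) {
  const doc = JSON.parse(body);
  if (!Array.isArray(doc.origins)) throw new Error('"origins" must be an array');
  const accepted = new Set();
  const domains = new Set();
  for (const entry of doc.origins) {
    let url;
    try { url = new URL(entry); } catch { continue; }  // skip malformed entries
    if (url.protocol !== 'https:') continue;           // only secure origins qualify
    const domain = etldPlusOne(url.hostname);
    if (!domains.has(domain)) {
      if (domains.size >= MAX_RELATED_DOMAINS) continue; // cap reached: skip this origin
      domains.add(domain);
    }
    accepted.add(url.origin);
  }
  return accepted;
}

// Decide whether `origin` (clientDataJSON.origin) is acceptable for `rpId`.
// The RP's own domain and its subdomains need no allowlist entry; anything
// else must appear in the parsed allowlist.
function originAllowedForRpId(rpId, origin, allowlist) {
  const o = new URL(origin);
  if (o.protocol !== 'https:') return false;
  if (o.hostname === rpId || o.hostname.endsWith('.' + rpId)) return true;
  return allowlist.has(o.origin);
}

// Constructed sample document for pillarbtc.com, mirroring the post plus one
// insecure entry that must be rejected.
const SAMPLE_WELLKNOWN = JSON.stringify({
  origins: ['https://fak.fun', 'https://zestprotocol.com', 'http://insecure.example'],
});
```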
Mobile: Same Idea, Different Mechanism
On native apps, multiple apps can share one passkey via a common RP ID using Digital Asset Links (Android) or Associated Domains (iOS). The device-side passkey is the same — you just list which app package names are authorized.
The Catch for a Multi-App Ecosystem
The technology works, but there are governance and infra constraints:
- One domain owns the RP ID. If Pillar hosts the allowlist, Zest/Bitflow depend on Pillar keeping them listed. Domain goes down or removes you → your passkey auth breaks.
- Shared credential database required. All apps need access to the same stored public keys to verify assertions server-side. This is a real backend integration, not just a config file.
- Trust problem. No app wants their auth dependent on another company’s domain.
What This Means for Stacks
For the “one passkey, sign into any Stacks app” dream, the realistic paths are:
- Neutral shared auth domain (e.g. auth.stacks.co) that ecosystem apps agree to use as the RP ID, with a shared credential store. Governance needed.
- On-chain verification via clarity-webauthn sidesteps the shared-database problem entirely — the credential public key lives in the smart wallet contract, and any app can verify against it by calling the contract. The RP ID coordination is still needed at the browser/device level, but the backend trust problem disappears.
- Each app keeps its own passkeys, linked by Stacks address. No shared RP ID, simpler, but users manage multiple passkeys.
The on-chain approach is what makes clarity-webauthn compelling beyond just “no intermediary fees.” It’s a natural shared credential store that no single company controls.
Curious if @ECBSJ or anyone from Bitflow/Zest has thoughts on the cross-app angle.
— Rapha