kevdog
January 17, 2026, 6:46pm
1
I’m currently using vaultwarden server : alpine-testing with an nginx reverse proxy front end.
As a client I’m on MacOS with the chrome bitwarden extension. On the extension when you open it, there is an option for Log in with passkey. I just keep getting a 404 in the vaultwarden logs from the bitwarden app when trying to choose this selection. Is this a feature supported in vaultwarden and if so is it documented anywhere? Thanks.
It’s not supported yet. There is an open PR to add support for it
main ← zUnixorn:webauthn_login
opened 02:14PM - 04 Jun 25 UTC
Hello,
This PR implements the endpoints needed for passkey login into the Bit… warden webclient.
I marked this as a draft for now, since I'd like to first get some feedback on this PR before I start pursuing this further or if this is even a wanted feature for Vaultwarden.
## Working Features
* Login with passkey without using it for encryption
* Login with passkey while using it for encryption
* Adding a new passkey
* Listing all registered passkeys
* Deleting a passkey
## Testing this Branch
To test this branch, the fronted needs to be build with [this](https://github.com/vaultwarden/vw_web_builds/commit/08498dd2059d10f1eed7dd6082619686f4118bd7) line appended, to allow for passkey registration.
## Open TODOs
- [ ] Cleanup the code
- [ ] there is a bunch of duplicate code between _login_password() and _login_webauthn()
- [ ] the webauthn stuff could be moved into its own file / module
- [ ] Resolve the TODOs
- [ ] Figure out how to handle the intermidate webauthn state:
- [ ] Saved in the database (I think that's what's already done in the 2FA webauthn), but this probably would only work for registration, not login
- [ ] Passed around as an encrypted string in the `token` field (I think this is what bitwarden does with [this C# Api](https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-9.0))
- [ ] Decide what to do about the unimplemented [endpoints](https://github.com/bitwarden/server/blob/v2025.5.3/src/Api/Auth/Controllers/WebAuthnController.cs) that are implemented by upstream (they don't seem to be used currently by the webclient)
- [ ] Figure out why the frontend doesn't work in firefox for passkeys