Customization

Overview

Like the other SuperTokens authentication recipes, you can customize the WebAuthn flow through different configuration options and overrides. The following page describes the options that you can change and the different scenarios enabled through customization.

Backend recipe configuration

The backend recipe accepts the following properties during initialization:

Option	Description	Default
`getRelyingPartyId`	Sets the domain name associated with the WebAuthn credentials. This helps ensure that only your domain uses the credentials.	The `apiDomain` value that you have set in `appConfig`
`getRelyingPartyName`	Sets a human-readable name for your application. The name appears to users during the WebAuthn registration process.	The `appName` value that you have set in `appConfig`
`getOrigin`	Configures the origin URL that WebAuthn credentials bind to. This should match your application's domain and protocol.	Origin of the request
`emailDelivery`	Configures how the system builds and sends verification emails to users. Read the email delivery page for more information.	Default email service
`validateEmailAddress`	Adds custom validation logic for email addresses.	Basic email format validation

All the properties are optional.

import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
import WebAuthn from "supertokens-node/recipe/webauthn";

supertokens.init({
    framework: "express",
    supertokens: {
        // https://try.supertokens.com is for demo purposes. Replace this with the address of your core instance (sign up on supertokens.com), or self host a core.
        connectionURI: "https://try.supertokens.com",
        // apiKey: <API_KEY(if configured)>,
    },
    appInfo: {
        // learn more about this on https://supertokens.com/docs/session/appinfo
        appName: "<YOUR_APP_NAME>",
        apiDomain: "<YOUR_API_DOMAIN>",
        websiteDomain: "<YOUR_WEBSITE_DOMAIN>",
        apiBasePath: "/auth",
        websiteBasePath: "/auth"
    },
    recipeList: [
        WebAuthn.init({
            getOrigin: () => {
                return "https://example.com";
            },
            getRelyingPartyId: () => {
                return "example.com";
            },
            getRelyingPartyName: () => {
                return "example";
            },
        }),
        Session.init() // initializes session features
    ]
});

Credential generation

The client generates the credentials based on the options provided by the backend SDK. The frontend SDK uses the navigator.credentials.created function to resolve this.

To change the options used to generate credentials, you need to override the registerOptions function.

import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
import WebAuthn from "supertokens-node/recipe/webauthn";

supertokens.init({
    framework: "express",
    supertokens: {
        // https://try.supertokens.com is for demo purposes. Replace this with the address of your core instance (sign up on supertokens.com), or self host a core.
        connectionURI: "https://try.supertokens.com",
        // apiKey: <API_KEY(if configured)>,
    },
    appInfo: {
        // learn more about this on https://supertokens.com/docs/session/appinfo
        appName: "<YOUR_APP_NAME>",
        apiDomain: "<YOUR_API_DOMAIN>",
        websiteDomain: "<YOUR_WEBSITE_DOMAIN>",
        apiBasePath: "/auth",
        websiteBasePath: "/auth"
    },
    recipeList: [
        WebAuthn.init({
            override: {
                functions: (originalImplementation) => {
                    return {
                        ...originalImplementation,
                        registerOptions: (input) => {
                            return originalImplementation.registerOptions({
                                ...input,
                                attestation: "direct",
                                residentKey: "required",
                                timeout: 10 * 1000,
                                userVerification: "required",
                                displayName: "John Doe",
                                supportedAlgorithms: [-257],
                                relyingPartyId: 'example.com',
                                relyingPartyName: 'example',
                                origin: 'https://example.com',
                            });
                        },
                    };
                },
            },
        }),
        Session.init() // initializes session features
    ]
});

Input properties

Name	Type	Description	Default Value
`relyingPartyId`	`string`	The domain name of your application that the system uses for validating the credential.	Uses `getRelyingPartyId` from the recipe configuration which defaults to the `apiDomain`
`relyingPartyName`	`string`	The human-readable name of your application.	Uses `getRelyingPartyName` from the recipe configuration which defaults to the `apiName`
`origin`	`string`	The origin URL where the credential is generated.	Uses `getOrigin` from the recipe configuration which defaults to the origin of the request
`timeout`	`number`	The time in milliseconds that the user has to complete the credential generation process.	`6000`
`attestation`	`"none" \| "indirect" \| "direct" \| "enterprise"`	The amount of information about the authenticator that gets included in the attestation statement. This controls what authenticators support.	`none`
`supportedAlgorithms`	`number[]`	The cryptographic algorithms that can generate credentials. Different authenticators support different algorithms.	`[-8, -7, -257]`
`residentKey`	`"discouraged" \| "preferred" \| "required"`	Whether the credential gest stored on the authenticator device.	`required`
`userVerification`	`"discouraged" \| "preferred" \| "required"`	Whether user verification (like `PIN` or biometrics) is necessary.	`preferred`
`displayName`	`string`	The display name of the user.	The user's `email` property

Credential validation

When a user attempts to login, the authenticator uses their credential to sign a challenge on the client. The frontend SDK uses the navigator.credentials.get function to resolve this.

The server generates the options for signing the challenge through the backend SDK, and then sends them to the client. To change those, you need to override the signInOptions function.

import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
import WebAuthn from "supertokens-node/recipe/webauthn";

supertokens.init({
    framework: "express",
    supertokens: {
        // https://try.supertokens.com is for demo purposes. Replace this with the address of your core instance (sign up on supertokens.com), or self host a core.
        connectionURI: "https://try.supertokens.com",
        // apiKey: <API_KEY(if configured)>,
    },
    appInfo: {
        // learn more about this on https://supertokens.com/docs/session/appinfo
        appName: "<YOUR_APP_NAME>",
        apiDomain: "<YOUR_API_DOMAIN>",
        websiteDomain: "<YOUR_WEBSITE_DOMAIN>",
        apiBasePath: "/auth",
        websiteBasePath: "/auth"
    },
    recipeList: [
        WebAuthn.init({
            override: {
                functions: (originalImplementation) => {
                    return {
                        ...originalImplementation,
                        signInOptions: (input) => {
                            return originalImplementation.signInOptions({
                                ...input,
                                timeout: 10 * 1000,
                                userVerification: "required",
                                relyingPartyId: 'example.com',
                                origin: 'https://example.com',
                            });
                        },
                    };
                },
            },
        }),
        Session.init() // initializes session features
    ]
});

Input properties

Name	Type	Description	Default
`relyingPartyId`	`string`	The domain name of your application that the system uses for validating the credential.	Uses `getRelyingPartyId` from the recipe configuration which defaults to the `apiDomain`
`relyingPartyName`	`string`	The human-readable name of your application.	Uses `getRelyingPartyName` from the recipe configuration which defaults to the `apiName`
`origin`	`string`	The origin URL where the credential is generated.	Uses `getOrigin` from the recipe configuration which defaults to the origin of the request
`timeout`	`number`	The time in milliseconds that the user has to complete the credential validation process.	`6000`
`userVerification`	`"discouraged" \| "preferred" \| "required"`	The parameter controls whether user verification (like `PIN` or biometrics) is necessary.	`preferred`

Overview​

Backend recipe configuration​

Credential generation​

Input properties​

Credential validation​

Input properties​

Overview

Backend recipe configuration

Credential generation

Input properties

Credential validation

Input properties