Passkey Authentication

Generally available

WebAuthn passkey credentials — passwordless authentication via platform authenticators (Face ID, Touch ID, Windows Hello, USB security keys). Each PasskeyCredential stores the credential ID, public key, sign counter (clone detection), authenticator AAGUID, and device label. Operators register a passkey from the console; the login flow accepts either password or passkey.

Fields

| Field | Type | Description |
| --- | --- | --- |
| credentialId | blob | WebAuthn credential id as returned by the authenticator at registration. Lookup key during sign-in challenges; stored as BLOB because it can contain arbitrary binary. |
| publicKey | blob | COSE-encoded public key extracted from the attestation. Used to verify the assertion signature on every sign-in. |
| userId | bigint | Owning User id. A single user can register multiple passkeys (one per device); deletion of the user cascades to all credentials. |
| signCount | integer | Authenticator-incremented sign counter. WebAuthn clone detection: if an incoming assertion reports a counter <= the stored value, the credential is treated as cloned and the sign-in fails. |
| userHandle | string | Per-user opaque handle returned to the authenticator at registration time. Used to look up the user during a passkey assertion without leaking the underlying user id. |
| transports | json | Authenticator transports the credential supports (e.g. `["internal"]` for platform authenticators, `["usb", "nfc"]` for roaming keys). Passed back to the browser to pick the right UI affordance during sign-in. |
| aaguid | string | Authenticator AAGUID — 128-bit identifier of the authenticator make/model. Lets support correlate "passkey doesn't work" reports against known-bad authenticator firmware. |
| deviceName | string | Operator-chosen friendly label ("MacBook Pro", "iPhone — work") shown in the console's passkey list. The only field on this entity that surfaces to the FE. |
| clientId | bigint | Tenant scope. Every tenant-aware entity carries this; `ClientFilter` enforces row-level isolation on read; the multi-tenancy routing layer (`/client/{clientId}`) sets it at create time. Surfaced only under `admin` / `tripLog` groups — never to end users. |
| internalKey | string | Optional client-supplied external reference / idempotency key. When present, lets external systems correlate platform-side records back to their own source-of-truth ids. Not persisted to a column; populated by the request handler when the caller sets it. |
| __objectType | string | Discriminator string (entity class short-name) emitted alongside the id in serialized output. Resolved at read time by `getObjectType()`; lets the FE dispatch entity-specific rendering without inspecting the URL. |
| id | bigint | Snowflake-style primary key (unsigned BIGINT). Generated by `IdFactory` at create time; surfaced to the FE / API as a `G`-prefixed string and stripped back to plain bigint server-side before Doctrine lookup. |
| createdDate | integer | Unix timestamp the row was first persisted. Set in the entity's PrePersist hook; never rewritten on subsequent updates. |
| updatedDate | integer | Unix timestamp the row was last touched. Bumped on every commit that hits the Doctrine UoW for this entity; drives FE invalidation and the listing change cursor. |
| passiveUpdatedDate | int | Read-through alias for `updatedDate` exposed under different serializer groups. Lets the FE distinguish "real edit" from "background touch" projections without changing the underlying column. |
| listingUpdatedDate | int | Listing-projection timestamp surfaced only under the `listMode` group. Driven by `TripCache` and other listing-shape refreshers separately from `updatedDate`, so a listing rebuild doesn't trigger detail-page invalidation. |
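The following is an added illustration, not code from this product: a relying-party-side check of a WebAuthn assertion in Python that parses the fixed `authenticatorData` prefix, verifies the `rpIdHash` and user-presence/verification flags, and applies the `signCount` clone-detection rule from the table above. It goes one step beyond the table in treating a counter that is 0 on both sides as an authenticator that does not implement counters, which the WebAuthn spec says is not a clone signal. `RP_ID`, the flag constants and the sample bytes are constructed assumptions.

```python
import hashlib
import struct

# Constructed sample: the relying-party id the credential was registered for (assumed).
RP_ID = "console.example.test"

FLAG_UP = 0x01  # authenticatorData flags bit 0: user present
FLAG_UV = 0x04  # authenticatorData flags bit 2: user verified


def parse_auth_data(auth_data: bytes):
    """Split the 37-byte authenticatorData prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return rp_id_hash, flags, sign_count


def check_assertion(auth_data: bytes, stored_sign_count: int,
                    rp_id: str = RP_ID, require_uv: bool = True) -> int:
    """Return the new signCount to persist, or raise ValueError if sign-in must fail.

    Clone detection per the fields table: an incoming counter <= the stored value
    is rejected. A counter that is 0 on both sides means the authenticator does
    not implement counters, so there is nothing to compare.
    """
    rp_id_hash, flags, sign_count = parse_auth_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion was made for a different RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but UV flag not set")
    if sign_count == 0 and stored_sign_count == 0:
        return 0  # authenticator without a counter: no clone signal
    if sign_count <= stored_sign_count:
        raise ValueError(f"possible cloned authenticator: {sign_count} <= stored {stored_sign_count}")
    return sign_count


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix (for demos and tests only)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    good = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    print(check_assertion(good, stored_sign_count=41))  # 42
```

Signature verification over `authData || sha256(clientDataJSON)` with the stored COSE `publicKey` must still run before the counter is persisted; this block covers only the authenticator-data checks.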