To prevent creating a new passkey if one already exists in the same passkey provider, use the optional `excludeCredentials` property of WebAuthn's `PublicKeyCredentialCreationOptions` dictionary.
The `excludeCredentials` property is an array of descriptors for public keys that already exist for a given user. This information is supplied by the relying party's server when it wants to prevent the creation of new credentials for an existing user on a single authenticator.
Each entry in the `excludeCredentials` array has the following attributes:
- `type`: A string that describes the type of public-key credential to be generated. The default value is `"public-key"`.
- `id`: An `ArrayBuffer` that matches an existing public key credential identifier (`PublicKeyCredential.rawId`). This identifier is generated during the creation of the `PublicKeyCredential` instance.
The client returns an error if the user tries to create a new credential on a platform authenticator that already contains one of the credentials listed in this parameter. If the authenticator already contains a public key credential of this type, the authenticator collects user consent as usual, and shows the user a success indicator with no new credential created. An `InvalidStateError` exception is thrown, indicating that the user already has a valid credential matched from `excludeCredentials`.
```json
"excludeCredentials": [
  {"id": "<id-1>", "type": "public-key"},
  {"id": "<id-2>", "type": "public-key"}
]
```
This JSON can be used to prevent authenticators that already hold one of the listed credentials from being registered more than once. Each `"<id-*>"` value should be populated with the identifier of the credential to be excluded.
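As an added example (not code from the original page), the following client-side JavaScript turns a server-supplied options payload, in which the credential ids are base64url strings standing in for the `"<id-*>"` placeholders above, into the `ArrayBuffer`-based `excludeCredentials` that `navigator.credentials.create()` expects, and maps the `InvalidStateError` rejection to a "credential already exists" outcome. The server JSON, its ids, and the `registerPasskey` / `classifyCreateError` helper names are constructed for this example.

```javascript
// Constructed sample of the relying party's response (ids are made up).
const SERVER_OPTIONS_JSON = JSON.stringify({
  rp: { name: "Example RP", id: "example.com" },
  user: { id: "dXNlci0xMjM", name: "alice", displayName: "Alice" },
  challenge: "Y2hhbGxlbmdl",
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
  excludeCredentials: [
    { id: "AQIDBA", type: "public-key" }, // bytes 01 02 03 04
    { id: "BQYHCA", type: "public-key" }, // bytes 05 06 07 08
  ],
});

// Decode a base64url string (no padding) into an ArrayBuffer.
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 ? "=".repeat(4 - (b64.length % 4)) : "";
  const bin = atob(b64 + pad);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Build PublicKeyCredentialCreationOptions: challenge, user.id and every
// excludeCredentials.id must be binary buffers, not strings.
function buildCreationOptions(json) {
  const o = JSON.parse(json);
  return {
    ...o,
    challenge: base64urlToBuffer(o.challenge),
    user: { ...o.user, id: base64urlToBuffer(o.user.id) },
    excludeCredentials: (o.excludeCredentials || []).map((c) => ({
      type: c.type,
      id: base64urlToBuffer(c.id),
    })),
  };
}

// InvalidStateError means the authenticator already holds an excluded credential.
function classifyCreateError(err) {
  if (err && err.name === "InvalidStateError") return "already-registered";
  if (err && err.name === "NotAllowedError") return "cancelled-or-timeout";
  return "other";
}

async function registerPasskey(json) {
  try {
    const publicKey = buildCreationOptions(json);
    const credential = await navigator.credentials.create({ publicKey });
    return { ok: true, credential };
  } catch (err) {
    return { ok: false, reason: classifyCreateError(err) };
  }
}
```

In the `already-registered` case the user already has a passkey in that provider, so the client should treat it as success rather than retrying creation.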
Learn more about `excludeCredentials` in the W3C recommendation.