feat(auth): #36 re-enable passkey plugin via @better-auth/passkey (#81)

* feat(auth): #36 re-enable passkey plugin via @better-auth/passkey

Passkey plugin was disabled with a TODO when better-auth split it into
a separate package. Re-wire it now that we're on 1.6.11.

- ADR 0003 documents the split + RP config + clone-time requirements
- `@better-auth/passkey` added to pnpm catalog (peer-pinned to ^1.6.11)
- packages/auth deps + apps/web deps updated
- packages/auth/src/index.ts imports `passkey` from `@better-auth/passkey`
- apps/web/src/lib/auth-client.ts wires `passkeyClient()`
- "Sign in with passkey" button on `/sign-in`
- `<PasskeySection />` on `/dashboard/security` — list + enroll + remove

The `passkey` Drizzle table was already present in
packages/db/src/schema/auth.ts from the previous attempt — no
migration required.

Closes #36

* fix(deps): override better-call to 1.3.5 (peer for @better-auth/core 1.6.11)

Author: f-amine

apps/admin/next-env.d.ts

@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import "./.next/dev/types/routes.d.ts";
+import "./.next/types/routes.d.ts";
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

apps/web/package.json

@@ -9,6 +9,7 @@
 		"typecheck": "tsc --noEmit"
 	},
 	"dependencies": {
+		"@better-auth/passkey": "catalog:",
 		"@hookform/resolvers": "^5.2.2",
 		"@polar-sh/better-auth": "catalog:",
 		"@starter-saas/analytics": "workspace:*",

apps/web/src/app/(app)/dashboard/security/page.tsx

@@ -24,6 +24,7 @@ import { useEffect, useState } from "react";
 import { toast } from "sonner";
 import { GdprSection } from "@/components/app/gdpr-section";
 import { PageHeader } from "@/components/app/page-header";
+import { PasskeySection } from "@/components/app/passkey-section";
 import { authClient } from "@/lib/auth-client";
 
 type SessionRow = {
@@ -105,6 +106,8 @@ export default function SecurityPage() {
 					</CardContent>
 				</Card>
 
+				<PasskeySection />
+
 				<Card>
 					<CardHeader>
 						<CardTitle className="flex items-center gap-2">

apps/web/src/components/app/passkey-section.tsx

@@ -0,0 +1,144 @@
+"use client";
+
+import { Button } from "@starter-saas/ui/components/button";
+import {
+	Card,
+	CardContent,
+	CardDescription,
+	CardHeader,
+	CardTitle,
+} from "@starter-saas/ui/components/card";
+import { EmptyState } from "@starter-saas/ui/components/empty-state";
+import { Skeleton } from "@starter-saas/ui/components/skeleton";
+import { Fingerprint } from "lucide-react";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+import { authClient } from "@/lib/auth-client";
+
+type PasskeyRow = {
+	id: string;
+	name?: string | null;
+	deviceType?: string | null;
+	createdAt?: string | Date | null;
+};
+
+export function PasskeySection() {
+	const [passkeys, setPasskeys] = useState<PasskeyRow[] | null>(null);
+	const [enrolling, setEnrolling] = useState(false);
+
+	const refresh = async () => {
+		try {
+			// Better Auth's passkey plugin exposes listUserPasskeys on the client.
+			// The shape isn't strongly typed for arbitrary plugins so we coerce.
+			const res = await (
+				authClient as unknown as {
+					listPasskeys: () => Promise<{ data?: PasskeyRow[] | null }>;
+				}
+			).listPasskeys();
+			setPasskeys(res?.data ?? []);
+		} catch {
+			setPasskeys([]);
+		}
+	};
+
+	useEffect(() => {
+		refresh();
+	}, []);
+
+	const enroll = async () => {
+		setEnrolling(true);
+		const id = toast.loading("Tap your security key or biometric sensor…");
+		try {
+			const result = await authClient.passkey.addPasskey();
+			if (result?.error) {
+				toast.error("Couldn't register passkey", {
+					id,
+					description: result.error.message,
+				});
+				return;
+			}
+			toast.success("Passkey registered", { id });
+			await refresh();
+		} catch (err) {
+			toast.error("Couldn't register passkey", {
+				id,
+				description: err instanceof Error ? err.message : "?",
+			});
+		} finally {
+			setEnrolling(false);
+		}
+	};
+
+	const remove = async (passkeyId: string) => {
+		try {
+			await (
+				authClient as unknown as {
+					deletePasskey: (args: { id: string }) => Promise<unknown>;
+				}
+			).deletePasskey({ id: passkeyId });
+			toast.success("Passkey removed");
+			await refresh();
+		} catch (err) {
+			toast.error("Couldn't remove passkey", {
+				description: err instanceof Error ? err.message : "?",
+			});
+		}
+	};
+
+	return (
+		<Card>
+			<CardHeader>
+				<CardTitle className="flex items-center gap-2">
+					<Fingerprint className="h-5 w-5" />
+					Passkeys
+				</CardTitle>
+				<CardDescription>
+					Sign in with Face ID, Touch ID, Windows Hello, or a hardware key —
+					phishing-resistant, no password to forget.
+				</CardDescription>
+			</CardHeader>
+			<CardContent className="space-y-4">
+				{passkeys === null ? (
+					<div className="space-y-2">
+						<Skeleton className="h-10 w-full" />
+						<Skeleton className="h-10 w-full" />
+					</div>
+				) : passkeys.length === 0 ? (
+					<EmptyState
+						illustration="arc"
+						title="No passkeys yet"
+						description="Register one to skip passwords on this device next time you sign in."
+						className="border-0 bg-transparent py-6"
+					/>
+				) : (
+					<ul className="divide-y">
+						{passkeys.map((pk) => (
+							<li key={pk.id} className="flex items-center gap-3 py-3">
+								<div className="flex h-9 w-9 items-center justify-center rounded-md bg-muted">
+									<Fingerprint className="h-4 w-4" />
+								</div>
+								<div className="flex-1">
+									<p className="font-medium text-sm">
+										{pk.name?.trim() || "Unnamed passkey"}
+									</p>
+									<p className="text-muted-foreground text-xs">
+										{pk.deviceType ?? "—"}
+										{pk.createdAt
+											? ` · ${new Date(pk.createdAt).toLocaleDateString()}`
+											: ""}
+									</p>
+								</div>
+								<Button variant="ghost" size="sm" onClick={() => remove(pk.id)}>
+									Remove
+								</Button>
+							</li>
+						))}
+					</ul>
+				)}
+				<Button onClick={enroll} disabled={enrolling}>
+					{enrolling ? "Waiting for device…" : "Register a passkey"}
+				</Button>
+			</CardContent>
+		</Card>
+	);
+}

apps/web/src/components/auth/sign-in-form.tsx

@@ -11,6 +11,7 @@ import {
 	FormMessage,
 } from "@starter-saas/ui/components/form";
 import { Input } from "@starter-saas/ui/components/input";
+import { KeyRound } from "lucide-react";
 import { useRouter, useSearchParams } from "next/navigation";
 import { useState } from "react";
 import { useForm } from "react-hook-form";
@@ -72,6 +73,23 @@ export function SignInForm() {
 		else toast.success("Check your inbox for a sign-in link");
 	};
 
+	const onPasskey = async () => {
+		// `signIn.passkey()` triggers the WebAuthn browser prompt. If the user
+		// has no registered passkey for this origin, the browser handles the
+		// "no credentials" UI; we surface server-side errors via toast.
+		const result = await authClient.signIn.passkey();
+		if (result?.error) {
+			toast.error("Couldn't sign in with passkey", {
+				description: result.error.message ?? "Try email + password instead",
+			});
+			return;
+		}
+		toast.success("Welcome back");
+		// biome-ignore lint/suspicious/noExplicitAny: dynamic redirect target
+		router.push(next as any);
+		router.refresh();
+	};
+
 	return (
 		<Form {...form}>
 			<form onSubmit={form.handleSubmit(onSubmit)} className="grid gap-4">
@@ -123,6 +141,11 @@ export function SignInForm() {
 					{submitting ? "Signing in…" : "Sign in"}
 				</Button>
 
+				<Button type="button" variant="outline" size="lg" onClick={onPasskey}>
+					<KeyRound className="mr-2 h-4 w-4" />
+					Sign in with passkey
+				</Button>
+
 				<Button
 					type="button"
 					variant="ghost"

apps/web/src/lib/auth-client.ts

@@ -1,3 +1,4 @@
+import { passkeyClient } from "@better-auth/passkey/client";
 import { polarClient } from "@polar-sh/better-auth";
 import {
 	adminClient,
@@ -14,6 +15,7 @@ export const authClient = createAuthClient({
 		adminClient(),
 		organizationClient(),
 		polarClient(),
+		passkeyClient(),
 	],
 });
 

docs/adr/0003-passkey-plugin.md

@@ -0,0 +1,68 @@
+# ADR-0003 — Passkey plugin via `@better-auth/passkey`
+
+**Status**: Accepted
+**Date**: 2026-05-15
+
+## Context
+
+Better Auth 1.6 split the passkey plugin out of the core package
+(`better-auth/plugins/passkey`) into its own npm package
+(`@better-auth/passkey`). Our scaffold previously imported passkey from
+the core path and commented it out when the import path broke during a
+bump:
+
+```ts
+// TODO: passkey plugin not exported from better-auth@1.6.9. Re-enable when upgrading.
+// import { passkey } from "better-auth/plugins/passkey";
+```
+
+Backlog item #36 tracks re-enabling it cleanly.
+
+## Decision
+
+- Add `@better-auth/passkey` to the pnpm catalog (peer-dep matches
+  `better-auth@^1.6.11`).
+- Import the server plugin from `@better-auth/passkey` in
+  `packages/auth/src/index.ts`.
+- Import the client plugin from `@better-auth/passkey/client` in
+  `apps/web/src/lib/auth-client.ts`.
+- Run `pnpm auth:generate` to add the `passkey` table to
+  `packages/db/src/schema/auth.ts`.
+- Wire a "Sign in with passkey" button on `/sign-in` and a "Register a
+  passkey" affordance on `/dashboard/security`.
+
+## RP configuration
+
+- `rpName`: `"starter-saas"` (cloned projects can rename this in
+  `packages/auth/src/index.ts`).
+- `rpID`: derived from `env.APP_URL` host at runtime.
+- `origin`: `env.APP_URL`.
+
+Cloned projects MUST update `rpName` + ensure `APP_URL` points to the
+real production origin before allowing passkey enrollment. Passkeys
+created against `localhost` will NOT work against the deployed origin
+and vice versa — there is no migration path.
+
+## Backwards compatibility
+
+- No existing user data is affected — the `passkey` table is purely
+  additive.
+- Email/password + magic-link + Google OAuth continue to work unchanged.
+- Sessions issued before this change remain valid.
+
+## Consequences
+
+- One new top-level dep (`@better-auth/passkey`) — acceptable cost.
+- `pnpm auth:generate` will mutate `schema/auth.ts`; the regenerated
+  file is checked into the repo so the migration is reproducible.
+- A new migration must be generated and applied (`pnpm db:generate &&
+  pnpm db:migrate`) before deploying.
+
+## Alternatives considered
+
+- **Keep passkey disabled, ship without WebAuthn**: rejected — passkey
+  is a tier-3 product surface that ships in the starter and is a
+  meaningful security upgrade over passwords alone.
+- **Fork `better-auth/plugins/passkey` inline**: rejected — vendored
+  WebAuthn code is a maintenance trap given the SimpleWebAuthn dep
+  cadence.

package.json

@@ -71,6 +71,7 @@
 	},
 	"pnpm": {
 		"overrides": {
+			"better-call": "1.3.5",
 			"drizzle-orm": "0.45.2",
 			"react": "19.2.6",
 			"react-dom": "19.2.6"

packages/auth/package.json

@@ -16,6 +16,7 @@
 		"generate": "npx -y @better-auth/cli@latest generate --output ../db/src/schema/auth.ts --config ./src/index.ts -y"
 	},
 	"dependencies": {
+		"@better-auth/passkey": "catalog:",
 		"@polar-sh/better-auth": "catalog:",
 		"@polar-sh/sdk": "catalog:",
 		"@starter-saas/billing": "workspace:*",

packages/auth/src/index.ts

@@ -1,3 +1,4 @@
+import { passkey } from "@better-auth/passkey";
 import { checkout, polar, portal, webhooks } from "@polar-sh/better-auth";
 import { polar as polarClient } from "@starter-saas/billing/client";
 import { polarCheckoutProducts } from "@starter-saas/billing/plans-server";
@@ -8,8 +9,6 @@ import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { nextCookies } from "better-auth/next-js";
 import { admin, magicLink, organization, twoFactor } from "better-auth/plugins";
-// TODO: passkey plugin not exported from better-auth@1.6.9. Re-enable when upgrading.
-// import { passkey } from "better-auth/plugins/passkey";
 
 import { ac, admin as adminRole, member, owner } from "./lib/permissions";
 import { createRedisSecondaryStorage } from "./lib/redis";
@@ -99,7 +98,11 @@ export function createAuth() {
 					await sendMagicLink({ to: email, url });
 				},
 			}),
-			// passkey({ rpID: new URL(env.APP_URL).hostname, rpName: "starter-saas", origin: env.APP_URL }),
+			passkey({
+				rpID: new URL(env.APP_URL).hostname,
+				rpName: "starter-saas",
+				origin: env.APP_URL,
+			}),
 			twoFactor(),
 			admin({
 				defaultRole: "user",