- FIDO2 Credentials (aka “Passkeys” / “WebAuthn”) -> Use the WebAuthn standard to create and manage passkeys on your device (see more about that below). You can use passkeys if you need a client-side User signature (e.g. in a web app or native app).
- Key Credentials -> You “manually” generate keypairs yourself and store them however you see fit (see How to generate a keypair). You can use a Key Credential if, for example, you need a Service Account running on your server to also be the signer.

| Identity | WebAuthn Credentials | Key Credentials |
|---|---|---|
| User | ✅ | ✅ |
| PAT (Personal Access Token) | 🛑 | ✅ |
| Service Account | 🛑 | ✅ |

Passkeys
Passkeys is the common term used to describe the FIDO2 standard called “WebAuthn”. It is a web authentication standard supported by most modern browsers, phones and devices, which leverages your device's key-management features (such as Touch ID on a Mac, a phone authenticator, a YubiKey, or one of the password managers that support creating and storing passkeys). The user can then use those passkeys to sign payloads when needed. Here are some screenshots with examples of the WebAuthn prompts shown in your browser during Credential creation, or during signing with those Credentials.

You can read more about WebAuthn on webauthn.guide, and if you want you can test a WebAuthn demo on webauthn.io.
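
To make "sign payloads" concrete, here is an added example (not code from this page or from the platform it documents) of what a relying party checks in a WebAuthn assertion: the signature covers `authenticatorData || SHA-256(clientDataJSON)`, and the challenge and origin are bound inside `clientDataJSON`. The authenticator is simulated in software with a Node.js P-256 key; `RP_ID`, `ORIGIN` and all function names are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Constructed relying-party values (assumptions, not taken from the page).
const RP_ID = "app.example.test";
const ORIGIN = "https://app.example.test";

// Software stand-in for a passkey authenticator: builds authenticatorData and
// clientDataJSON, then signs authenticatorData || SHA-256(clientDataJSON).
function simulateAssertion(privateKey, challenge, origin = ORIGIN) {
  const flags = Buffer.from([0x05]); // UP (0x01) | UV (0x04)
  const signCount = Buffer.from([0, 0, 0, 1]);
  const authenticatorData = Buffer.concat([sha256(RP_ID), flags, signCount]);
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign("sha256", signed, privateKey); // DER-encoded ECDSA
  return { authenticatorData, clientDataJSON, signature };
}

// Relying-party side: validate what was signed, then the signature itself.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const { authenticatorData, clientDataJSON, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  const got = Buffer.from(client.challenge, "base64url");
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) return "challenge-mismatch";
  if (client.origin !== ORIGIN) return "origin-mismatch";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rp-id-mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user-not-present";
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad-signature";
}

// Runs one valid assertion and three that a verifier must reject.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);
  const good = simulateAssertion(privateKey, challenge);
  const otherOrigin = simulateAssertion(privateKey, challenge, "https://other.example.test");
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff; // change signCount after signing
  return {
    valid: verifyAssertion(publicKey, challenge, good),
    staleChallenge: verifyAssertion(publicKey, crypto.randomBytes(32), good),
    wrongOrigin: verifyAssertion(publicKey, challenge, otherOrigin),
    tampered: verifyAssertion(publicKey, challenge, tampered),
  };
}
```

A production verifier would also track the signature counter and decode the stored COSE public key; both are left out here to keep the signed-data layout in focus.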