Skip to main content
Frontend SDKs run on the user’s device — browser, mobile app, or hybrid framework. They handle passkey-based signing so users can authorize actions using biometrics or security keys, without your backend ever touching their private credentials.
Frontend SDKs are designed for delegated signing. They do not make API calls directly — they sign challenges that your backend initiates. You need a backend SDK (or direct API integration) to complete the flow.

How it works

Frontend SDKs implement the signing side of the delegated flow:
  1. Your backend initiates a state-changing operation and receives a challenge from Dfns
  2. Your backend sends the challenge to the frontend
  3. The frontend SDK signs the challenge using the user’s passkey (biometrics, security key, etc.)
  4. The frontend sends the signed challenge back to your backend
  5. Your backend completes the operation with the signed challenge
This ensures that private key material never leaves the user’s authenticator, and your backend never has access to user credentials.

Passkeys

All frontend SDKs use WebAuthn / passkeys for signing. This means:
  • The user’s private key is stored securely in their authenticator (Touch ID, Face ID, YubiKey, etc.)
  • Signing is triggered by a biometric prompt — no passwords involved
  • The private key never leaves the device
Each SDK provides a PasskeysSigner (or equivalent) that handles the register and sign operations:
  • Register: creates a new credential (passkey) for the user during onboarding
  • Sign: signs a User Action Challenge when the user authorizes an operation

Integration with backend

Your backend uses a DfnsDelegatedApiClient (or equivalent) to initiate operations and receive challenges. See the delegated signing guide for the backend side, and implementing delegated wallets for a full end-to-end tutorial.
Last modified on March 13, 2026