passlock-dev/passlock

Passkey authentication for Astro, Sveltekit and other frameworks

6 Releases
v2.9.2 (Latest)
thobson · June 25, 2026

Remove redundant code relating to old v1 endpoints

v2.9.1
thobson · June 25, 2026

Upgrade dependencies

v2.9.0
thobson · June 16, 2026

Added

  • `@passlock/server` mailbox challenge creation now accepts `sendEmail: true` to request Passlock-managed delivery for one-time-code emails. Omitting `sendEmail`, or passing `sendEmail: false`, preserves the existing generate-only behavior and keeps returning the generated `code` and rendered `message` for custom delivery.
  • `@passlock/server` and the `POST /v2/:tenancyId/challenges` REST API now accept an optional recipient `name` when creating mailbox challenges. The name is used for email delivery only and does not affect challenge scope, lookup, invalidation, or verification.

v2.8.0
thobson · June 15, 2026

Added

  • Delete passkey now uses an exchangeable token to synchronize backend and frontend records. This process is similar to that used for passkey registration. The backend initiates the process, returning a token. The frontend uses this token to perform its client-side cleanup.
  • Update passkey now uses an exchangeable token to synchronize backend and frontend records. This process is similar to that used for passkey registration. The backend initiates the process, returning a token. The frontend uses this token to update the device passkeys.

🗑️ Removed

  • Browser-initiated passkey updates and deletions are no longer possible

📋 Changed

  • It is now only possible to update all passkeys for a given `userId`. Previous versions of `@passlock/browser` implied it was possible to update a specific passkey; however, the WebAuthn specs don't actually permit this.

v2.7.0
thobson · June 12, 2026

Added

  • New skill to support versioning of workspace packages.

🗑️ Removed

  • Changeset package as we now use Codex/Claude
  • `@passlock/browser/safe`, `@passlock/browser/unsafe`, `@passlock/server/safe` and `@passlock/server/unsafe`. Every client and function is now _safe_ by default.

📋 Changed

  • Determine passkey RP ID during registration or authentication initiation/authorization instead of pulling it from the tenancy settings.
  • The RP ID must now be provided by the caller:

    ```ts
    import { Passlock } from "@passlock/server";

    const passlock = new Passlock({
      tenancyId,
      apiKey
    });
    ```

    + 9 more
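
Because the RP ID now comes from the caller rather than from tenancy settings, backend code has to decide which value to send. The following is an added example, not code from Passlock: it picks the RP ID from a server-side allowlist using WebAuthn's host-suffix rule instead of trusting a request header. `ALLOWED_RP_IDS`, `hostMatchesRpId`, `parseOrigin` and `resolveRpId` are hypothetical names, and the domains are constructed samples.

```typescript
// Added example, not Passlock code. All names here are hypothetical.
// Constructed sample allowlist of RP IDs this deployment will accept.
const ALLOWED_RP_IDS: readonly string[] = ["example.com", "login.example.org"];

// WebAuthn scoping rule: the RP ID must equal the origin's host or be a
// parent domain of it, compared on whole labels, so "example.com" covers
// "app.example.com" but not "evilexample.com".
function hostMatchesRpId(host: string, rpId: string): boolean {
  return host === rpId || host.endsWith("." + rpId);
}

function parseOrigin(origin: string): URL | null {
  try {
    return new URL(origin);
  } catch {
    return null; // malformed origin
  }
}

// Returns the allowed RP ID that covers `origin`, or null when the origin is
// malformed, is not HTTPS (http://localhost excepted), or is not covered.
// Assumption: when several entries match, the longest (most specific) wins.
function resolveRpId(
  origin: string,
  allowed: readonly string[] = ALLOWED_RP_IDS
): string | null {
  const url = parseOrigin(origin);
  if (url === null) return null;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const secure =
    url.protocol === "https:" ||
    (url.protocol === "http:" && host === "localhost");
  if (!secure) return null;
  const matches = allowed
    .map((id) => id.toLowerCase())
    .filter((id) => hostMatchesRpId(host, id))
    .sort((a, b) => b.length - a.length);
  return matches[0] ?? null;
}
```

A `null` result should end the registration or authentication request before any passkey call is made.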

v2.6.0
thobson · June 10, 2026

📋 Changed

  • Server-side passkey registration preparation. This prevents untrusted clients from registering passkeys without proper authorization.
  • Updated CHANGELOG.md format following [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

Added

  • (Optional) Server-side passkey authentication preparation. Allows developers to supply known passkey IDs (`allowCredentials`) and other authentication options directly in backend code instead of threading them through the frontend.