App Dev · 2026-07-02 · Advanced

Logins Without Stored Passwords: Adding Passkey Authentication to a Rork Max App

How to add passkey authentication to a Swift app generated by Rork Max: Associated Domains setup, WebAuthn server verification with working code, and the device-testing pitfalls that cost me half a day.


For a while, the single most common message in my app's support inbox was some variation of "I forgot my password." Not bug reports — people locked out of their own accounts. As an indie developer, that kind of quiet operational cost adds up week after week.

Since switching to passkeys, those messages have all but disappeared. Users authenticate with Face ID, and my server no longer stores the one secret whose leak would be catastrophic. This is the process I followed to add passkey authentication to a Swift app generated by Rork Max, including the places where I got stuck.

What passkeys change, and what they don't

Passkeys are built on WebAuthn public-key authentication. The device generates a key pair, keeps the private key, and hands the server only the public half. At sign-in, the server issues a challenge, the device signs it, and the server verifies the signature with the stored public key. Because there is no shared secret sitting on both sides, a server breach doesn't leak credentials: the public keys stored there cannot be used to sign in. The private key syncs through iCloud Keychain, so it survives a phone upgrade.

What doesn't change: you still need a server. Issuing challenges, verifying signatures, and storing public keys are server-side jobs, and a "client-only passkey" is not a thing. Rork Max generates the native Swift client for you, but half of this article is necessarily about the backend.

Passkeys also play a different role from "sign in with someone else's account." Federated login delegates identity to Apple; passkeys keep your own account system and simply remove the password from it. I covered the federated side in implementing Sign in with Apple server verification and account deletion, and running both side by side is a perfectly reasonable design.

The foundation: Associated Domains and the AASA file

A passkey is bound to a domain, and the app and server must agree on which one. That binding is Associated Domains. I remember it as a three-part set:

  1. Give the app an Associated Domains entry of webcredentials:example.com
  2. Serve an AASA file at https://example.com/.well-known/apple-app-site-association
  3. List your App ID (TeamID.BundleID) inside that file

The AASA file is just this:

{
  "webcredentials": {
    "apps": ["YOUR_TEAM_ID.com.example.yourapp"]
  }
}

The delivery requirements are quietly strict, and I lost half a day here. It must be served over HTTPS with no redirects, with Content-Type: application/json, directly under /.well-known/, and with no file extension.
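Each of those delivery rules can be checked mechanically before you ever touch a device. This is an added example, not code from the article: `checkAasa`, the shape of the captured `resp` object and the sample responses are assumptions constructed here.

```javascript
const AASA_PATH = "/.well-known/apple-app-site-association";
const APP_ID = "YOUR_TEAM_ID.com.example.yourapp"; // placeholder from the AASA file above

// resp (hypothetical shape): { requestedUrl, finalUrl, status, contentType, body }
function checkAasa(resp, appId) {
  const problems = [];
  const url = new URL(resp.requestedUrl);
  if (url.protocol !== "https:") problems.push("not served over HTTPS");
  // Exact match rejects both a wrong directory and a ".json" extension.
  if (url.pathname !== AASA_PATH) problems.push("wrong path or file extension");
  // A 3xx status or a changed final URL means a redirect is involved.
  if ((resp.status >= 300 && resp.status < 400) || resp.finalUrl !== resp.requestedUrl)
    problems.push("redirected");
  else if (resp.status !== 200) problems.push(`unexpected status ${resp.status}`);
  // Ignore parameters such as "; charset=utf-8" when comparing the media type.
  const mediaType = (resp.contentType || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") problems.push("wrong Content-Type");
  let doc;
  try {
    doc = JSON.parse(resp.body);
  } catch {
    problems.push("body is not valid JSON");
    return problems;
  }
  const apps = doc && doc.webcredentials && doc.webcredentials.apps;
  if (!Array.isArray(apps)) problems.push("webcredentials.apps missing");
  else if (!apps.includes(appId)) problems.push("App ID not listed");
  return problems;
}

// Constructed sample responses.
const body = JSON.stringify({ webcredentials: { apps: [APP_ID] } });
const base = `https://example.com${AASA_PATH}`;
const good = { requestedUrl: base, finalUrl: base, status: 200,
  contentType: "application/json; charset=utf-8", body };
const redirected = { ...good, finalUrl: `https://www.example.com${AASA_PATH}` };
const misnamed = { requestedUrl: `${base}.json`, finalUrl: `${base}.json`,
  status: 200, contentType: "text/plain", body: '{"webcredentials":{"apps":[]}}' };

console.log(checkAasa(good, APP_ID), checkAasa(redirected, APP_ID),
  checkAasa(misnamed, APP_ID));
```

Capture the real response in Node with `fetch(url, { redirect: "manual" })` so a redirect surfaces as a 3xx status instead of being followed silently.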

With Rork Max you never open Xcode, so the Associated Domains entry has to be requested in your generation prompt: ask explicitly for webcredentials on your domain, then confirm it landed in the entitlements before moving on. The lesson from Core NFC applies unchanged here — when a capability is involved, correct generated code still fails silently on device if the signing configuration is missing.
