●BUILD — Rork Max generates native Swift apps, reaching areas React Native struggles to touch●PLATFORM — Rork Max supports iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and iMessage●NATIVE — Tap native features like HealthKit, Core ML, NFC, Dynamic Island, and Live Activities●TEST — A browser-based streaming iOS simulator lets you test without Xcode or a Mac●DEPLOY — Automated builds, certificates, and App Store submission simplify shipping●PRICE — Start free; paid plans begin at $25/month and Rork Max is $200/month●BUILD — Rork Max generates native Swift apps, reaching areas React Native struggles to touch●PLATFORM — Rork Max supports iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and iMessage●NATIVE — Tap native features like HealthKit, Core ML, NFC, Dynamic Island, and Live Activities●TEST — A browser-based streaming iOS simulator lets you test without Xcode or a Mac●DEPLOY — Automated builds, certificates, and App Store submission simplify shipping●PRICE — Start free; paid plans begin at $25/month and Rork Max is $200/month
Logins Without Stored Passwords: Adding Passkey Authentication to a Rork Max App
How to add passkey authentication to a Swift app generated by Rork Max: Associated Domains setup, WebAuthn server verification with working code, and the device-testing pitfalls that cost me half a day.
For a while, the single most common message in my app's support inbox was some variation of "I forgot my password." Not bug reports — people locked out of their own accounts. As an indie developer, that kind of quiet operational cost adds up week after week.
Since switching to passkeys, those messages have all but disappeared. Users authenticate with Face ID, and my server no longer stores the one secret whose leak would be catastrophic. This is the process I followed to add passkey authentication to a Swift app generated by Rork Max, including the places where I got stuck.
What passkeys change, and what they don't
Passkeys are built on WebAuthn public-key authentication. The device generates a private key and hands the server only the public half. At sign-in, the server issues a challenge, the device signs it, and the server verifies the signature with the stored public key. Because there is no shared secret sitting on both sides, a server breach doesn't leak credentials. The private key syncs through iCloud Keychain, so it survives a phone upgrade.
What doesn't change: you still need a server. Issuing challenges, verifying signatures, and storing public keys are server-side jobs, and a "client-only passkey" is not a thing. Rork Max generates the native Swift client for you, but half of this article is necessarily about the backend.
Passkeys also play a different role from "sign in with someone else's account." Federated login delegates identity to Apple; passkeys keep your own account system and simply remove the password from it. I covered the federated side in implementing Sign in with Apple server verification and account deletion, and running both side by side is a perfectly reasonable design.
The foundation: Associated Domains and the AASA file
A passkey is bound to a domain, and the app and server must agree on which one. That binding is Associated Domains. I remember it as a three-part set:
Give the app an Associated Domains entry of webcredentials:example.com
Serve an AASA file at https://example.com/.well-known/apple-app-site-association
List your App ID (TeamID.BundleID) inside that file
The delivery requirements are quietly strict, and I lost half a day here. It must be served over HTTPS with no redirects, with Content-Type: application/json, directly under /.well-known/, and with no file extension.
With Rork Max you never open Xcode, so the Associated Domains entry has to be requested in your generation prompt: ask explicitly for webcredentials on your domain, then confirm it landed in the entitlements before moving on. The lesson from Core NFC applies unchanged here — when a capability is involved, correct generated code still fails silently on device if the signing configuration is missing.
✦
Thank you for reading this far.
Continue Reading
What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.
WHAT YOU'LL LEARN
✦A setup checklist that gets webcredentials and apple-app-site-association working on the first try
✦Both registration and sign-in flows carried end to end with working Swift and Node.js (@simplewebauthn/server) code
✦How to isolate error 1004 (RP ID mismatch), AASA caching, and the other traps that only appear on a real device
Secure payment via Stripe · Cancel anytime
✦
Unlock This Article
Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.
Registration: the server issues a challenge, the device returns a public key
Server first. Hand-rolling WebAuthn verification is how vulnerabilities happen, so I use the well-tested @simplewebauthn/server. This is the minimal shape — issuing registration options and verifying the attestation:
// server/passkey.ts — what this solves: issuing the registration challenge and verifying attestationimport { generateRegistrationOptions, verifyRegistrationResponse,} from "@simplewebauthn/server";const rpID = "example.com"; // RP ID = your domain; must match the app exactlyconst origin = `https://${rpID}`;export async function startRegistration(userId: string, userName: string) { const options = await generateRegistrationOptions({ rpName: "Your App", rpID, userID: new TextEncoder().encode(userId), userName, attestationType: "none", authenticatorSelection: { residentKey: "required", userVerification: "required" }, }); await saveChallenge(userId, options.challenge); // store with an expiry return options;}export async function finishRegistration(userId: string, body: unknown) { const expectedChallenge = await loadChallenge(userId); const verification = await verifyRegistrationResponse({ response: body as any, expectedChallenge, expectedOrigin: origin, expectedRPID: rpID, }); if (!verification.verified || !verification.registrationInfo) { throw new Error("registration failed"); } const { credential } = verification.registrationInfo; await savePublicKey(userId, credential.id, credential.publicKey, credential.counter); return { ok: true };}
If you skip storing and matching the challenge, you are wide open to replay. Don't skip it.
On the client, the Swift side looks like this — added as an authentication manager alongside the code Rork Max generated:
// PasskeyRegistration.swift — what this solves: creating a credential from the server's challengeimport AuthenticationServicesfinal class PasskeyRegistrar: NSObject, ASAuthorizationControllerDelegate, ASAuthorizationControllerPresentationContextProviding { private let rpID = "example.com" func register(challenge: Data, userID: Data, userName: String) { let provider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: rpID) let request = provider.createCredentialRegistrationRequest( challenge: challenge, name: userName, userID: userID) let controller = ASAuthorizationController(authorizationRequests: [request]) controller.delegate = self controller.presentationContextProvider = self controller.performRequests() } func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) { guard let cred = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialRegistration else { return } // POST rawAttestationObject / rawClientDataJSON / credentialID to the server sendToServer(attestation: cred.rawAttestationObject, clientData: cred.rawClientDataJSON, credentialID: cred.credentialID) } func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) { // Error taxonomy below; 1004 almost always means a configuration mismatch print("passkey registration error: \(error)") } func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor { ASPresentationAnchor() }}
The flow: fetch a challenge from startRegistration, call register, and forward the attestation your delegate receives to finishRegistration. The Face ID sheet appears and the whole thing finishes in about two seconds.
Sign-in: nothing counts until the server verifies the signature
Sign-in mirrors registration. The server issues an authentication challenge, the device signs it with the stored private key, and the server verifies against the saved public key.
// PasskeySignIn.swift — what this solves: obtaining a signature from a saved passkeyfunc signIn(challenge: Data) { let provider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: "example.com") let request = provider.createCredentialAssertionRequest(challenge: challenge) let controller = ASAuthorizationController(authorizationRequests: [request]) controller.delegate = self controller.presentationContextProvider = self controller.performRequests()}
Your delegate receives an ASAuthorizationPlatformPublicKeyCredentialAssertion; send its signature, rawClientDataJSON, rawAuthenticatorData, and credentialID to the server. There, verifyAuthenticationResponse takes the stored public key and counter, and only on success do you mint a session. Update the stored counter on every successful verification — forget that, and cloned-authenticator detection stops working.
One small UX note: tag your sign-in field with .textContentType(.username) and the QuickType bar will offer the passkey through AutoFill. In my app that path converted better than a dedicated button, so I made it the default.
The three places real-device testing stalled
First, error 1004. If you see a message to the effect of "Application with identifier is not associated with domain," the cause is almost certainly an RP ID/domain mismatch or an AASA file that couldn't be fetched. If you run your API on a subdomain, note that using api.example.com as the RP ID makes those credentials entirely separate from ones registered under example.com. Pick one RP ID and keep it identical across registration and sign-in.
Second, AASA caching. Apple fetches your AASA through its CDN and caches it, so fixing the file on your server doesn't reach devices immediately. During development, set the entitlement to webcredentials:example.com?mode=developer to bypass the CDN and fetch directly. You can inspect the state with swcutil on a Mac, but my working routine became: confirm everything passes in developer mode first, then let production mode propagate overnight.
Third, the simulator. Passkeys live in iCloud Keychain, so a simulator that isn't signed in to an Apple Account fails the registration sheet immediately. Rork Max's in-browser simulator is fine for walking the UI, but for the full credential round trip, a signed-in physical device is simply the fastest path — that was my conclusion.
For existing users, I recommend not forcing migration. Right after a successful password login, offer once: "Next time, sign in with Face ID." In that order, the user is already authenticated when they enter the registration flow, so no extra identity check is needed.
What the numbers looked like afterward
One month in, password-reset requests went from a dozen-plus per month to zero. Median time from screen load to completed sign-in dropped from about nine seconds to just over two. Roughly forty percent of users accepted the passkey prompt; the rest still use passwords. Running both paths costs a little extra code, but forcing registration to shorten the transition would, I believe, just trade it for churn you can't recover.
Where to start
The order that worked: get the AASA file serving correctly first, verify the registration flow on a device in developer mode, then harden sign-in and counter updates. Start by checking that your own /.well-known/apple-app-site-association returns with the right Content-Type.
Rork Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.