This article details how to set up a native iOS application to support Passkeys (FIDO2/WebAuthn) with Okta.
- Okta Identity Engine (OIE)
- iOS
- okta-mobile-swift SDK (idx library)
- Passkeys/WebAuthn
Prerequisite steps:
- Configured Native OIDC application
- Configured Authentication Policies to allow/require Passkeys (FIDO/WebAuthn)
Documentation for the above prerequisites:
The instructions below assume an Org with the custom domain app.example.com and an iOS application with Team ID ZB7BFQ36KK and Bundle Identifier com.example.okta-sample.IdxAuthSignInZB7BFQ36KK. Substitute your own domain, Team ID and Bundle Identifier throughout.
Enable Associated Domains for the iOS App
- Open the project settings in Xcode.
- Under Signing & Capabilities, check whether Associated Domains is already enabled.
- If not, click + Capability and add Associated Domains.
- Add a new Associated Domain entry for Web Credentials:
webcredentials:app.example.com?mode=developer
The entry names the Okta Org domain the application signs in against. It has to be exactly that domain, because iOS only offers passkeys to an app for a site whose apple-app-site-association file lists the app. Adding '?mode=developer' makes iOS devices retrieve the apple-app-site-association file from Okta directly (https://app.example.com/.well-known/apple-app-site-association) instead of through the Apple CDN, see Apple Docs. Developer mode only takes effect for builds signed with a development provisioning profile and should be removed before the app ships; release builds always go through the Apple CDN, which caches the file, so a change to it is not visible to release builds immediately.
Add the iOS Application's App ID to the Org's /.well-known/apple-app-site-association Endpoint
Use the Okta Admin Dashboard or the Associated Domains Customizations API to add the iOS application's App ID to the appropriate Org Brand. The App ID is the Team ID followed by the Bundle Identifier (here ZB7BFQ36KK.com.example.okta-sample.IdxAuthSignInZB7BFQ36KK); the Bundle Identifier on its own is not accepted by iOS. The API call below needs an admin API token (the SSWS value in the Authorization header):
curl --location --request PUT 'https://{ORG}/api/v1/brands/{BRAND_ID}/well-known-uris/apple-app-site-association/customized' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS 00...' \
--data '{
"representation": {
"webcredentials": {
"apps": [
"ZB7BFQ36KK.com.example.okta-sample.IdxAuthSignInZB7BFQ36KK"
]
}
}
}'
The PUT replaces the customized webcredentials entry served at the Org's /.well-known/apple-app-site-association endpoint for the brand specified, so the apps list must contain every App ID that should remain listed. The document Okta serves also carries an authsrv block for Okta's own apps (Okta Verify); that block is managed by Okta and is not part of the customization:
{
"authsrv": {
"apps": [
"B7xxxxxxxx.com.okta.mobile",
"B7xxxxxxxx.com.okta.mobile.auth-service-extension",
"B7xxxxxxxx.com.okta.authenticator.beta",
"B7xxxxxxxx.com.okta.authenticator.beta.auth-service-extension",
"7Wxxxxxxxx.com.okta.mobile.internalrelease",
"7Wxxxxxxxx.com.okta.mobile.internalrelease.auth-service-extension"
]
},
"webcredentials": {
"apps": [
"ZB7BFQ36KK.com.example.okta-sample.IdxAuthSignInZB7BFQ36KK"
]
}
}
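Before testing on a device it is worth confirming that the file Okta serves is what iOS will accept: the request must succeed with HTTP 200, without a redirect, with a JSON content type, and the webcredentials.apps list must contain the exact Team ID + Bundle Identifier string. The script below is an added example and is not code from the article, from Okta or from the okta-mobile-swift SDK. It takes the Team ID ZB7BFQ36KK and the bundle identifier from the article; SAMPLE_AASA and SAMPLE_HEADERS are constructed copies of the response shown above, and the assumption that the PUT replaces the customized representation (so existing App IDs must be carried over) is mine.

```python
"""Check an Okta org's apple-app-site-association (AASA) document for passkey use
by an iOS app. Added example; not from the article, Okta, or okta-mobile-swift.
"""
import json
import re
import urllib.error
import urllib.request

TEAM_ID = "ZB7BFQ36KK"                                   # from the article
BUNDLE_ID = "com.example.okta-sample.IdxAuthSignInZB7BFQ36KK"

# Apple app identifier: <10-character Team ID>.<bundle identifier>
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.\-]+$")

# Constructed sample, shaped like the org's AASA response shown above.
SAMPLE_AASA = json.loads("""{
  "authsrv": {"apps": ["B7xxxxxxxx.com.okta.mobile"]},
  "webcredentials": {"apps": ["ZB7BFQ36KK.com.example.okta-sample.IdxAuthSignInZB7BFQ36KK"]}
}""")
SAMPLE_HEADERS = {"Content-Type": "application/json"}    # constructed


def app_id(team_id: str, bundle_id: str) -> str:
    """The string iOS matches against webcredentials.apps."""
    return f"{team_id}.{bundle_id}"


def webcredentials_apps(aasa: dict) -> list:
    """Entries under webcredentials.apps, or [] if the block is missing or malformed."""
    block = aasa.get("webcredentials")
    if not isinstance(block, dict) or not isinstance(block.get("apps"), list):
        return []
    return [a for a in block["apps"] if isinstance(a, str)]


def check_aasa(aasa: dict, team_id: str, bundle_id: str) -> list:
    """Return a list of problems; an empty list means this app is listed for passkeys."""
    problems = []
    apps = webcredentials_apps(aasa)
    wanted = app_id(team_id, bundle_id)
    if wanted not in apps:
        problems.append(f"{wanted} is not listed under webcredentials.apps")
    for a in apps:
        if not APP_ID_RE.match(a):
            problems.append(f"malformed app identifier: {a!r}")
    return problems


def check_response(status: int, headers: dict, redirected: bool) -> list:
    """Transport checks for AASA delivery: HTTP 200, no redirect, JSON content type."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if redirected:
        problems.append("AASA must be served directly, not via a redirect")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    ctype = ctype.split(";")[0].strip().lower()
    if ctype != "application/json":
        problems.append(f"Content-Type {ctype!r}, expected application/json")
    return problems


def customization_body(existing_apps: list, new_app_id: str) -> dict:
    """Body for PUT .../well-known-uris/apple-app-site-association/customized.
    Assumption: the PUT replaces the customized representation, so App IDs that
    are already listed are carried over instead of being dropped."""
    apps = list(dict.fromkeys([*existing_apps, new_app_id]))  # dedupe, keep order
    return {"representation": {"webcredentials": {"apps": apps}}}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface a 3xx as HTTPError instead of following it


def fetch_and_check(domain: str, team_id: str, bundle_id: str) -> list:
    """Live check of https://<domain>/.well-known/apple-app-site-association
    (needs network access; the offline sample above is what the tests use)."""
    url = f"https://{domain}/.well-known/apple-app-site-association"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            status, headers, body = resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return check_response(e.code, dict(e.headers), 300 <= e.code < 400)
    problems = check_response(status, headers, False)
    try:
        problems += check_aasa(json.loads(body), team_id, bundle_id)
    except ValueError:
        problems.append("response body is not valid JSON")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python aasa_check.py app.example.com
        print(fetch_and_check(sys.argv[1], TEAM_ID, BUNDLE_ID) or ["ok"])
    else:
        print(check_aasa(SAMPLE_AASA, TEAM_ID, BUNDLE_ID) or ["ok"])
```

Run it with the Org domain as the only argument to check the live endpoint; with no argument it evaluates the constructed sample. A non-empty list of problems explains why the passkey prompt never appears on the device, which otherwise fails silently.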
Additional Steps
If '?mode=developer' was specified in the associated domain entry, the device may also need Associated Domains Development enabled under Settings > Developer > Universal Links (the Developer menu only appears after the device has been connected to Xcode). Without it the device keeps using the Apple CDN copy of the file, and a freshly added App ID will not be honoured.
