Agency Login

Sign in without a password using a passkey or security key.

Passkeys not supported

Your browser or device does not support WebAuthn passkey authentication.

Supported browsers:

  • Chrome / Edge 108+
  • Safari 16+
  • Firefox 119+

A platform authenticator (Windows Hello, Touch ID, Face ID) or a hardware security key is also required.

WebAuthn / Passkeys

Passwordless public-key authentication — nothing sensitive leaves the device.

WebAuthn (Web Authentication API) is the W3C standard that allows browsers to authenticate users using public-key cryptography. The server never sees a password — only a signed challenge.

Passkeys is the consumer-facing term introduced by Apple, Google, and Microsoft for WebAuthn credentials that are cloud-synced across devices (via iCloud Keychain, Google Password Manager, etc.). All Passkeys are WebAuthn credentials, but not all WebAuthn authenticators are Passkeys — the standard also covers:

  • Hardware security keys — YubiKey, Google Titan, etc.
  • Platform authenticators — Windows Hello, Touch ID, Face ID (device-bound, not synced)

How it works

  1. Page load: browser support is checked; authentication starts automatically
  2. Server issues a one-time challenge (login-options)
  3. Device signs the challenge with its private key (never leaves the device)
  4. Server verifies the signature against the stored public key (login)
  5. On failure or cancellation, a Try again button is shown

Step 1 — Request challenge

POST /reseller/auth/webauthn/login-options

No request body — the server issues a discoverable-credential challenge, returning an empty allowCredentials list. The browser will offer all passkeys registered for the rpId. Optionally, resellerCode and username can be sent as JSON to let the server pre-filter to a specific user's credentials.

Step 2 — Verify assertion

POST /reseller/auth/webauthn/login (application/json)
{
  "assertion": { ... }
}

The assertion object is produced by the SimpleWebAuthn startAuthentication() call and passed to the server as-is.

200 (verification success), application/json
{
  "success": true,
  "redirect": "https://..."
}

400 (verification failure), application/json
{
  "message": "Invalid credential data. Please try again."
}

CORS requirements

Both WebAuthn endpoints are called via Fetch with credentials: 'include', so they carry the same CORS requirements as the AJAX page — the server must respond with:

  • Access-Control-Allow-Origin: <exact-origin>
  • Access-Control-Allow-Credentials: true

Configure the landing page origin in IRIX under Application CORS. Additionally, WebAuthn requires the page to be served over HTTPS — it will not work on plain HTTP.

The browser also enforces that the page origin is equal to or a subdomain of the rpId returned by the server. If the server is configured with rpId: "presentation.irix.dcsplus.net", the page must be served from that domain or a subdomain such as login.presentation.irix.dcsplus.net. Localhost will not work for end-to-end WebAuthn testing — the page must be deployed to the target domain first.
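
The two-step flow above as client code, with a preflight for the HTTPS and rpId rule (an added example, not code from this page or from IRIX). Assumptions: `https://irix.example` is a placeholder API host, login-options returns the WebAuthn request options directly (including `rpId`), and `startAuthentication` is a caller-supplied wrapper around the SimpleWebAuthn call that accepts those options; `fetchImpl` and `pageOrigin` are `fetch` and `location.origin` in a browser.

```javascript
// Added example; API_BASE, rpIdMatchesOrigin and passkeyLogin are illustrative names.
const API_BASE = 'https://irix.example'; // placeholder host (assumption)

// Preflight mirroring the browser rule: HTTPS page whose host equals the
// rpId or is a subdomain of it. Fails closed on malformed input.
function rpIdMatchesOrigin(pageOrigin, rpId) {
  let url;
  try { url = new URL(pageOrigin); } catch { return false; }
  if (url.protocol !== 'https:' || !rpId) return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  // The leading dot stops look-alike hosts ("evil" + rpId) from matching.
  return host === id || host.endsWith('.' + id);
}

async function passkeyLogin({ fetchImpl, startAuthentication, pageOrigin, user }) {
  const post = (path, body) => fetchImpl(API_BASE + path, {
    method: 'POST',
    credentials: 'include', // needs the exact-origin CORS headers listed above
    headers: body ? { 'Content-Type': 'application/json' } : {},
    body: body ? JSON.stringify(body) : undefined,
  });

  // Step 1: one-time challenge; `user` is the optional { resellerCode, username } filter.
  const optRes = await post('/reseller/auth/webauthn/login-options', user);
  if (!optRes.ok) return { ok: false, message: 'Could not obtain a challenge.' };
  const options = await optRes.json();
  if (options.rpId && !rpIdMatchesOrigin(pageOrigin, options.rpId)) {
    return { ok: false, message: `Page origin is outside rpId "${options.rpId}".` };
  }

  // Step 2: sign with the authenticator, then forward the assertion unchanged.
  let assertion;
  try {
    assertion = await startAuthentication(options);
  } catch (err) { // cancelled or no matching passkey: caller shows "Try again"
    return { ok: false, message: err.name || 'Authentication cancelled.' };
  }
  const res = await post('/reseller/auth/webauthn/login', { assertion });
  const data = await res.json();
  if (!res.ok || !data.success) return { ok: false, message: data.message };
  return { ok: true, redirect: data.redirect };
}
```

Running the preflight before invoking the authenticator turns a browser SecurityError into a readable configuration message, which is the usual symptom when the page is opened from localhost or a host outside the rpId.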

