Keystore

List passkey keystores — self for users, all for admin/super_admin

GET /api/keystore
Authorizations
Authorization (string, required)
Bearer authentication header of the form Bearer <token>.
Query parameters
page (number, optional)

Page number (default: 1)

Example: 1
pageSize (number, optional)

Number of items per page (default: 10)

Example: 10
sort (string, optional)

Sort field and order. Use - prefix for descending. Example: -createdAt, createdAt

Example: -createdAt
select (string, optional)

Fields to select (comma separated). Use + prefix to include hidden fields. Example: name,status,+holders

populate (string, optional)

Relations to populate (comma separated). Example: wallet,token

Responses
200 Success

No content

GET /api/keystore/passkey/{email}/credentialIds
Path parameters
email (string, required)
Responses
200 Success

No content

Device B initiates ECDH passkey sync — returns OTP session

POST /api/keystore/passkey/request-link
Body
email (string, required)

Email of the account Device B wants to link to

pubKeyB (string, required)

Device B ephemeral ECDH public key (base64 or hex)

Responses
201 Success

No content

GET /api/keystore/passkey/pending-link
Query parameters
otp (string, required)
Responses
200 Success

No content

Device A stores ECDH-encrypted keystore blob for Device B

POST /api/keystore/passkey/approve-link
Body
otp (string, required)

OTP from the request-link session

encryptedForB (string, required)

AES-GCM encrypted mnemonic, key derived via ECDH (base64)

pubKeyA (string, required)

Device A ephemeral ECDH public key (base64 or hex)

Responses
201 Success

No content

Device B polls for the ECDH-encrypted keystore blob from Device A

GET /api/keystore/passkey/relay
Query parameters
otp (string, required)

OTP from the request-link session

email (string, required)

Email address — used to resolve the account for the relay key

Responses
200 Success

No content
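
The approve-link and relay steps above, as an added Node.js sketch that is not the service's own client code. The curve (P-256), HKDF-SHA-256 key derivation, blob layout, OTP binding and the relay response field names are assumptions, since this page does not specify them.

```javascript
const nodeCrypto = require('node:crypto');

// Assumptions of this sketch (the page does not specify them): curve P-256,
// HKDF-SHA-256, AES-256-GCM, blob layout iv(12) || ciphertext || tag(16).
const CURVE = 'prime256v1';

function newEphemeralKey() {
  const ecdh = nodeCrypto.createECDH(CURVE);
  return { ecdh, pub: ecdh.generateKeys('base64') };
}

// Bind the AES key to this link session: OTP and both public keys go into
// the HKDF info, so a blob cannot be replayed under another session.
function deriveKey(own, peerPub, otp, pubKeyA, pubKeyB) {
  const secret = own.ecdh.computeSecret(peerPub, 'base64');
  const info = Buffer.from(`passkey-link|${otp}|${pubKeyA}|${pubKeyB}`);
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 32));
}

// Device A: build the body for POST /api/keystore/passkey/approve-link.
function approveLink(mnemonic, otp, pubKeyB) {
  const a = newEphemeralKey();
  const key = deriveKey(a, pubKeyB, otp, a.pub, pubKeyB);
  const iv = nodeCrypto.randomBytes(12); // fresh per message
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(otp));
  const ct = Buffer.concat([c.update(mnemonic, 'utf8'), c.final()]);
  const blob = Buffer.concat([iv, ct, c.getAuthTag()]);
  return { otp, encryptedForB: blob.toString('base64'), pubKeyA: a.pub };
}

// Device B: decrypt the relay result (response field names are assumed to
// mirror the approve-link body). Throws if blob, OTP or pubKeyA was altered.
function openRelay(b, otp, relay) {
  const raw = Buffer.from(relay.encryptedForB, 'base64');
  if (raw.length < 12 + 16) throw new Error('blob too short');
  const key = deriveKey(b, relay.pubKeyA, otp, relay.pubKeyA, b.pub);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAAD(Buffer.from(otp));
  d.setAuthTag(raw.subarray(raw.length - 16));
  const body = raw.subarray(12, raw.length - 16);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}
```

Neither public key is authenticated in this sketch, and the page does not say how Device A confirms that pubKeyB came from Device B.
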

Device B registers its passkey and saves the decrypted keystore blob

POST /api/keystore/passkey/confirm-link
Body
otp (string, required)

OTP from the request-link session

email (string, required)

Email address — must match the account that owns the OTP session

challengeId (string, required)

Challenge ID from GET /auth/webauthn/challenge

credentialId (string, required)

WebAuthn credential ID

webauthnPublicKey (string, required)

DER/SPKI public key (base64)

attestation (string, required)

CBOR attestation object (base64)

clientDataJson (string, required)

WebAuthn clientDataJSON (base64)

authenticatorData (string, required)

WebAuthn authenticatorData (base64)

encryptedBlob (string, required)

Keystore blob encrypted with Device B derived key

deviceName (string, optional)

Human-readable device label (e.g. "Work Laptop")

Responses
201 Success

No content

Remove a passkey by ID (blocked if it is the last one)

DELETE /api/keystore/passkey/{id}
Path parameters
id (string, required)
Responses
200 Success

No content

Send password hint to account email

POST /api/keystore/srp/password-hint
Body
email (string, required)

Email address of the account to send the password hint to

Responses
201 Success

No content
