Passage by 1Password
Passage by 1Password provides a passkey-first authentication API that lets agents register and authenticate users via FIDO2 WebAuthn biometrics with optional magic link fallback, backed by 1Password's security infrastructure.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Passkeys eliminate phishable credentials entirely; backed by 1Password security infrastructure with strong key management. No password storage on Passage servers reduces breach risk significantly.
⚡ Reliability
Best When
Best when an agent application targets modern browsers and mobile devices and wants enterprise-grade passkey auth without building WebAuthn ceremony logic.
Avoid When
Avoid when your user base skews toward older devices or browsers that lack WebAuthn support and a fallback-only experience would be unacceptable.
Use Cases
- Adding passkey-based biometric login to an agent-powered web or mobile application without building WebAuthn logic from scratch
- Issuing short-lived JWTs after passkey authentication for agents to authorize downstream API calls on behalf of users
- Replacing password reset flows in an existing app with magic link fallback, orchestrated by an agent when a passkey is unavailable
- Integrating user authentication into a React or Next.js agent frontend using Passage's pre-built UI components
- Validating Passage JWTs server-side to gate access to agent-driven workflows that require verified human identity
Not For
- Environments where end-user devices do not support WebAuthn (e.g., legacy browsers or kiosk terminals without biometric hardware)
- Machine-to-machine or service account authentication where there is no human user enrolling a passkey
- Applications requiring complex RBAC or fine-grained permission scopes beyond simple authenticated/unauthenticated
Interface
Authentication
An API key is used for Management API calls (user management, app config). After passkey authentication, Passage issues JWTs signed with keys published at its JWKS endpoint; agents validate these tokens server-side using that public endpoint.
Pricing
1Password acquired Passage in 2023; enterprise deals may be bundled with 1Password Business subscriptions.
Agent Metadata
Known Gotchas
- ⚠ Passkey registration and authentication require a browser with WebAuthn support; agents cannot complete these ceremonies server-side — a human must interact with the device authenticator
- ⚠ Passage JWTs have a default 1-hour TTL; agents running multi-step workflows must check token expiry and trigger re-authentication before the token expires, or downstream calls will fail with 401
- ⚠ The allowed origins list must include every domain (including localhost ports) where the agent frontend runs; a missing origin causes WebAuthn ceremony failures with a cryptic RP ID mismatch error
- ⚠ Magic link fallback emails have a 10-minute TTL and are single-use; agents that retry the same magic link URL after it has been consumed will receive a 410 Gone error
- ⚠ Passage's JWKS endpoint must be fetched to validate tokens; agents that cache JWKS without a rotation strategy will fail if 1Password rotates keys, so implement a cache-bust on 401 responses
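The token-expiry and JWKS-rotation gotchas above can be handled with a small helper like the following. This is an added example, not Passage or 1Password code: it refreshes the cached key set when a token names an unknown `kid` (the same idea as a cache-bust on 401, applied before the call fails) and pre-checks `exp` with a skew margin. `fetch_jwks` is an assumed caller-supplied function that returns the parsed JWKS document, all other names are hypothetical, and signature verification with the returned key is left to a JWT library.

```python
import base64
import json
import time


class JwksCache:
    """Cache JWKS entries by `kid`; refetch on an unknown kid, rate-limited."""

    def __init__(self, fetch_jwks, min_refresh_s=60, clock=time.time):
        self._fetch = fetch_jwks        # assumed callable returning {"keys": [...]}
        self._min_refresh_s = min_refresh_s
        self._clock = clock
        self._keys = {}
        self._last_fetch = None

    def key_for(self, kid):
        if kid not in self._keys:
            # Unknown kid usually means rotation. Refetch once, but not more
            # often than min_refresh_s, so junk kids cannot force a fetch storm.
            now = self._clock()
            if self._last_fetch is None or now - self._last_fetch >= self._min_refresh_s:
                self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
                self._last_fetch = now
        return self._keys.get(kid)      # None means: reject the token


def _b64url_json(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def unverified_parts(token):
    """Decode header and claims WITHOUT verifying; only to pick a key and pre-check exp."""
    header, payload, _sig = token.split(".")
    return _b64url_json(header), _b64url_json(payload)


def needs_reauth(claims, now, skew_s=60):
    """True when the token is expired or will expire within skew_s seconds."""
    return claims["exp"] - now <= skew_s


def make_sample_token(kid, exp):
    """Constructed, unsigned sample token for testing (signature part is a dummy)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "kid": kid})}.{enc({"sub": "user-1", "exp": exp})}.c2ln'
```

A `None` result from `key_for` must be treated as a validation failure, never as permission to skip verification.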
Alternatives
Scores are editorial opinions as of 2026-03-07.