# Frequently Asked Questions
## What are passkeys?
Passkeys are a replacement for passwords. They use your device’s biometric sensor (fingerprint, face) or PIN to authenticate. Passkeys are phishing-resistant, can’t be reused, and can sync across your devices.
TryMellon handles the server-side of passkeys (WebAuthn) so you don’t have to.
## What happens if a user loses their device?
Use the account recovery flow:
- User requests recovery via email OTP
- User verifies OTP
- User registers a new passkey on their new device
See Account Recovery.
## Why is there no password reset?
TryMellon is passwordless. There are no passwords to reset. Authentication is based on passkeys (cryptographic key pairs) stored on the user’s device. Recovery is done via email OTP + new passkey registration.
## Which browsers support passkeys?
All major browsers support WebAuthn Level 2:
| Browser | Passkeys | Conditional UI |
|---|---|---|
| Chrome 108+ | ✅ | ✅ |
| Safari 16+ | ✅ | ✅ |
| Firefox 122+ | ✅ | ✅ |
| Edge 108+ | ✅ | ✅ |
| Chrome Android | ✅ | ✅ |
| Safari iOS 16+ | ✅ | ✅ |
See Browser Support for the full matrix.
## What if the user’s browser doesn’t support WebAuthn?
TryMellon provides an email OTP fallback. If WebAuthn is not available, the SDK can fall back to email-based authentication. See Email Fallback.
## Can I use TryMellon without a backend?
For development: yes, use sandbox mode. The SDK simulates all WebAuthn ceremonies without a backend.
For production: you need a backend to validate session tokens. The SDK handles the client-side ceremony; your backend calls `GET /v1/sessions/validate` to trust the result.
## Do passkeys sync between devices?
Yes, if the user’s platform supports it:
- Apple: iCloud Keychain syncs passkeys across iPhone, iPad, Mac
- Google: Google Password Manager syncs across Android + Chrome
- Microsoft: Windows Hello passkeys are device-bound (no sync yet)
TryMellon’s SDK detects synced vs device-bound passkeys via the `backup_eligible` and `backup_state` flags.
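The `backup_eligible` and `backup_state` values above correspond to the BE and BS bits of the flags byte in WebAuthn authenticator data. As an added example (not TryMellon's SDK or API code), the following parses that fixed 37-byte header and classifies the credential; the three-way `credential_kind` labels and the sample byte strings are this example's own constructions.

```python
import struct

# Bit positions of the WebAuthn authenticator-data flags byte
# (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # User Present
FLAG_UV = 1 << 2  # User Verified
FLAG_BE = 1 << 3  # Backup Eligibility: credential may be synced
FLAG_BS = 1 << 4  # Backup State: credential is currently backed up
FLAG_AT = 1 << 6  # Attested credential data included
FLAG_ED = 1 << 7  # Extension data included


def parse_flags(auth_data: bytes) -> dict:
    """Decode the fixed header of WebAuthn authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
    Returns the decoded flags plus a sync classification (names are this example's own).
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    backup_eligible = bool(flags & FLAG_BE)
    backup_state = bool(flags & FLAG_BS)
    # The spec does not allow BS to be set when BE is clear; treat it as malformed.
    if backup_state and not backup_eligible:
        raise ValueError("backup_state set on a non-backup-eligible credential")
    if not backup_eligible:
        kind = "device-bound"
    elif backup_state:
        kind = "synced"          # multi-device credential, currently backed up
    else:
        kind = "synced-pending"  # eligible for sync but not yet backed up
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backup_state": backup_state,
        "sign_count": sign_count,  # synced passkeys commonly report 0 here
        "credential_kind": kind,
    }


# Constructed sample: zero rpIdHash, flags = UP|UV|BE|BS (0x1D), signCount 0.
SYNCED_SAMPLE = bytes(32) + bytes([0x1D]) + (0).to_bytes(4, "big")
# Constructed sample: flags = UP|UV (0x05), signCount 7: a device-bound credential.
DEVICE_BOUND_SAMPLE = bytes(32) + bytes([0x05]) + (7).to_bytes(4, "big")

if __name__ == "__main__":
    for label, sample in (("synced", SYNCED_SAMPLE), ("device-bound", DEVICE_BOUND_SAMPLE)):
        print(label, parse_flags(sample))
```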
## How do I migrate users who have passwords?
Use TryMellon alongside your existing auth. When users log in with their password, prompt them to register a passkey. Over time, users migrate organically.
The Entity Enrollment feature (Growth plan+) provides tools for bulk user invitations to register passkeys.
## Is TryMellon GDPR compliant?
TryMellon stores no PII by default. User identifiers are pseudonymous (`external_user_id` is whatever you provide). We don’t store names, emails, or phone numbers.
Audit logs are retained for 90 days and can be purged. User deletion cascades to all credentials and sessions.
## What’s the latency?
- Challenge creation (start): p99 < 100ms
- Signature verification (finish): p99 < 200ms
- Total ceremony (start + WebAuthn + finish): depends on user interaction speed, typically 2-5 seconds
The SDK adds < 5ms overhead. The bottleneck is the user’s biometric/PIN interaction.
## How much does it cost?
| Plan | Price | Users | Apps |
|---|---|---|---|
| Free | $0/mo | 1,000 | 1 |
| Pro | $79/mo | 100,000 | 5 |
| Growth | $79/mo | 100,000 | 5 |
| Scale | $159/mo | 100,000 | 10 |
| Enterprise | Custom | Unlimited | Unlimited |
See Pricing for full details.