Released Passcay over the weekend. Passcay is an open source Zig library for Passkey relying party, i.e. websites that want to support secure Passkey authentications. Passcay is pronounced exactly the same as "passkey". In hindsight, I probably should have named it Passquay, still pronounced the exact same way, to add a touch of Singaporean flair to it.
I’ve been using Zig as my primary language for about 1.5 month now, and I’m feeling increasingly confident with it. I do miss a few things from Rust — especially ownership and the memory safety it enforces — but overall, I’m happy with the switch. One downside: LLMs don’t seem to work as well for Zig as they do for Rust or JavaScript, likely due to the smaller corpus of example code available.
I made Passcay to solve my own problem. I am working on a web service that would be having passkey as native authentication rather than as 2nd factor authentication, above the insecure and privacy-affecting email-password login.
Learned a lot about WebAuthn, Passkey and especially Zig. Passcay currently links operation system's OpenSSL library for cryptographic verification as I could not seem to get ES256 and RS256 verifications to work solely through Zig's crypto standard library, std.crypto. I might be wrong and that std.crypto is complete and sufficient for Passkey validation. I am looking forward to pull requests or guide in that direction.
If you are a Zig developer and are looking for an easy and secure way to support passkey in your project, check out https://github.com/uzyn/passcay.