Passkeys
A passkey is an optional, faster sign-in for mirepoix. This page explains what one is, why mirepoix offers them, and what happens when you lose a device that holds one.
What a passkey is
A passkey is a credential your device generates and stores for one site — for mirepoix, the domain you sign in on. (The hosted service is mirepoix.recipes; a self-hosted instance uses its own domain.) There are two halves: a private half your device keeps and never shares, and a public half mirepoix stores against your account.
When you sign in, the browser asks your device to prove it still holds the private half. You unlock that proof the same way you unlock your device — Face ID, Touch ID, Windows Hello, an Android lock screen, a security key, a PIN. mirepoix only sees the proof; the private half never leaves your device.
A passkey isn’t a password. There’s nothing to type, nothing to remember, and nothing for an attacker to phish: the proof only works on the mirepoix site you registered it on, from a device that holds the right private half.
Where passkeys live
Modern operating systems and password managers store and sync your passkeys for you. The same passkey usually appears on every device signed into the same platform account:
- Apple devices — iCloud Keychain syncs passkeys across iPhone, iPad, and Mac.
- Google — Google Password Manager syncs across Chrome on Android, Windows, macOS, and Linux.
- Microsoft — Windows Hello stores passkeys, with optional sync through your Microsoft account.
- Third-party password managers — 1Password, Bitwarden, Dashlane, and others store passkeys in their vaults alongside everything else.
- Hardware security keys — physical USB or NFC keys like a YubiKey hold passkeys directly. Not synced; you carry the key.
Whatever you already use to remember your accounts is where mirepoix’s passkey lives.
Why mirepoix offers them
mirepoix has no passwords. There’s no password to set, no password to forget, no password to phish. Sign-in is by 8-character code emailed to you (see Signing in) — universal, but it takes a trip to your inbox each time you sign in on a fresh device.
A passkey skips that trip. Add one from Settings → Passkeys; the sign-in page then offers Sign in with a passkey next to Send me a sign-in code. Both buttons land you on the same account.
Passkeys are an option, not a requirement. The email-code path stays available on every device, even ones that never registered a passkey.
What this means in practice
- One passkey usually covers your devices. Platform sync delivers the same passkey to your other devices on the same account; you rarely need to add one on each.
- You can hold many passkeys at once. The Settings → Passkeys list shows each one with the date it was added and the last time it was used. Tap Remove on any row to revoke it.
- The Sign in with a passkey button appears in any browser that supports passkeys, whether or not this device has one registered. Tap it without a matching passkey and the platform picker just won’t find one — fall back to the email-code path.
- If you lose a device: another device on the same platform account still has the passkey (for the synced kinds). The email-code path always works to sign in elsewhere and add a new passkey.
- mirepoix can’t share a passkey between browsers on its own. Passkey sync is the platform’s job, not mirepoix’s.
See also
- Signing in — both the email-code and passkey paths
- Settings → Passkeys — add and remove passkeys
- Your profile