It's SUPER important to note that the iCloud authenticator (TouchID / FaceID) only allows one credential per domain per email registered with iCloud. You need to be able to query the stored credential id from the server and pass it into options to prevent iCloud from overwriting it if the user accidentally goes through a "registration" (create passkey) flow - otherwise you can get into a limbo where the user can't log in with the passkey, and can't update the passkey on the server side.
Great point! Thanks for bringing it up!