Passkey authentication
WebAuthn with device-bound private keys. Biometric checks happen on your device, never on our servers. No passwords to steal.
Security model
Your identity is protected
at every layer.
RocketID separates lookup, authentication, and purchase authorization into distinct security boundaries. Each step requires independent verification.
Encrypted profile storage
Address, phone, and identity fields are encrypted at rest. Lookup flows use hashes and challenge-based verification — profile data is never exposed on email entry.
Purchase authorization
Before purchase completion, RocketID issues a short-lived authorization token after the shopper confirms with their device biometric again.
Limited data disclosure
Merchants only receive what they need — shipping address and verification status. RocketID never shares raw card data or browsing behavior.
Architecture
Four distinct security layers
1
Lookup
Checks if an email has a RocketID. Returns available auth methods — no profile data.
2
Authentication
Passkey or OTP challenge. Issues a scoped session token on success.
3
Profile access
Session token grants access to read/write identity, addresses, and payment refs.
4
Purchase auth
Second biometric confirmation before checkout finalization. Issues a one-time authorization token.
Design principles
Built on four security guarantees
Possession-based
Identity is tied to the device holding the private key, not to a password a hacker can guess.
Verification before release
Profile data is only released after a successful passkey or OTP challenge — never on lookup alone.
Minimal surface area
Each API call is scoped. Session tokens are short-lived. There is no persistent login cookie.
User-controlled deletion
Account data, passkeys, and connected store history can be permanently deleted from the dashboard.
See it in action
Create a RocketID and experience passkey-first checkout identity.