fix: add WebAuthn permissions to Permissions-Policy header

Larkooo · claude · Larkooo · commit d468d7cd236f · 2026-03-10T15:05:42.000-05:00
Passkeys triggered inside an iframe require the server to explicitly
allow the WebAuthn API via the Permissions-Policy header. Without
publickey-credentials-create and publickey-credentials-get, the browser
blocks the WebAuthn call before it reaches the passkey flow.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/keychain/vercel.json b/packages/keychain/vercel.json
@@ -17,7 +17,7 @@
         },
         {
           "key": "Permissions-Policy",
-          "value": "camera=(), microphone=(), geolocation=()"
+          "value": "camera=(), microphone=(), geolocation=(), publickey-credentials-create=*, publickey-credentials-get=*"
         }
       ]
     },

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`},`
`18`	`18`	`{`
`19`	`19`	`"key": "Permissions-Policy",`
`20`		`- "value": "camera=(), microphone=(), geolocation=()"`
	`20`	`+ "value": "camera=(), microphone=(), geolocation=(), publickey-credentials-create=, publickey-credentials-get="`
`21`	`21`	`}`
`22`	`22`	`]`
`23`	`23`	`},`