[null,null,["最后更新时间 (UTC):2025-07-25。"],[[["\u003cp\u003eAfter initial deployment, focus on educating users about passkeys and guide them through creation, ideally prompting them after password-based login.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Password Manager can automatically prompt users to create passkeys for your website or app across various touchpoints, enhancing user experience and adoption.\u003c/p\u003e\n"],["\u003cp\u003eTo enable this feature, deploy a JSON file at \u003ccode\u003e/.well-known/passkey-endpoints\u003c/code\u003e on your server containing links to your passkey enrollment and management pages, ensuring proper configuration for seamless redirects.\u003c/p\u003e\n"],["\u003cp\u003eEnsure the passkey endpoint is hosted at the RP ID domain for accurate identification, even if password entries are associated with a different URL.\u003c/p\u003e\n"],["\u003cp\u003eFor Android apps, configure Android App Links for smooth redirection to your app's passkey creation page, while acknowledging that non-discoverable credentials are device-bound and not synced.\u003c/p\u003e\n"]]],[],null,["# Promote passkey upgrades in Google Password Manager\n\nIntegrating passkeys into your app or website is just the beginning of your\npasskey journey. After your initial deployment, one of the challenges you will\nlikely encounter is making sure your users understand what passkeys are and how\nto create them.\n\nYou should suggest creating a passkey immediately after the user signs in using\ntheir password and verifying with a second factor. Remembering passwords and\nentering one-time passwords while switching between different apps and tools can\nbe frustrating for users. Recommending the creation of a passkey at this moment is\nan opportune time, as users are likely feeling this frustration.\n\nIn addition to the self-managed promotions, Google Password Manager can now\nsuggest creating a new passkey on behalf of your website or app.\n\nThe user experience\n-------------------\n\nOn Pixel devices, Google Password Manager discovers that your website or app\nsupports passkeys, suggests users to create a new passkey, and directs them to\nyour passkey creation page.\n\n\u003cbr /\u003e\n\nGoogle Password Manager suggests that the user create a passkey when reviewing their list of existing passwords and passkeys.\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nGoogle Password Manager also suggests creating a passkey on the password checkup page.\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nUpon accepting the suggestion the user is directed to a list of domains where they can create a passkey. Tapping on an entry seamlessly redirects users to the corresponding enrollment page.\n\n\u003cbr /\u003e\n\nAdd passkey endpoints\n---------------------\n\nTo enable passkey upgrades in Google Password Manager, place a JSON file on your\nserver at `/.well-known/passkey-endpoints`. This is called [a \"passkey endpoints\nwell-known URL\" and is an open\nprotocol](https://github.com/ms-id-standards/MSIdentityStandardsExplainers/blob/main/PasskeyEndpointsWellKnownUrl/explainer.md)\nfor aligned parties to formally advertise their support for passkeys and provide\ndirect links for passkey enrollment and management. You can expect a similar\neffect on other platforms when they support passkey endpoints well-known URLs.\n\nFor example, if a relying party's domain is at\n`https://passkeys-demo.appspot.com`, the URL would be\n`https://passkeys-demo.appspot.com/.well-known/passkey-endpoints`.\n\nFrom the endpoint, serve a JSON file that looks something like this: \n\n {\n \"enroll\": \"https://passkeys-demo.appspot.com/home\",\n \"manage\": \"https://passkeys-demo.appspot.com/home\"\n }\n\n`enroll` should point at the URL where the user can create a passkey. `manage`\nshould point at the URL where the user can manage created passkeys.\n\nGoogle Password Manager refers to your passkey endpoints well-known URL when a\npassword entry exists but a passkey entry doesn't exist in the Google Password\nManager.\n| **Caution:** This means if your user uses passwordless authentication such as magic email links or SMS-based OTP authentication, they will not see the suggestion.\n\n### Determine the host to deploy the passkey endpoints well-known URL\n\nWhen the passkey enrollment URL is at `id.example.com` but the RP ID of the\npasskey is at `example.com`, which URL should the passkey endpoint be hosted at?\n\nThe passkey endpoint should be hosted at the RP ID domain. In the above example,\nthe endpoint URL should be `https://example.com/.well-known/passkey-endpoints`.\nEven if your password entry appears at `https://id.example.com` within your\npassword manager, it doesn't matter.\n\n### Complete the passkey upgrades form\n\nOnce you have deployed the passkey endpoints well-known URL, fill out [this form](https://docs.google.com/forms/d/e/1FAIpQLScXrQIb-qJHshJE17HcSO4kKw_XamH7WF3uY1EHMa43reNEBA/viewform).\n\n### Support Android apps\n\nTo navigate the user to your Android app's passkey creation page, you can set up\n[Android App Links](https://developer.android.com/training/app-links) so that\nthe web URL owned by you can be redirected to your app's specific fragment.\n| **Warning:** On Android, [non-discoverable credentials are bound to the\n| device](/identity/passkeys/faq#can_an_rp_still_create_device-bound_credentials_that_arent_synchronized) and are not synced. You shouldn't deploy passkey endpoints if you only support non-discoverable credentials."]]