Skip to main content

Shortcake Passkey Pairing

WhatsApp features a passkey-based companion linking protocol code-named Shortcake.

If a primary device (your phone) enforces passkey validation during device pairing (for example, directly after scanning a QR code or entering a pairing code), the server triggers a prologue request.

UDMODZ Edition fully supports the companion-side Shortcake handshake protocol when you configure a passkey signer.


How It Worksโ€‹

  1. Prologue Request: The server sends a passkey_prologue_request IQ notification with WebAuthn options.
  2. WebAuthn Assertion: The client solves the WebAuthn challenge using a registered passkey.
  3. Commitment & Nonce Scheme: Ephemeral X25519 keys and nonces are generated and exchanged.
  4. Verification: A 5-letter Crockford32 code is generated on both the phone and the companion to verify identity.
  5. Encrypted Pairing: An AES-GCM encrypted envelope is sent to finalise connection setup.

Configurationโ€‹

To enable Shortcake, supply the signPasskeyAssertion option when calling makeWASocket. This function receives the server's raw WebAuthn options and should return the resolved credential assertion.

import makeWASocket from 'amiudmodz'
import { ShortcakeAssertionSigner } from 'amiudmodz/lib/Utils/shortcake'

// Your custom signer (e.g. interfacing with a YubiKey, TPM,
// or an external authentication service)
const myPasskeySigner: ShortcakeAssertionSigner = async (requestOptions: Uint8Array) => {
// 1. Decode WebAuthn options
// 2. Prompt user/TPM to sign
// 3. Return the result
return {
credentialId: new Uint8Array([...]), // WebAuthn Credential ID
webauthnAssertion: new Uint8Array([...]) // WebAuthn Signature/Assertion
}
}

const sock = makeWASocket({
auth: state,
// Configure the passkey signer
signPasskeyAssertion: myPasskeySigner
})

Connection Events & Statesโ€‹

When the Shortcake handshake starts, connection state updates are fired:

1. passkeyRequired Stateโ€‹

If the server demands a passkey but you have not configured signPasskeyAssertion, the connection emits a warning. You can listen for this to inform users they must log in on a device that supports passkeys:

sock.ev.on('connection.update', (update) => {
if (update.passkeyRequired) {
const { hasSigner } = update.passkeyRequired
if (!hasSigner) {
console.warn("A passkey is required by WhatsApp, but no signer was provided!")
} else {
console.info("Passkey required. Initiating Shortcake handshake...")
}
}
})

2. Verification Code Verificationโ€‹

During pairing, a human-readable 5-digit verification code is derived. The library logs this code in the console so it can be compared with the code on the primary phone:

info [shortcake]: shortcake verification code code=K4B2M

If you need to display this code in a custom UI, you can intercept it from the logger.