Why Novlet uses passkeys

Passkeys remove the need for passwords in Novlet. Your device keeps the private key. The server verifies signed challenges and stores session records.

No password database

There is no password hash to steal or reuse because sign-in does not depend on a reusable password.

Device-backed proof

The browser and device sign a one-time challenge. The private key does not leave the device or password manager.

Manual admin allowlist

Admin access is a separate server-side allowlist in Supabase, not a client flag and not a password role.

Read user agreement