No password database
There is no password hash to steal or reuse because sign-in does not depend on a reusable password.
Passkeys remove the need for passwords in Novlet. Your device keeps the private key. The server verifies signed challenges and stores session records.
There is no password hash to steal or reuse because sign-in does not depend on a reusable password.
The browser and device sign a one-time challenge. The private key does not leave the device or password manager.
Admin access is a separate server-side allowlist in Supabase, not a client flag and not a password role.