Dapple Concepts
Dapple profile
A Dapple profile is tied to an individual (you), not to a single organization. One profile can include multiple accounts (for different organizations) and can be used across multiple devices.
Dapple account
A Dapple account is a container for passkeys and related metadata. You can create multiple Dapple accounts to organize passkeys (for example, separate personal and work accounts).
An account also lets you associate your Dapple profile with an organization. If your organization uses Dapple, an administrator can send you an invite token. Applying that invite links your account to the organization and allows you to create passkeys that grant access to the organization's resources.
Accounts keep passkeys grouped and labeled so it's easy to see which keys belong to which organization or purpose.
Dapple organization
A Dapple organization represents a company or team that uses Dapple to manage access to its apps and systems. Organizations can invite users to join by providing invite tokens. When you accept an invite, your Dapple account becomes associated with the organization and you can create or use passkeys scoped to that organization's resources.
Organization administrators can manage membership and view metadata (such as account nicknames), but they do not receive your biometric data or private key material.
Passkeys
- The actual passkey material remains on the device where it was created.
- Dapple synchronizes only metadata (creation device, last-used time, etc.) via the cloud.
- If needed, Dapple can regenerate passkeys using biometric information enrolled in the profile.
Recovery key
- During enrollment you are shown a recovery key (QR code). This key plus a biometric scan lets you recover your profile on a new device.
- Any device that is enrolled with Dapple can be used to display the recovery key so that you can enroll a new device.
- Store the recovery key securely; if you lose all your Dapple-enrolled devices, you will need a separate copy for recovery on a new device.
Credential provider
- Dapple can be enabled as a credential provider (on Android/iOS) so passkeys created by browsers or apps can be saved directly into Dapple.
Restricted domains
A restricted domain is a DNS domain that an organization claims and verifies as belonging to them. When an organization verifies control of a domain (by publishing a DNS TXT record that contains a cryptographic verification string generated from the organization's admin portal), the domain can be marked as "restricted" for that organization.
When a domain is restricted, any Dapple passkey created for usernames that use that domain (for example, user@company.com) can be associated with and managed by the organization. This allows organization administrators to discover and manage passkeys tied to their domain (for example, to assist with troubleshooting, or to monitor usage).
How to claim a restricted domain (high level):
- An organization administrator generates a verification token from the Dapple admin portal.
- The administrator publishes the token as a DNS TXT record on the domain to prove control.
- Dapple verifies the DNS record (verification may take time due to DNS propagation) and marks the domain as restricted for that organization.
Notes and caveats:
- Restricted domains affect passkeys created for usernames in that domain; they do not grant access to users' biometrics or private keys.
- Adding a restricted domain only affects new passkey creation for passkeys scoped to that domain; existing passkeys are unaffected.
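The following is an added illustration of the domain-claim check and the username scoping described above; it is not Dapple's own code, and the TXT record layout (`dapple-site-verification=<token>`), the function names and the sample DNS answers are assumptions made for the example. The resolver is injected so the check runs offline; a missing record is treated as "pending" rather than as a failure, since DNS propagation takes time.

```python
import secrets
from typing import Callable, List

# Assumed record layout (not Dapple's documented format): the TXT value is
# "dapple-site-verification=<token issued by the admin portal>".
PREFIX = "dapple-site-verification="


def issue_verification_token() -> str:
    """Unguessable token for the administrator to publish as a TXT record."""
    return secrets.token_urlsafe(32)


def _clean_txt(value: str) -> str:
    """Join quoted TXT string chunks ('"abc" "def"') and strip whitespace."""
    parts = [p.strip().strip('"') for p in value.strip().split('" "')]
    return "".join(parts).strip()


def verify_domain(domain: str, expected_token: str,
                  lookup_txt: Callable[[str], List[str]]) -> str:
    """Return 'verified', 'pending' (no record yet) or 'mismatch'."""
    domain = domain.strip().rstrip(".").lower()
    records = [_clean_txt(r) for r in lookup_txt(domain)]
    candidates = [r[len(PREFIX):] for r in records if r.startswith(PREFIX)]
    if not candidates:
        return "pending"          # record not published or not propagated yet
    # Exact, constant-time comparison; a substring test would accept
    # a record such as "<token>extra".
    if any(secrets.compare_digest(c, expected_token) for c in candidates):
        return "verified"
    return "mismatch"


def username_domain(username: str) -> str:
    """Normalised domain part of a username such as user@company.com."""
    if "@" not in username:
        return ""
    return username.rsplit("@", 1)[1].strip().rstrip(".").lower()


def is_restricted(username: str, restricted_domains: set) -> bool:
    """True if the username's domain is exactly one of the restricted domains
    (subdomain inheritance is not assumed, as the page does not describe it)."""
    return username_domain(username) in {d.lower() for d in restricted_domains}


# Constructed sample DNS answers for the example; not real data.
FAKE_DNS = {
    "company.com": ['"dapple-site-verification=tok123"', '"v=spf1 -all"'],
    "other.com": ['"dapple-site-verification=wrongtoken"'],
}


def fake_lookup(domain: str) -> List[str]:
    return FAKE_DNS.get(domain, [])
```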