What is the Android Credential Manager API?

It is a single Jetpack API for handling sign-in and credential creation on Android. Where supporting different credential types used to mean integrating separate APIs for passwords, federated sign-in, and passkeys, Credential Manager consolidates them: you call it to create a credential at registration or get one at sign-in, and the system presents a unified account selector drawing on the user's installed credential providers. So the app works through one API and one coherent UI, and that single flow includes passkeys alongside passwords and federated sign-in like Sign in with Google.

What credential types does Credential Manager support?

Passkeys, passwords, and federated sign-in, through one interface. Passkeys, built on FIDO and WebAuthn, are passwordless and phishing-resistant because the credential is bound to your site or app and cannot be entered on a look-alike. Passwords are still supported, retrieved from the user's credential provider. Federated sign-in such as Sign in with Google is handled through the same API. A unified system UI ties these into one account selector, backed by the user's installed password and passkey managers, so one integration offers users whichever credential they have, with passkeys as the strongest.

Should I adopt passkeys through Credential Manager?

Yes, passkeys are the preferred option to encourage. Because they are passwordless and phishing-resistant, they remove password reuse and phishing risk, and Credential Manager makes them available through the same flow as passwords and federated sign-in, so adopting them does not require a separate path. Offer passkey creation so users can move to passkeys, while keeping passwords and federated sign-in for users who need them. Treating passkeys as the strongest option you promote, within one unified flow, is the modern approach the API is designed to enable.

How do I check my app's authentication handling?

Scan the build. A pre-submission scan such as PTKD.com reads the compiled APK or AAB against OWASP MASVS and assesses how your app handles authentication and credentials, which helps you confirm you are using a modern sign-in approach and handling credentials appropriately. The client integration with Credential Manager is code you write, and the server-side verification that makes the flow trustworthy, validating a passkey assertion as the relying party, is implemented on your backend, where the actual authentication decision is enforced.

The Android Credential Manager API

Sign-in on Android used to mean stitching together several APIs: one for passwords, another for Google sign-in, something else for newer passkeys. The Credential Manager API replaces that with a single Jetpack API and a single system sign-in UI that handles passkeys, passwords, and federated sign-in together. The reason it matters for security, not just convenience, is that it makes passkeys, the phishing-resistant, passwordless credential, a first-class option through the same flow, and presents users one consistent account picker backed by their credential providers. Here is what the Credential Manager API is, what it brings together, and how to use it well.

Short answer

The Credential Manager API is a unified Android (Jetpack) API for sign-in that brings passkeys, passwords, and federated sign-in such as Sign in with Google into one interface and one system UI. Per Android, it replaces the older, fragmented sign-in APIs with a single flow for creating and retrieving credentials, and presents users a consistent account selector backed by their installed credential providers. Its security significance is that it makes passkeys, a phishing-resistant, passwordless credential, a first-class option, while still supporting passwords and federated sign-in. As the client-side API, it handles obtaining the credential; your server, the relying party, must still verify the result, especially validating a passkey assertion. Use it to offer modern, phishing-resistant sign-in through one consistent flow.

What you should know

Credential Manager unifies sign-in: passkeys, passwords, and federated, in one API.
It replaces fragmented older APIs: a single flow and system UI.
It makes passkeys first-class: phishing-resistant, passwordless sign-in.
It is the client-side API: your server still verifies the result.
It uses installed credential providers: presenting a consistent account picker.

What is the Credential Manager API?

It is a single API for handling sign-in and credential creation on Android. Historically, supporting different credential types meant integrating separate APIs, one approach for saved passwords, another for federated sign-in like Sign in with Google, and a newer one for passkeys, each with its own flow and UI. Credential Manager consolidates these into one Jetpack API: you call it to create a credential when a user registers, or to get a credential when they sign in, and the system presents a unified UI, a bottom-sheet account selector, that draws on the user's installed credential providers, such as password managers and passkey providers. So instead of the app orchestrating multiple sign-in mechanisms and interfaces, it works through one API and the user gets one coherent experience. Crucially, this single flow includes passkeys alongside passwords and federated sign-in, which is what lets an app adopt modern authentication without building a separate path for it.

What does it bring together?

The main credential types, through one interface. The table lists them.

Credential type	Role
Passkeys	Phishing-resistant, passwordless sign-in (FIDO/WebAuthn)
Passwords	Saved passwords from a credential provider
Federated sign-in	Sign in with Google and similar
Unified system UI	One account selector across these types
Credential providers	Password and passkey managers backing the picker

The headline inclusion is passkeys: built on FIDO and WebAuthn standards, they are passwordless and resistant to phishing because the credential is bound to your site or app and cannot be entered on a look-alike, and Credential Manager makes them available through the same flow as everything else. Passwords are still supported, retrieved from the user's credential provider, so existing password sign-in continues to work. Federated sign-in, such as Sign in with Google, is handled through the same API too. The unified system UI ties these together into one account selector, and the user's installed credential providers, their password and passkey managers, back the choices presented. The practical effect is one integration that offers users whichever credential they have, with passkeys promoted as the strongest option.

How do you use it well?

Adopt it for sign-in, prefer passkeys, and verify on the server. Use Credential Manager as your sign-in and registration path so you support passkeys, passwords, and federated sign-in through one flow rather than maintaining separate integrations, and offer passkey creation so users can move to phishing-resistant, passwordless sign-in. Treat passkeys as the preferred option you encourage, since they remove password reuse and phishing risk, while keeping passwords and federated sign-in for users who need them. Remember that Credential Manager is the client side of authentication: it obtains a credential or a passkey assertion, but your backend, as the relying party, must verify that result, validating a passkey assertion against the registered credential according to the WebAuthn flow, and never treating a client-side success as proof on its own. Handle credential creation and retrieval per the API's flow, and keep your server-side verification rigorous. The principle is that Credential Manager gives you one modern, passkey-capable sign-in flow on the client, while authentication is only as strong as the server-side verification behind it.

What to watch out for

The first trap is treating a client-side sign-in result as proof, when your server must verify the credential or passkey assertion as the relying party. The second is sticking to passwords only and not offering passkeys, missing the phishing-resistant option the API makes available. The third is maintaining the old fragmented sign-in APIs instead of consolidating onto Credential Manager. The client integration is code you write, and a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the compiled APK or AAB against OWASP MASVS, assesses how your app handles authentication and credentials, while the server-side verification that makes the flow trustworthy is yours to implement on the backend.

What to take away

The Credential Manager API is a unified Android sign-in API that brings passkeys, passwords, and federated sign-in into one flow and one system account selector.
It replaces the older fragmented sign-in APIs and makes passkeys, phishing-resistant and passwordless, a first-class option through the same flow.
It is the client-side API: prefer passkeys, keep passwords and federated sign-in for those who need them, and verify the credential or passkey assertion on your server as the relying party.
Use a pre-submission scan such as PTKD.com to assess your app's authentication and credential handling, and implement rigorous server-side verification.