diff --git a/README-service.md b/README-service.md
index afdd1248..9144bd01 100644
--- a/README-service.md
+++ b/README-service.md
@@ -361,7 +361,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
-`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp`, `passkey` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py
index 1e270b5e..7d6b1992 100644
--- a/plugins/modules/ipaservice.py
+++ b/plugins/modules/ipaservice.py
@@ -74,7 +74,7 @@ options:
 type: list
 elements: str
 required: false
- choices: ["otp", "radius", "pkinit", "hardened", "idp", ""]
+ choices: ["otp", "radius", "pkinit", "hardened", "idp", "passkey", ""]
 aliases: ["krbprincipalauthind"]
 skip_host_check:
 description: Skip checking if host object exists.
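Review bot: The auth_ind choices list is now maintained by hand in three places — this DOCUMENTATION block, the second copy at @@ -192 and the argument spec at @@ -560 — and this commit had to touch all three to add one value. A module-level constant such as `AUTH_IND_CHOICES = ["otp", "radius", "pkinit", "hardened", "idp", "passkey", ""]` referenced from `init_ansible_module()` would leave only the two docstring copies to keep in sync. The option's `description:` line sits above this hunk; since the new test expects a `'passkey' is not supported` failure on older servers, it would help to state there that `passkey` is accepted only when the IPA server supports it, as the README row in the previous hunk already implies for the whole list.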
@@ -192,7 +192,7 @@ options:
 type: list
 elements: str
 required: false
- choices: ["otp", "radius", "pkinit", "hardened", "idp", ""]
+ choices: ["otp", "radius", "pkinit", "hardened", "idp", "passkey", ""]
 aliases: ["krbprincipalauthind"]
 skip_host_check:
 description: Skip checking if host object exists.
@@ -560,7 +560,7 @@ def init_ansible_module():
 auth_ind=dict(type="list", elements="str", aliases=["krbprincipalauthind"], choices=["otp", "radius", "pkinit", "hardened", "idp",
- ""]),
+ "passkey", ""]),
 skip_host_check=dict(type="bool"),
 force=dict(type="bool"),
 requires_pre_auth=dict(
diff --git a/tests/service/test_service_empty_string_params.yml b/tests/service/test_service_empty_string_params.yml
index 1831e496..1d7af6ec 100644
--- a/tests/service/test_service_empty_string_params.yml
+++ b/tests/service/test_service_empty_string_params.yml
@@ -5,6 +5,8 @@
 gather_facts: yes
 tasks:
+ - name: Include tasks ../env_freeipa_facts.yml
+ ansible.builtin.include_tasks: ../env_freeipa_facts.yml
 # CLEANUP TEST ITEMS
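Review bot: Adding `"passkey"` to the `choices` of the argument spec in `init_ansible_module()` only lets the value through Ansible's argument validation; the server-side support check that the new test in tests/service/test_service_empty_string_params.yml relies on (`'passkey' is not supported` in `result.msg` when `passkey_is_supported` is false) is not part of this diff. Presumably the module already validates each auth_ind value against what the connected server supports, as the README row in the first hunk describes, but from the hunk alone it cannot be seen whether that check knows about `passkey` or only the older indicators; if it does not, the unsupported-server branch of the test will fail on a generic server error rather than the expected message. A one-line comment next to the spec, e.g. `# server support for each indicator is checked at runtime, not here`, would make the split responsibility explicit. init_ansible_module() starts before and continues after this hunk.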
@@ -83,6 +85,37 @@
 register: result
 failed_when: result.changed or result.failed
+ - name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with auth_ind passkey
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "test-service/{{ ansible_facts['fqdn'] }}"
+ auth_ind:
+ - passkey
+ register: result
+ failed_when: not result.changed or result.failed
+ when: passkey_is_supported
+
+ - name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with auth_ind passkey, again
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "test-service/{{ ansible_facts['fqdn'] }}"
+ auth_ind:
+ - passkey
+ register: result
+ failed_when: result.changed or result.failed
+ when: passkey_is_supported
+
+ - name: Check if correct message is given if passkey is not supported.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ name: "test-service/{{ ansible_facts['fqdn'] }}"
+ auth_ind:
+ - passkey
+ register: result
+ failed_when: not result.failed or "'passkey' is not supported" not in result.msg
+ when: not passkey_is_supported
+
 - name: Ensure service "test-service/{{ ansible_facts['fqdn'] }}" is present with empty auth_ind
 ipaservice:
 ipaadmin_password: SomeADMINpassword
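Review bot: The third task passes `ipaapi_context: "{{ ipa_context | default(omit) }}"` while the two passkey tasks before it in this hunk do not, so the positive and negative cases do not run under the same API context; either drop that line or add it to the first two tasks so the comparison is like for like. The negative task's `failed_when` keys on a hard-coded substring of `result.msg`, which is acceptable for a message check but deserves a comment such as `# expected wording of the module's auth_ind support error — update together with ipaservice.py` so the coupling is visible when the message changes. `passkey_is_supported` is presumably set by the `../env_freeipa_facts.yml` include added in the previous hunk; that file is not in the diff, so confirm it defines the fact on every supported IPA version, otherwise the `when:` conditions error out on an undefined variable. The enclosing play starts and ends outside this hunk.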