RPID | Origin | Status | Explanation |
---|---|---|---|
example.com | app.example.com | ✓ Valid | Subdomain |
example.com | auth.example.com | ✓ Valid | Subdomain |
example.com | example.com | ✓ Valid | Exact match |
example.com | other-example.com | ✗ Invalid | Different domain |
example.com | example.org | ✗ Invalid | Different domain |
app.example.com | app.example.com | ✓ Valid | Exact match |
app.example.com | example.com | ✗ Invalid | Different domain |
`example.com`. Only use a subdomain as RPID if you specifically need to restrict passkey usage to that subdomain.
Strictly speaking, browsers only use the origin's domain part (e.g. `example.com` from `https://example.com`) to validate the RPID. See the WebAuthn specification for more details.
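The matching rule behind the table above, written out as an added example (not code from the original page or from any WebAuthn library). The function names are hypothetical, and the additional browser rule that an RPID must not be a public suffix is assumed out of scope. The naive variant is included to show why `other-example.com` has to be rejected on a label boundary.

```javascript
// Added example: RPID-versus-origin check for the rows in the table above.
// Assumption: the public-suffix restriction on RPIDs is out of scope here.

// Extract the lower-cased host from an origin or a bare domain.
function hostOf(origin) {
  const text = origin.includes("://") ? origin : `https://${origin}`;
  try {
    return new URL(text).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Valid when the host equals the RPID or is a subdomain of it.
// The leading "." forces the match onto a DNS label boundary.
function rpIdMatchesOrigin(rpId, origin) {
  const host = hostOf(origin);
  const id = String(rpId).toLowerCase();
  if (!host || !id) return false;
  return host === id || host.endsWith(`.${id}`);
}

// Naive suffix check, shown only for contrast: it ignores label boundaries.
function naiveSuffixMatch(rpId, origin) {
  const host = hostOf(origin);
  return host !== null && host.endsWith(String(rpId).toLowerCase());
}

// Rows copied from the table: [RPID, origin, expected validity].
const TABLE_ROWS = [
  ["example.com", "app.example.com", true],
  ["example.com", "auth.example.com", true],
  ["example.com", "example.com", true],
  ["example.com", "other-example.com", false],
  ["example.com", "example.org", false],
  ["app.example.com", "app.example.com", true],
  ["app.example.com", "example.com", false],
];

// Evaluate every row with both checks so the difference is visible.
function checkTable() {
  return TABLE_ROWS.map(([rpId, origin, expected]) => ({
    rpId, origin, expected,
    actual: rpIdMatchesOrigin(rpId, origin),
    naive: naiveSuffixMatch(rpId, origin),
  }));
}

console.table(checkTable());
```

The same check is useful on the server when validating a configured RPID against the list of origins that will call the WebAuthn API.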