Web Application RPID Configuration

For web applications, browsers take your application’s origin and check if it matches or is a subdomain of the RPID. For better understanding the concept of RPID validation, let’s take a look at the following examples:

RPID	Origin	Status	Explanation
`example.com`	app.example.com	✓ Valid	Subdomain
`example.com`	auth.example.com	✓ Valid	Subdomain
`example.com`	example.com	✓ Valid	Exact match
`example.com`	other-example.com	✗ Invalid	Different domain
`example.com`	example.org	✗ Invalid	Different domain
`app.example.com`	app.example.com	✓ Valid	Exact match
`app.example.com`	example.com	✗ Invalid	Different domain

When configuring your RPID in the Corbado Management Console, we recommend using your root domain example.com. Only use a subdomain as RPID if you specifically need to restrict passkey usage to that subdomain.

Strictly speaking, browsers only use the origin’s domain part (e.g. example.com from https://example.com) to validate the RPID. See WebAuthn specification for more details.

Overview Native/Mobile Application

⌘I

Overview

Flows

Architecture

Web UI Components

Integration

Features

Concepts

Helpful Guides

Security & Compliance

Web Application RPID Configuration