RPID Configuration
Web Application RPID Configuration
Learn how to configure and validate RPID settings for web applications, with practical examples and best practices.
For web applications, browsers take your application’s origin and check if it matches or is a subdomain of the RPID. For better understanding the concept of RPID validation, let’s take a look at the following examples:
When configuring your RPID in the Corbado Management Console, we recommend using your root domain
| RPID | Origin | Status | Explanation |
|---|---|---|---|
example.com | app.example.com | ✓ Valid | Subdomain |
example.com | auth.example.com | ✓ Valid | Subdomain |
example.com | example.com | ✓ Valid | Exact match |
example.com | other-example.com | ✗ Invalid | Different domain |
example.com | example.org | ✗ Invalid | Different domain |
app.example.com | app.example.com | ✓ Valid | Exact match |
app.example.com | example.com | ✗ Invalid | Different domain |
example.com. Only use a subdomain as RPID if you specifically need to restrict passkey usage to that subdomain.
Strictly speaking, browsers only use the origin’s domain part (e.g.
example.com from https://example.com) to validate the RPID. See WebAuthn specification for more details.