Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.corbado.com/llms.txt

Use this file to discover all available pages before exploring further.

Try Demo

Talk to Adoption Engineer

Whitepaper
For web applications, browsers take your application’s origin and check if it matches or is a subdomain of the RPID. For better understanding the concept of RPID validation, let’s take a look at the following examples:
RPIDOriginStatusExplanation
example.comapp.example.com✓ ValidSubdomain
example.comauth.example.com✓ ValidSubdomain
example.comexample.com✓ ValidExact match
example.comother-example.com✗ InvalidDifferent domain
example.comexample.org✗ InvalidDifferent domain
app.example.comapp.example.com✓ ValidExact match
app.example.comexample.com✗ InvalidDifferent domain
When configuring your RPID in the Corbado Management Console, we recommend using your root domain example.com. Only use a subdomain as RPID if you specifically need to restrict passkey usage to that subdomain.
Strictly speaking, browsers only use the origin’s domain part (e.g. example.com from https://example.com) to validate the RPID. See WebAuthn specification for more details.