Relying Party ID (rpId)
In the WebAuthn specification, your application is called a Relying Party — you are relying on the browser and authenticator to verify the user’s identity. The Relying Party ID (rpId) is the domain name that identifies your application and that passkeys are cryptographically bound to.
Because passkeys are bound to a specific rpId, a passkey registered on legit.com cannot be used to authenticate on evil.com. This is a core part of how passkeys resist phishing attacks.
rpId vs browser origin
The browser origin combines the scheme, hostname, and port: https://app.example.com:443. The rpId is just the effective domain component, with no scheme or port: app.example.com.
The WebAuthn specification requires the rpId to be either the page’s exact hostname, or a registrable domain suffix of it. This means:
| Browser origin | Valid rpId values |
|---|---|
| https://app.example.com | app.example.com, example.com |
| https://example.com | example.com |
Your tenancy rpId
Each Passlock tenancy has its own rpId, configured in the Passlock console under your tenancy’s passkey settings. Passlock passes this value to the browser when generating registration and authentication options, so all passkeys created within a tenancy are bound to that tenancy’s rpId.
If you need to accept passkeys from a different domain — for example after a domain migration — see Domain migration.
Development tenancy rules
The Development tenancy has relaxed rpId rules to improve the local development experience.
localhost is always allowed
You can register and authenticate passkeys on http://localhost or https://localhost regardless of what rpId is set in the console. No extra configuration is needed.
rpId inference
If no rpId is configured in the Passlock console for your Development tenancy, Passlock will infer the rpId from the browser’s origin at registration time.
For example, if a user registers a passkey while their browser is on http://staging.mydomain.com, Passlock will use staging.mydomain.com as the rpId for that passkey. This lets you test against any domain without manually updating the console each time.