Relying Party ID (rpId)

In the WebAuthn specification, your application is called a Relying Party — you are relying on the browser and authenticator to verify the user’s identity. The Relying Party ID (rpId) is the domain name that identifies your application and that passkeys are cryptographically bound to.

Because passkeys are bound to a specific rpId, a passkey registered on legit.com cannot be used to authenticate on evil.com. This is a core part of how passkeys resist phishing attacks.

The browser origin combines the scheme, hostname, and port: https://app.example.com:443. The rpId is just the effective domain component, with no scheme or port: app.example.com.

The WebAuthn specification requires the rpId to be either the page’s exact hostname, or a registrable domain suffix of it. This means:

| Browser origin | Valid rpId values |
| --- | --- |
| https://app.example.com | app.example.com, example.com |
| https://example.com | example.com |
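
The rule above, written as a check you could run on a configured value before deploying it. This is an added example, not Passlock's code or part of the original page; `checkRpId` and the short `SAMPLE_PUBLIC_SUFFIXES` set are hypothetical, and a real check would consult the full Public Suffix List that browsers use to decide what counts as a registrable domain.

```javascript
// Constructed sample of public suffixes (assumption). Browsers use the full
// Public Suffix List to decide what a "registrable domain" is.
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Returns { valid, reason } for a candidate rpId against a page origin.
function checkRpId(origin, rpId) {
  const host = new URL(origin).hostname.toLowerCase();
  const id = String(rpId).toLowerCase();

  // An rpId is a bare domain: no scheme, port, path or trailing dot.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(id)) {
    return { valid: false, reason: "rpId must be a bare domain name" };
  }
  // Case 1: the page's exact hostname.
  if (id === host) {
    return { valid: true, reason: "exact hostname" };
  }
  // Case 2: a suffix of the hostname, matched on a label boundary only,
  // so "example.com" never matches "evilexample.com".
  if (!host.endsWith("." + id)) {
    return { valid: false, reason: "rpId is not a suffix of the hostname" };
  }
  // A bare public suffix ("com", "co.uk") is not a registrable domain.
  if (SAMPLE_PUBLIC_SUFFIXES.has(id)) {
    return { valid: false, reason: "rpId is a public suffix" };
  }
  return { valid: true, reason: "registrable domain suffix" };
}

// Constructed inputs: the page's own examples plus the failure cases.
const samples = [
  ["https://app.example.com:443", "app.example.com"],
  ["https://app.example.com", "example.com"],
  ["https://example.com", "app.example.com"],
  ["https://evil.com", "legit.com"],
  ["https://evilexample.com", "example.com"],
  ["https://app.example.com", "com"],
  ["https://app.example.com", "https://example.com"],
];
for (const [origin, rpId] of samples) {
  const { valid, reason } = checkRpId(origin, rpId);
  console.log(`${origin}  rpId=${rpId}  ${valid ? "OK" : "REJECT"} (${reason})`);
}
```
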

Each Passlock tenancy has its own rpId, configured in the Passlock console under your tenancy’s passkey settings. Passlock passes this value to the browser when generating registration and authentication options, so all passkeys created within a tenancy are bound to that tenancy’s rpId.

[Image: Passlock tenancy settings]

If you need to accept passkeys from a different domain — for example after a domain migration — see Domain migration.

The Development tenancy has relaxed rpId rules to improve the local development experience.

You can register and authenticate passkeys on http://localhost or https://localhost regardless of what rpId is set in the console. No extra configuration is needed.

If no rpId is configured in the Passlock console for your Development tenancy, Passlock will infer the rpId from the browser’s origin at registration time.

For example, if a user registers a passkey while their browser is on http://staging.mydomain.com, Passlock will use staging.mydomain.com as the rpId for that passkey. This lets you test against any domain without manually updating the console each time.