Choose a primary RP ID (e.g. example.com) that all related origins will share; the RP ID must be a registrable domain suffix of all participating origins
Serve a JSON file at https://{rpId}/.well-known/webauthn containing {"origins": ["https://app.example.com", "https://checkout.example.com"]} listing all related origins
Ensure the JSON is served with Content-Type: application/json and is accessible without redirects; the file is fetched by the browser at registration and authentication time
In your WebAuthn calls on each related origin, set rpId explicitly to the primary RP ID rather than letting the browser default to the current origin
Test across Chrome (supported from v129) and Safari (supported); note Firefox support was still in progress as of early 2026
Validate that the origin making the WebAuthn call is listed in the .well-known/webauthn file to avoid silent failures
Known gotchas
The .well-known/webauthn file is fetched by the browser, not the server — CORS headers are not required for it, but it must return HTTP 200 with valid JSON
The number of origins you can list in the JSON array is platform-defined: the spec does not define a hard cap, but browser implementations may enforce limits, so keep the list minimal
ROR does not work across registrable domain boundaries: example.com and different-example.com cannot share passkeys via this mechanism regardless of the well-known file
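The serving and listing rules above (HTTP 200, no redirect, application/json, valid JSON, calling origin listed) can be checked before deployment. This is an added example, not code from the original page; the function name and the shape of the res object are assumptions, and the sample responses are constructed.

```javascript
// Added example: checks a /.well-known/webauthn response against the rules above.
// The `res` object shape and the function name are hypothetical; the sample
// responses below are constructed so the check runs offline.
function checkWellKnown(res, callerOrigin) {
  const problems = [];
  if (res.redirected) problems.push("served via a redirect");
  if (res.status !== 200) problems.push(`HTTP ${res.status}, expected 200`);
  // Media type only; parameters such as charset are ignored by this check.
  const type = (res.contentType || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") {
    problems.push(`Content-Type is ${type || "missing"}, expected application/json`);
  }
  let doc;
  try {
    doc = JSON.parse(res.body);
  } catch {
    problems.push("body is not valid JSON");
    return problems;
  }
  if (doc === null || typeof doc !== "object" || !Array.isArray(doc.origins)) {
    problems.push('no "origins" array');
    return problems;
  }
  // Compare serialized origins so a trailing slash or explicit :443 in the
  // file does not produce a false mismatch.
  const listed = new Set();
  for (const entry of doc.origins) {
    try {
      listed.add(new URL(entry).origin);
    } catch {
      problems.push(`unparseable origin entry: ${String(entry)}`);
    }
  }
  if (!listed.has(new URL(callerOrigin).origin)) {
    problems.push(`${callerOrigin} is not listed`);
  }
  return problems;
}

// Constructed sample responses.
const good = { status: 200, redirected: false, contentType: "application/json; charset=utf-8",
  body: '{"origins": ["https://app.example.com", "https://checkout.example.com"]}' };
const bad = { status: 200, redirected: true, contentType: "text/html",
  body: '{"origins": ["https://app.example.com/"]}' };
console.log(checkWellKnown(good, "https://checkout.example.com"));
console.log(checkWellKnown(bad, "https://checkout.example.com"));
```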