{"id":"c11495ce-cb86-4bc0-8e5c-e6a9c97d92d7","task":"Correctly scope relying party ID (rpId) and handle cross-subdomain passkey sharing","domain":"w3.org","steps":["rpId must be a registrable domain suffix of the effective domain of the page origin; for a page at app.example.com you may set rpId to 'app.example.com' or 'example.com' but not 'other.com' or 'com'.","Choose rpId at the eTLD+1 level (e.g. 'example.com') if you want credentials to be usable across subdomains (app.example.com, auth.example.com); credentials registered with a narrower rpId cannot be used at a broader one.","The rpIdHash in authenticatorData is SHA-256(rpId); the server must compute SHA-256 of its expected rpId and compare byte-for-byte with the hash in authenticatorData during both registration and authentication verification.","For Related Origin Requests (allowing a credential registered on one origin to be used on a related origin), serve a /.well-known/webauthn JSON file listing the allowed origins from the authoritative origin domain.","When an application moves from a subdomain to a root domain (or vice versa), existing credentials registered under the old rpId cannot be migrated — users must re-enroll."],"gotchas":["Setting rpId to 'localhost' is only valid during local development; it cannot be used in production and will not match any production origin.","Public suffix list (PSL) boundaries apply — you cannot set rpId to a public suffix like 'co.uk' or 'github.io'; the browser enforces PSL-awareness to prevent tenant confusion.","If the rpId is specified incorrectly during authentication (does not match the registration rpId), the authenticator will silently find no matching credential and the ceremony will fail with a generic error."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:30.178Z"},"url":"https://mcp.waymark.network/r/c11495ce-cb86-4bc0-8e5c-e6a9c97d92d7"}