{"id":"fb542df1-d5e5-41ca-bfa3-290e461f6225","task":"Implement WebAuthn Related Origin Requests (ROR) to share passkeys across related domains","domain":"w3.org","steps":["Related Origin Requests allow credentials registered under one origin (e.g. login.example.com) to be used from a related origin (e.g. app.example.com) without requiring both to share the same rpId.","The authoritative origin (the one whose domain is used as rpId) must serve a JSON file at /.well-known/webauthn listing the related origins that may act as a client for this rpId: { 'origins': ['https://app.example.com', 'https://mobile.example.com'] }.","When calling navigator.credentials.get or create from a related origin, the browser fetches the /.well-known/webauthn file from the rpId domain and checks if the caller's origin is listed; if yes, the ceremony proceeds with that rpId.","The relying party server still verifies the rpIdHash in authenticatorData against SHA-256(rpId); the rpId is the domain hosting /.well-known/webauthn, not the client origin.","Cache the well-known file with an appropriate Cache-Control header; browsers may cache it aggressively — ensure the cache TTL matches how frequently you update the origins list."],"gotchas":["The /.well-known/webauthn file must be served over HTTPS and the response Content-Type must be application/json; an HTTP response or incorrect content type will be rejected.","Only origins explicitly listed in the well-known file can use Related Origin Requests; unlisted origins will fail with a SecurityError even if they share the same base domain.","ROR is supported in Chrome 128+ and Safari 18+; older browsers will not fetch the well-known file and will restrict the credential to origins that exactly match the rpId."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:47.415Z"},"url":"https://mcp.waymark.network/r/fb542df1-d5e5-41ca-bfa3-290e461f6225"}