Localhost Gotcha: Too Many Dev Passkeys

What goes wrong

If you develop multiple apps on localhost, they all share the same RP ID.
You can accumulate multiple resident credentials bound to localhost.
A passkey-first flow may show several choices with weak app-level distinction.
The OS picker cannot always infer which local app you meant.

Practical ways to handle it

Prefer account-first login in local development when the picker gets noisy.
Periodically delete stale localhost passkeys from your device.
Use separate local hostnames when you need cleaner isolation.
Expect localhost to be convenient for dev, but imperfect when many apps coexist.

What The Server Must Verify And Store

Verification and storage

type RegistrationVerification = {
  challenge: string;
  origin: string;
  rpId: string;
  credentialId: Uint8Array;
  publicKey: Uint8Array;
  signCount: number;
};

Verify the challenge matches what you issued.
Verify the origin matches your allowed origins.
Verify the rpId matches your configured site identity.

What you keep for later

credentialId so you can look up the right passkey later
publicKey for verifying future assertions
signCount as a cloned-key warning signal

If the signature counter goes backwards or stops behaving as expected, treat it as suspicious and trigger extra review or recovery.