RP ID: The Rule That Trips People Up

The RP ID is always a domain name. It never includes scheme or port.
example.com works for https://example.com and https://app.example.com.
app.example.com is narrower and only works for that exact subdomain.
evil.com cannot claim example.com; the browser rejects the request.

rp: { id: "example.com", name: "Example App" }
// later
rpId: "example.com"

Diagram showing RP ID and origin binding for WebAuthn

Why Phishing Resistance Works

1. Browser validation

The browser checks that the RP ID is compatible with the current page origin.
You cannot call WebAuthn on evil.com and pretend to be google.com.

2. Signed origin data

The signed payload includes clientDataJSON.
That data carries the full origin, such as https://example.com.
Your server must verify it.

3. Fresh challenge

Every ceremony uses a new random challenge.
Replaying an old assertion should fail verification.
The result is proof for this site, on this origin, right now.