`localhost` Is Special

What works in local development

rp: { id: "localhost", name: "My Dev App" }

Why this matters

localhost is treated as a secure context even without TLS.
Ports are ignored for RP ID identity.
A credential created on :3000 can work on :8000.
This is convenient for dev, but those credentials are not portable to production domains.

Localhost Gotcha: Too Many Dev Passkeys

What goes wrong

Practical ways to handle it

Prefer account-first login in local development when the picker gets noisy.
Periodically delete stale localhost passkeys from your device.
Use separate local hostnames when you need cleaner isolation.
Expect localhost to be convenient for dev, but imperfect when many apps coexist.