Relying Party Identifier
RP-ID.
The WebAuthn identifier (typically a registrable domain) that scopes a passkey credential to a specific origin, the most-misconfigured field in passkey deployments.
RP-ID changes are one-way doors: passkeys registered under one RP-ID stop working when the RP-ID changes. Plan the RP-ID at deployment time, default to the apex domain, and only narrow the scope when a specific architectural reason justifies it.
Common questions
What should I set RP-ID to?
Can I change RP-ID after deployment?
Why don't my passkeys work across subdomains?
Related terms
In the guides
Passwordless Authentication: A 2026 Practitioner's Guide
How passkeys, magic links, and biometrics replace passwords in CIAM, with implementation patterns, adoption data, and vendor support.
WebAuthn Explained: How Passkeys Work Under the Hood
WebAuthn is the W3C browser API that powers passkeys. A practical explanation of registration, assertion, RP-IDs, attestation, and the architecture choices that determine adoption.