
Clarify whether RP ID's matching origin should be included in ROR origins entry #456

@Kieun


Issue with existing content

Link to content

https://passkeys.dev/docs/advanced/related-origins/

What is the issue?

The documentation examples show the RP ID's matching origin included in the origins array of the /.well-known/webauthn JSON document, which may cause confusion about whether this is required or recommended.

For example, when RP ID is shopping.com, the examples include "https://shopping.com" in the origins array:

{
  "origins": [
    "https://shopping.com",
    "https://shopping.co.uk",
    "https://shopping.co.jp",
    ...
  ]
}

Since https://shopping.com is already the valid origin for RP ID shopping.com through standard WebAuthn without ROR, it's unclear whether:

  1. Including the matching origin is required by the specification
  2. It's optional but recommended for consistency
  3. It's simply redundant but harmless
  4. It should be excluded as it's already implicitly valid

Proposed changes

The documentation should explicitly clarify whether the RP ID's matching origin should be included in the origins array or not. Suggested additions:

Any other notes

This affects implementers who need to decide how to construct their origins array and may be confused by seeing what appears to be redundant information in the examples without explanation.
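
An added illustration (not part of the issue or of passkeys.dev) of the order of checks a client performs, simplified from the WebAuthn Level 3 related origins validation procedure: the standard RP ID check runs first, and the `origins` list is consulted only when that check fails. The tiny suffix list, the function names and the sample document are assumptions constructed for this example.

```javascript
// Constructed stand-in for the Public Suffix List; a real client uses the full list.
const PUBLIC_SUFFIXES = ["co.uk", "co.jp", "com"];
const MAX_LABELS = 5; // label limit set by client policy; the spec sets a floor of 5

// First label of the registrable domain, e.g. "shopping" for www.shopping.co.uk.
function registrableLabel(host) {
  const suffix = PUBLIC_SUFFIXES.find((s) => host.endsWith("." + s));
  if (!suffix) return null;
  return host.slice(0, -(suffix.length + 1)).split(".").pop() || null;
}

// List check, run on the already fetched and parsed /.well-known/webauthn document.
function relatedOriginsAllow(callerOrigin, wellKnownDoc) {
  if (!wellKnownDoc || !Array.isArray(wellKnownDoc.origins)) return false;
  const labelsSeen = new Set();
  for (const item of wellKnownDoc.origins) {
    let url;
    try { url = new URL(item); } catch { continue; } // skip unparsable entries
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // Entries that would introduce a label beyond the limit are ignored.
    if (labelsSeen.size >= MAX_LABELS && !labelsSeen.has(label)) continue;
    if (url.origin === callerOrigin) return true;
    if (labelsSeen.size < MAX_LABELS) labelsSeen.add(label);
  }
  return false;
}

// Reports which path accepts the origin: "rp-id", "related-origins", or null.
function originAcceptedBy(callerOrigin, rpId, wellKnownDoc) {
  const host = new URL(callerOrigin).hostname;
  // Standard check (simplified): the RP ID equals the host or is a parent domain of it.
  if (host === rpId || host.endsWith("." + rpId)) return "rp-id";
  return relatedOriginsAllow(callerOrigin, wellKnownDoc) ? "related-origins" : null;
}

// Constructed sample, modelled on the document quoted in the issue.
const SAMPLE_DOC = {
  origins: ["https://shopping.com", "https://shopping.co.uk", "https://shopping.co.jp"],
};
console.log(originAcceptedBy("https://shopping.com", "shopping.com", { origins: [] }));
console.log(originAcceptedBy("https://shopping.co.uk", "shopping.com", SAMPLE_DOC));
```

The simplified RP ID check omits the secure-context and public-suffix conditions a real client also applies.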
