Skip to main content
Version: 1.0.0

RPID and Allowed Origins

What is RPID?

The Relying Party ID (RPID) represents the allowed domain where your passkeys are permitted to function. When creating or authenticating with a passkey, the RPID is compared to the current URL of the browser. If there is a mismatch, an exception is thrown, halting the authentication process.

The following JSON payload is an example of what can be received from LoginID:

{
"rp": {
"name": "LoginID Dashboard",
"id": "loginid.io"
},
"user": {
"id": "eFqlnnp7jra76YoRTod7KA",
"displayName": "johnny@loginid.io",
"name": "johnny@loginid.io"
},
"challenge": "jidrZ1NFFPX_Q84OZ0sG3sd_asUwooueQzg9Bdd4LZY",
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
}
],
"timeout": 60000,
"authenticatorSelection": {
"requireResidentKey": true,
"residentKey": "required",
"userVerification": "required"
},
"attestation": "none",
"extensions": {},
"session_id": "Ri9nZ-6L4NNWmn_uVRnIwg"
}

This payload is received in the browser, and the RPID here is loginid.io. If an attempt is made to authenticate with a passkey on https://example.com, the process would fail due to the RPID and domain mismatch. The only allowed domains that can accept this RPID are:

What are Allowed Origins?

Allowed origins are a security measure to ensure that authentication requests are only accepted from trusted and specified origins. This helps protect user passkeys and ensures that sensitive authentication processes occur in a secure and controlled environment.

If you do not specify an allowed origin, LoginID will default it based on the entered RPID value (https:// + {{RPID Value}}). Explicitly specifying allowed origins is only necessary when dealing with subdomains and port numbers.

Choosing Your RPID Value and Allowed Origins

When configuring your tenant settings, you'll encounter various scenarios for entering the RPID and Allowed Origins. Here are some common cases. It's important to note that you need to be careful when choosing an RPID value for your tenant in production. Once assigned, it cannot be changed.

For example, if your RPID is set to loginid.io and your application is running on https://auth.loginid.io and https://login.loginid.io, you would need to specify both origins: https://auth.loginid.io and https://login.loginid.io.

Single Root Domains

If your application is hosted on a single root domain, you can use the domain as the RPID value. Here are some practical examples.

Website URLRPID ValueAllowed Origin
https://example.comexample.comhttps://example.com
https://example.caexample.cahttps://example.ca
https://auth.example.caauth.example.cahttps://auth.example.com

The Allowed Origins will always default to https:// + {{RPID Value}} if not entered.

Subdomains

If you are working with multiple subdomains and want passkeys to work under all of them, enter the RPID value as follows:

Website URLRPID ValueAllowed Origin
https://auth.example.comexample.comhttps://auth.example.com
https://login.example.comexample.comhttps://login.example.com
https://sub.auth.example.comexample.comhttps://sub.auth.example.com

By entering the value as example.com, your passkeys will work under all the associated domains above. You also need to enter all allowed origins.

localhost

You can also work with a localhost test environment. The RPID value will always be localhost. The allowed origin is important in this case, and the URL should contain the port number as well (if applicable).

Website URLRPID ValueAllowed Origin
http://localhost:3000localhosthttp://localhost:3000
http://localhostlocalhosthttp://localhost

During our tests, we observed that the localhost environment does not work with a subdomain setup on its own. If you want to work with subdomains, you'll need a self-signed certificate in your local setup with your server and switch over to HTTPS.