Skip to main content

Using passkeys across multiple domains

Passkeys are a specific implementation of a FIDO2 authenticator. Passkeys are normally tied to a specific website, which means that a single passkey cannot be used across related websites. The Related Origin Requests (ROR) feature solves this problem by allowing websites to specify origins that are allowed to use their relying party ID. This means, that if you host your web application on multiple branded or country-specific domains, you can allow your users to reuse the same passkey when moving between specified domains.

To use this feature, only a few server-side configurations are required:

  • Host a JSON file named webauthn in the Relying Party IDs well-known path /.well-known/webauthn.
  • Ensure the content-type of the response is application/json.
  • The JSON document must have a member named origins, containing an array of valid origins for use with passkeys scoped for the RP ID.
example
{
  "origins": [
    "https://muvonda.ch",
    "https://muvonda.com",
    "https://myotherservice.co"
  ]
}
info

For more information about configuring Related Origin Requests for your web application, see passkeys.dev.