Passkey RP ID Debugger

Find the WebAuthn RP ID and origin issues that break passkey login before launch, all in your browser

Analysis runs entirely in your browser. The pasted WebAuthn options, page origin, RP IDs, usernames, display names, domains, and error text are not uploaded, logged, or stored, and no passkey ceremony is run. This flags likely RP ID and origin setup issues before launch; it is a review aid that checks the configuration shape, not the live ceremony.

Paste your WebAuthn options and the page origin above, then select Diagnose passkey RP ID to see the RP ID and origin issues most likely to break a passkey ceremony, with the RP-ID-versus-origin and secure-context checks first.

About the passkey RP ID debugger

The passkey RP ID debugger turns a pasted WebAuthn options object into a short report of the relying-party-ID and origin issues most likely to break a passkey ceremony before it reaches the authenticator. It reads the PublicKeyCredential options you pass to navigator.credentials.create or navigator.credentials.get (raw or wrapped in a publicKey object), pulls out the RP ID, and checks it against the page origin you provide: whether the RP ID is equal to or a registrable parent suffix of the origin host, whether the RP ID is a public suffix or an IP address, whether the RP ID looks like a URL instead of a bare domain, whether the origin is a secure context, and whether the RP ID is missing. The issues most likely to fail are listed first.

Paste your options and origin, then select Diagnose passkey RP ID. A sample whose RP ID does not align with the origin is loaded so you can see the findings right away, and an optional error box lets you paste the browser message you saw so the report can corroborate it. Everything runs in your browser. The pasted options, origin, RP IDs, usernames, display names, domains, and error text are never uploaded or stored, and no passkey ceremony is run. Download a findings CSV for the full report or copy a markdown diagnosis card to paste into a pull request, a ticket, or a runbook.

How to use

  1. Paste your WebAuthn options into the first box. A sample is loaded so you can see how it works.
  2. Use the object you pass to navigator.credentials.create or .get, raw or wrapped in { publicKey: ... }.
  3. Enter the page origin the ceremony runs on, for example https://login.example.com.
  4. Optionally paste the browser error text you saw so the report can corroborate it.
  5. Select Diagnose passkey RP ID to read the RP ID, run the registrable-suffix and secure-context checks, and apply the rule set.
  6. Read the summary and the findings table. The highest-severity issues are listed first, critical before high and medium.
  7. Select Download findings CSV for the full report, or Copy diagnosis card to paste a markdown summary into a pull request or runbook.

Worked examples

An RP ID that is not a suffix of the origin flags a critical mismatch

When the RP ID is neither equal to nor a registrable parent suffix of the origin host, the browser rejects the ceremony with a SecurityError, so the mismatch is reported as critical.

A non-HTTPS origin flags an insecure context

WebAuthn only runs over HTTPS or on a localhost loopback, so a plain http origin is reported as a critical insecure-context issue.

An RP ID set to a public suffix is rejected

An RP ID of com or co.uk is a public suffix that a passkey cannot be scoped to, so it is flagged as critical with a suggestion to use the registrable domain instead.
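The three cases above, plus the URL-shaped, IP-address and missing RP ID checks, written out as an added JavaScript example; this is not the tool's own code. The function names, finding codes, the tiny sample suffix set and the severities given to the IP, URL and missing-RP-ID findings are assumptions made for illustration.

```javascript
// Constructed sample only: a real check needs the full Public Suffix List.
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk"]);
const RANK = { critical: 0, high: 1, medium: 2 };

// Accept the raw options object or the { publicKey: ... } wrapper;
// rp.id is used for creation options, rpId for request options.
function extractRpId(options) {
  const pk = options && options.publicKey ? options.publicKey : options;
  if (!pk || typeof pk !== "object") return undefined;
  return pk.rp && pk.rp.id !== undefined ? pk.rp.id : pk.rpId;
}

function diagnoseRpId(optionsJson, pageOrigin) {
  let options, origin;
  // Fail closed: malformed input becomes a finding, never an exception.
  try {
    options = JSON.parse(optionsJson);
    origin = new URL(pageOrigin);
  } catch {
    return [{ severity: "critical", code: "input-unparseable" }];
  }
  const findings = [];
  const add = (severity, code) => findings.push({ severity, code });
  const host = origin.hostname.toLowerCase();

  // Secure context: HTTPS, or plain HTTP only on a localhost loopback.
  const loopback = host === "localhost" || host.endsWith(".localhost");
  if (origin.protocol !== "https:" && !(origin.protocol === "http:" && loopback)) {
    add("critical", "insecure-context");
  }

  const raw = extractRpId(options);
  if (typeof raw !== "string" || raw === "") {
    add("medium", "rp-id-missing"); // severity is an assumption
  } else {
    const id = raw.toLowerCase();
    const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(id) || /^\[?[0-9a-f]*:[0-9a-f:.]*\]?$/.test(id);
    if (isIp) add("high", "rp-id-is-ip-address"); // severity is an assumption
    else if (/[/:@?#]/.test(id)) add("high", "rp-id-looks-like-url"); // assumption
    else {
      if (SAMPLE_PUBLIC_SUFFIXES.has(id)) add("critical", "rp-id-is-public-suffix");
      // Valid only if equal to the host or a dot-bounded parent suffix of it.
      if (host !== id && !host.endsWith("." + id)) add("critical", "rp-id-origin-mismatch");
    }
  }
  // Highest severity first, matching the report order described on this page.
  return findings.sort((a, b) => RANK[a.severity] - RANK[b.severity]);
}
```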

Frequently asked questions

What does the passkey RP ID debugger check for?
It checks whether your WebAuthn relying-party configuration has the issues most likely to break a passkey ceremony. It reads the RP ID from your PublicKeyCredential options (rp.id for creation, rpId for a request) and checks it against the page origin: whether the RP ID is equal to or a registrable parent suffix of the origin host, whether the RP ID is a public suffix or an IP address, whether it looks like a URL instead of a bare domain, whether the RP ID is missing, and whether the origin is a secure context. It also adds informational notes for conditional-UI autocomplete and the cross-origin Permissions-Policy. The highest-severity issues are listed first.
Does it run a passkey ceremony or call my authenticator?
No. It never calls navigator.credentials.create or navigator.credentials.get and it does not contact a server. It reads the structure of your options object and applies fixed rules. It is a review aid that surfaces likely configuration gaps; it does not guarantee that an options object it reports as clean will succeed at runtime, because the live result also depends on the authenticator, the stored credentials, and the user gesture.
What is an RP ID and why must it match the origin?
The relying party ID (RP ID) is the domain a passkey is scoped to. The browser requires the RP ID to be equal to the page origin's effective domain or a registrable parent suffix of it: example.com is valid for login.example.com, but auth.example.com is not valid for login.example.com because it is a sibling subdomain, not a parent. A mismatch is the most common reason a passkey ceremony fails with a SecurityError, which is why the card lists it first.
Which options formats does it accept?
JSON for either ceremony: the creation options (with rp, user, challenge, and pubKeyCredParams) and the request options (with rpId and allowCredentials). You can paste the raw options object or the wrapper form, { publicKey: { ... } }, that you pass to the credentials API. Malformed input fails closed: the tool reports that the options could not be parsed rather than throwing. Large pastes are bounded so one parse cannot freeze the tab.
Is my options object or error text uploaded anywhere?
No. Parsing, the rule checks, and the export all run in your browser. The pasted options, origin, RP IDs, usernames, display names, domains, and error text are never sent to a server or saved. Analytics records only a coarse finding-count band, the highest severity, and a boolean for whether an RP-ID mismatch was found, never the pasted content. Download the findings CSV or copy the diagnosis card before you close the tab.
Can I keep a record of the diagnosis?
Yes. Download findings CSV gives you a spreadsheet-ready file with one row per finding, and any cell that could be read as a spreadsheet formula is escaped so the export is safe to open. Copy diagnosis card gives you a markdown summary, highest severity first, that you can paste into a pull request, a ticket, or a runbook.
