The Relying Party

aka the application you are interacting with

The Relying Party (or rp) is the application that asks the user to interact with the authenticator.

The library provides a simple class to handle the rp information: Webauthn\PublicKeyCredentialRpEntity.

use Webauthn\PublicKeyCredentialRpEntity;
$rpEntity = new PublicKeyCredentialRpEntity(
    'ACME Webauthn Server' // The application name
);

This $rpEntity object will be useful for the next steps.

Relying Party ID

In the example above, we created a simple relying party object with its name. The relying party may also have an ID that corresponds to the domain applicable for that rp. By default, the relying party ID is null, i.e. the current domain will be used.

It may be useful to specify the rp ID, especially if your application has several sub-domains. The rp ID can be set when creating the object, as the second constructor parameter.

use Webauthn\PublicKeyCredentialRpEntity;
$rpEntity = new PublicKeyCredentialRpEntity(
    'ACME Webauthn Server', // The application name
    '' // The application ID = the domain
);

Even if it is optional, we highly recommend setting the application ID.

The rp ID shall be the domain of the application without the scheme, userinfo, port, path, user…. IP addresses are not allowed either.


Not allowed:

  •,,, https://user:[email protected].

  • or [2001:db8:85a3:8d3:1319:8a2e:370:7348]

The domain localhost can be used if the browser considers the context safe (in particular, when the IP address corresponds to a local address).

How to determine the Relying Party ID?

The Relying Party ID should be determined from the URLs common to your web application.

If you have a web application that can be reached at (for mobiles) and or (for other devices), your Relying Party ID should be

If the domain is shared between sub-projects, the rp ID should be limited to that sub-project.

For example, a web site is located at https://(www.) and another at https://(www.), then the Relying Party IDs should be and respectively. If you set, there is a risk that users from can log in at
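The format rules and the scoping risk described above can be checked before an rp ID is passed to PublicKeyCredentialRpEntity. The following is an added example, not code from the library: the helper names isAcceptableRpId and rpIdCoversHost are hypothetical, and every host name in it is a constructed sample.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code. All host names are constructed samples.

/** True when $rpId is a bare domain: no scheme, userinfo, port, path or IP address. */
function isAcceptableRpId(string $rpId): bool
{
    if ($rpId === 'localhost') {
        return true; // usable only when the browser considers the context safe
    }
    // IPv4 and IPv6 literals (with or without brackets) are not allowed.
    if (filter_var(trim($rpId, '[]'), FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Any of these characters reveals a scheme, userinfo, port, path, query or fragment.
    if ($rpId === '' || strpbrk($rpId, ':/@?#') !== false) {
        return false;
    }
    return filter_var($rpId, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

/**
 * True when $host equals $rpId or is one of its sub-domains, i.e. falls inside
 * its scope. The browser's additional public-suffix check is not reproduced here.
 */
function rpIdCoversHost(string $rpId, string $host): bool
{
    $suffix = '.' . strtolower($rpId);
    $host = strtolower($host);
    return $host === strtolower($rpId) || substr($host, -strlen($suffix)) === $suffix;
}

// Two sub-projects sharing one parent domain (constructed).
$hosts = ['shop.example.com', 'www.shop.example.com', 'blog.example.com'];
$candidates = ['example.com', 'shop.example.com', 'https://shop.example.com', '192.0.2.10'];

foreach ($candidates as $candidate) {
    if (!isAcceptableRpId($candidate)) {
        printf("%-26s rejected: not a bare domain\n", $candidate);
        continue;
    }
    $covered = array_filter($hosts, function (string $host) use ($candidate): bool {
        return rpIdCoversHost($candidate, $host);
    });
    printf("%-26s covers: %s\n", $candidate, implode(', ', $covered));
}
```

With these sample hosts, the parent domain covers both sub-projects, while the narrower rp ID covers only its own site and its www variant.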

Relying Party Icon

Your application may also have a logo. You can indicate this logo as the third argument. Please note that, for safety reasons, this icon is an a priori authenticated URL, i.e. an image that uses the data scheme.

use Webauthn\PublicKeyCredentialRpEntity;
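$rpEntity = new PublicKeyCredentialRpEntity(
    'ACME Webauthn Server', // The application name
    null, // The application ID (null: the current domain is used)
    'data:image/png;base64,<BASE64_ENCODED_ICON>' // Placeholder: the icon as a data URL
);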

The Webauthn specification does not set any limit for the length of the third argument.

The icon may be ignored by browsers, especially if its length is greater than 128 bytes.