diff --git a/server/index.ts b/server/index.ts
index 4c44345..e12673f 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -125,15 +125,19 @@ const app = new Hono();
 app.use("/api/*", cors());
 // ── .well-known/webauthn (WebAuthn Related Origins) ──
+// Browsers enforce a 5 eTLD+1 limit. Only list domains where passkey
+// ceremonies happen directly. Must match encryptid/server.ts priority list.
 app.get("/.well-known/webauthn", (c) => {
 return c.json(
 {
 origins: [
- "https://rwallet.online",
- "https://rvote.online",
- "https://rmaps.online",
- "https://rfiles.online",
- "https://rnotes.online",
+ "https://ridentity.online", // OIDC authorize + admin (eTLD+1 #1)
+ "https://auth.ridentity.online",
+ "https://rsocials.online", // Postiz ecosystem (eTLD+1 #2)
+ "https://demo.rsocials.online",
+ "https://socials.crypto-commons.org", // (eTLD+1 #3)
+ "https://socials.p2pfoundation.net", // (eTLD+1 #4)
+ "https://rwallet.online", // (eTLD+1 #5)
 ],
 },
 200,
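Review bot: The new `origins` array is an allowlist of sites permitted to run passkey ceremonies against this RP ID, and it now includes `demo.rsocials.online` plus hosts under `crypto-commons.org` and `p2pfoundation.net`; if any of those is a demo instance or is operated outside this project's control, script injection or a takeover on that host could be used to request WebAuthn assertions for production credentials. Confirm each host is operated to the same standard as the identity service and record that in the comment, e.g. `// Each origin below can request passkeys for our RP ID; list only hosts we operate and harden like the auth server.` The comment also says the list must match `encryptid/server.ts`, which nothing in this hunk enforces; a shared exported constant, or a test comparing the two lists, would keep them from drifting apart. The `app.get` handler continues past the end of the hunk.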