diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index a133119..fe03c16 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -194,7 +194,17 @@ const app = new Hono();
 // Middleware
 app.use('*', logger());
 app.use('*', cors({
- origin: CONFIG.allowedOrigins,
+ origin: (origin) => {
+ // Allow all *.rspace.online subdomains dynamically (any canvas slug)
+ if (origin === 'https://rspace.online' || origin?.endsWith('.rspace.online')) {
+ return origin;
+ }
+ // Allow explicit r* ecosystem origins
+ if (CONFIG.allowedOrigins.includes(origin)) {
+ return origin;
+ }
+ return undefined;
+ },
 allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
 allowHeaders: ['Content-Type', 'Authorization'],
 credentials: true,
@@ -236,15 +246,15 @@ function resolveRpId(c: any): string {
 try {
 const url = new URL(origin);
 const hostname = url.hostname;
- // Check if this origin is in our allowed list
+ // All *.rspace.online subdomains use rspace.online as RP ID
+ if (hostname.endsWith('.rspace.online') || hostname === 'rspace.online') {
+ return 'rspace.online';
+ }
+ // Check if this origin is in our explicit allowed list
 const isAllowed = CONFIG.allowedOrigins.some(o => {
 try { return new URL(o).hostname === hostname; } catch { return false; }
 });
 if (isAllowed && hostname !== 'localhost') {
- // For *.rspace.online subdomains, use rspace.online
- if (hostname.endsWith('.rspace.online') || hostname === 'rspace.online') {
- return 'rspace.online';
- }
 // For other allowed origins, use their domain as RP ID
 return hostname;
 }
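Review bot: The wildcard branch of the new `origin` callback suffix-matches the raw Origin string, so the scheme is never checked. A plaintext origin such as `http://<slug>.rspace.online` is reflected back and, because `credentials: true` is set just below, is allowed to make credentialed requests to this server. Parsing the header and requiring `https:` together with the hostname rule closes that gap, and it matches how resolveRpId already works on the parsed `hostname`. The comment says any canvas slug is accepted, so it would also help to state in that comment that every subdomain is deliberately trusted with credentials, since script injection on any one of them would then reach this API.

```typescript
  origin: (origin) => {
    // Parse rather than suffix-match the raw header so the scheme is validated too
    let parsed: URL | undefined;
    try {
      parsed = new URL(origin);
    } catch {
      parsed = undefined;
    }
    const isRspaceHost =
      parsed !== undefined &&
      (parsed.hostname === 'rspace.online' || parsed.hostname.endsWith('.rspace.online'));
    if (parsed?.protocol === 'https:' && isRspaceHost) {
      return origin;
    }
    // … unchanged: explicit CONFIG.allowedOrigins check and `return undefined` …
  },
```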
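Review bot: The `.rspace.online` suffix rule now lives in two places that test different inputs, so they can drift apart: here it is applied to the parsed `hostname`, while the CORS callback in the first hunk applies it to the raw Origin string. A small shared helper used by both, for example `const isRspaceHost = (h: string) => h === 'rspace.online' || h.endsWith('.rspace.online');`, would keep them aligned. Every subdomain now maps to the single RP ID `rspace.online` ahead of the allow-list check, so a passkey registered from one subdomain is presumably usable from any other. It is worth confirming that the expected-origin check in the WebAuthn verification path, which is not visible in this hunk, is equally strict, and extending the new comment to something like `// Intentional: one RP ID shared by all canvas subdomains`. resolveRpId starts and ends outside the hunk.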