diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index 0be522e..4eb399a 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -367,14 +367,22 @@ app.use('*', cors({
 // ============================================================================
 // Serve .well-known/webauthn for Related Origins
-// Only list non-rspace.online origins here — *.rspace.online subdomains are
-// automatically valid because rspace.online is the RP ID.
-// Keep to max 5 eTLD+1 labels to stay within browser limits.
+// Browsers enforce a 5 eTLD+1 limit. Only list domains where passkey
+// ceremonies happen directly (OIDC authorize, admin pages).
+// *.rspace.online subdomains work automatically (RP ID = rspace.online).
 app.get('/.well-known/webauthn', (c) => {
-  const nonRspaceOrigins = CONFIG.allowedOrigins.filter(
-    o => o.startsWith('https://') && !o.endsWith('.rspace.online') && o !== 'https://rspace.online'
-  );
-  return c.json({ origins: nonRspaceOrigins });
+  // Priority origins — these domains actually trigger passkey auth in-browser.
+  // Each unique eTLD+1 counts toward the 5-origin limit.
+  const origins = [
+    'https://ridentity.online',           // OIDC authorize + admin (eTLD+1 #1)
+    'https://auth.ridentity.online',
+    'https://rsocials.online',            // Postiz ecosystem (eTLD+1 #2)
+    'https://demo.rsocials.online',
+    'https://socials.crypto-commons.org', // (eTLD+1 #3)
+    'https://socials.p2pfoundation.net',  // (eTLD+1 #4)
+    'https://rwallet.online',             // (eTLD+1 #5)
+  ];
+  return c.json({ origins });
 });
 // Health check — includes database connectivity
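Review bot: The hard-coded `origins` array in the `/.well-known/webauthn` handler is no longer tied to `CONFIG.allowedOrigins`, so an origin later removed from the configured allow-list (a lapsed or transferred domain, for instance) would still be advertised to browsers as a related origin and could keep exercising credentials bound to the rspace.online RP ID. Intersecting the priority list with the configured allow-list keeps the two policies from drifting silently: `const origins = PRIORITY_ORIGINS.filter(o => CONFIG.allowedOrigins.includes(o));`, with `PRIORITY_ORIGINS` hoisted to module scope as a `readonly string[]` instead of being rebuilt on every request. A startup check that logs any `PRIORITY_ORIGINS` entry missing from `CONFIG.allowedOrigins` would surface the mismatch where an operator can see it. The list already sits at the five eTLD+1 labels the comment describes as the browser limit, so a comment such as `// At the 5 eTLD+1 limit — adding a sixth label breaks related-origin validation in browsers` next to the array would warn the next person who extends it.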