---
id: TASK-51.4
title: 'Phase 4: Simplify EncryptID and WebAuthn for single domain'
status: Done
assignee: []
created_date: '2026-02-25 07:47'
updated_date: '2026-03-12 04:51'
labels:
  - infrastructure
  - domains
  - migration
  - auth
dependencies:
  - TASK-51.3
parent_task_id: TASK-51
priority: medium
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
Prune WebAuthn Related Origins, JWT audience claims, and CORS allowedOrigins now that all modules are on rspace.online.

Files: server/index.ts (.well-known/webauthn), public/.well-known/webauthn, src/encryptid/session.ts (JWT aud), src/encryptid/server.ts (allowedOrigins + HTML templates).
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [ ] #1 Passkey login works on rspace.online
- [ ] #2 No CORS errors for auth flows
- [ ] #3 JWT aud is rspace.online only
- [ ] #4 .well-known/webauthn no longer lists standalone domains
<!-- AC:END -->

## Implementation Notes

<!-- SECTION:NOTES:BEGIN -->
**2026-03-11:** Pruned allowedOrigins from ~30 entries to 16 (removed all r*.online standalone app domains that now 301 to rspace.online). Kept: rspace.online subdomains, ridentity.online (EncryptID's own domain), rsocials.online ecosystem, canvas-website migration, localhost. Simplified JWT aud from full origins array to single 'rspace.online' string. Removed rwallet.online from SIWE allowedDomains. Updated webauthn related origins (removed rwallet, kept ridentity + rsocials ecosystem). Updated EncryptID HTML template links to use rspace.online paths instead of r*.online domains. ridentity.online kept as canonical EncryptID/OIDC domain per user decision.
<!-- SECTION:NOTES:END -->