---
id: TASK-51.4
title: 'Phase 4: Simplify EncryptID and WebAuthn for single domain'
status: To Do
assignee: []
created_date: '2026-02-25 07:47'
labels:
  - infrastructure
  - domains
  - migration
  - auth
dependencies:
  - TASK-51.3
parent_task_id: TASK-51
priority: medium
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
Prune WebAuthn Related Origins, JWT audience claims, and CORS allowedOrigins now that all modules are on rspace.online.

Files: server/index.ts (.well-known/webauthn), public/.well-known/webauthn, src/encryptid/session.ts (JWT aud), src/encryptid/server.ts (allowedOrigins + HTML templates).
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [ ] #1 Passkey login works on rspace.online
- [ ] #2 No CORS errors for auth flows
- [ ] #3 JWT aud is rspace.online only
- [ ] #4 .well-known/webauthn no longer lists standalone domains
<!-- AC:END -->