I’m implementing Passkey registration on iOS using `ASAuthorizationPlatformPublicKeyCredentialProvider`. On the server side, I’m using a WebAuthn library that throws the error `UnexpectedRPIDHash: Unexpected RP ID hash` during `verifyRegistrationResponse()`.

- Domain: `pebblepath.link` (publicly routable, valid SSL certificate, no warnings in Safari)
- Associated Domains in Xcode: `webcredentials:pebblepath.link`
- AASA file:

  ```json
  {
    "applinks": { "apps": [] },
    "webcredentials": { "apps": [ "H33XH8JMV6.com.reactivex.pebblepath" ] }
  }
  ```
- Xcode Configuration:
  - Team ID: `H33XH8JMV6`
  - Bundle ID: `com.reactivex.pebblepath`
  - Associated Domains: `webcredentials:pebblepath.link`
- Logs:
  - iOS `clientDataJSON` shows `"origin": "https://pebblepath.link"`.
  - Server logs confirm `expectedOrigin = "https://pebblepath.link"` and `expectedRPID = "pebblepath.link"`.
  - Despite this, the server library still errors out: `finishRegistration error: UnexpectedRPIDHash`.

I’ve verified that:

- The domain has a valid CA-signed SSL cert (no Safari warnings).
- The AASA file is reachable at `https://pebblepath.link/.well-known/apple-app-site-association`.
- The app’s entitlements match `H33XH8JMV6.com.reactivex.pebblepath`.
- I’ve removed old passkeys from Settings → Passwords on the device and retried fresh.
- I’m testing on a real device with iOS 16+; I am using a Development provisioning profile, but that shouldn’t cause an RP ID mismatch as long as the domain is valid.

Every log indicates that the domain and origin match exactly, but the WebAuthn library still throws `UnexpectedRPIDHash`, implying iOS is embedding a different (or unrecognized) RP ID hash in the credential.

Has anyone else encountered this with iOS passkeys and a valid domain/AASA setup? Is there an extra step needed to ensure iOS recognizes the domain for passkey registration?
Any guidance or insights would be greatly appreciated!
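
A server-side diagnostic for the mismatch described in the question, as an added example that is not part of the original post and not the WebAuthn library's own code: it reads the 32-byte RP ID hash from the authenticator data and reports which identifier string it actually corresponds to. It assumes the authenticator data has already been CBOR-decoded out of the attestation object; the function names, the candidate list and the sample bytes are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest();

// Authenticator data layout (WebAuthn):
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthDataHeader(authData) {
  if (authData.length < 37) throw new Error("authenticator data shorter than 37 bytes");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    hasAttestedCredential: (flags & 0x40) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Compare the embedded hash with SHA-256(expectedRpId). On a mismatch, try
// candidate strings to find which identifier the client actually hashed.
function diagnoseRpIdHash(authData, expectedRpId, candidates = []) {
  const header = parseAuthDataHeader(authData);
  const matches = (id) => crypto.timingSafeEqual(sha256(id), header.rpIdHash);
  return {
    ...header,
    rpIdHashHex: header.rpIdHash.toString("hex"),
    expectedHashHex: sha256(expectedRpId).toString("hex"),
    ok: matches(expectedRpId),
    hashedIdentifier: [expectedRpId, ...candidates].find(matches) ?? null,
  };
}

// Constructed sample: authenticator data whose rpIdHash was computed over an
// origin string instead of the bare RP ID (flags = UP|UV|AT, signCount = 0).
const sample = Buffer.concat([
  sha256("https://pebblepath.link"),
  Buffer.from([0x45, 0, 0, 0, 0]),
]);

// The candidate identifiers below are assumptions chosen for this example.
const report = diagnoseRpIdHash(sample, "pebblepath.link", [
  "https://pebblepath.link",
  "www.pebblepath.link",
  "com.reactivex.pebblepath",
]);
console.log(report.ok, report.hashedIdentifier);
```

Logging `rpIdHashHex` next to `expectedHashHex` for a failing registration shows whether the mismatch comes from the identifier the client was configured with or from the value the server expects.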