WebAuthn allowCredentials mismatch

Error text / 报错原文

• allowCredentials mismatch
• credential ID mismatch
• Unknown credential

What it means

The server asks for a credential ID that the authenticator cannot provide for this RP ID.

Most common causes

• Credential stored for another domain
• Base64URL decode bug
• User account mapped to wrong credential
• Passkey deleted or synced late

Fastest fix

• Reproduce the smallest failing case.
• Check environment, platform, and production settings.
• Use the related local tool to classify the issue.
• Fix the highest-risk security or data issue first.

Safe fix

• Keep secrets out of client code and logs.
• Prefer least privilege and explicit allowlists.
• Add a regression test or checklist before retrying.
• Document the working production configuration.

What not to do

• Do not disable security controls as a permanent fix.
• Do not paste secrets into public issue trackers or AI chats.
• Do not trust preview success as production readiness.

Diagnostic commands

window.PublicKeyCredential
location.origin
document.querySelector("input[autocomplete*=webauthn]")

Related tools

• /tools/webauthn-error-decoder/ →
• /tools/base64url-decode/ →

Related errors

• WebAuthn NotAllowedError during passkey login →
• WebAuthn AbortError during passkey login →
• Passkey conditional UI not showing →
• WebAuthn RP ID mismatch →
• Passkey not available on Android or iOS →
• CHIPS Partitioned cookie missing SameSite=None or Secure →

Sources

• https://www.corbado.com/blog/webauthn-errors ↗
• https://developer.chrome.com/docs/identity/webauthn-conditional-create ↗