WebAuthn NotAllowedError during passkey login

Error text / 报错原文

• NotAllowedError
• The operation either timed out or was not allowed
• passkey login NotAllowedError

What it means

The passkey request was cancelled, timed out, blocked by browser policy, or could not find a usable credential.

Most common causes

• No user gesture
• Timeout too short
• Credential not available
• RP ID mismatch

Fastest fix

• Reproduce the smallest failing case.
• Check environment, platform, and production settings.
• Use the related local tool to classify the issue.
• Fix the highest-risk security or data issue first.

Safe fix

• Keep secrets out of client code and logs.
• Prefer least privilege and explicit allowlists.
• Add a regression test or checklist before retrying.
• Document the working production configuration.

What not to do

• Do not disable security controls as a permanent fix.
• Do not paste secrets into public issue trackers or AI chats.
• Do not trust preview success as production readiness.

Diagnostic commands

window.PublicKeyCredential
location.origin
document.querySelector("input[autocomplete*=webauthn]")

Related tools

• /tools/webauthn-error-decoder/ →
• /tools/passkey-readiness-checker/ →

Related errors

• WebAuthn AbortError during passkey login →
• Passkey conditional UI not showing →
• WebAuthn allowCredentials mismatch →
• WebAuthn RP ID mismatch →
• Passkey not available on Android or iOS →
• CHIPS Partitioned cookie missing SameSite=None or Secure →

Sources

• https://www.corbado.com/blog/webauthn-errors ↗
• https://developer.chrome.com/docs/identity/webauthn-conditional-create ↗