In a WebAuthn registration response, what does the rp (Relying Party) entry contain, and why does it matter for security?
rp identifies the website the credential belongs to (its ID/domain) — binding each credential to one origin is what makes WebAuthn phishing-resistant.
The rp field names the relying party (e.g. id: "webauthn.io"). The credential the authenticator creates is scoped to that relying party ID.
This origin-binding is the heart of WebAuthn's anti-phishing property: the browser will only release/use a credential for the exact origin it was registered to. If a user lands on webauth-io.evil.com instead of webauthn.io, the browser simply won't offer the real credential — there's no matching rp ID, so there's nothing for the fake site to steal. A password, by contrast, would be happily typed into the look-alike page.
Tip: This is the structural reason passkeys "can't be phished" — the browser, not the fallible user, enforces that credentials only work on the genuine domain.