diff --git a/server/api/auth/register-passkey.post.js b/server/api/auth/register-passkey.post.js
index d879cf7..26116de 100644
--- a/server/api/auth/register-passkey.post.js
+++ b/server/api/auth/register-passkey.post.js
@@ -55,10 +55,26 @@ export default defineEventHandler(async (event) => {
   }
 
   const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  // Debug: Prüfe die tatsächliche Origin aus der Response
+  const clientData = response?.response?.clientDataJSON
+  let actualOrigin = null
+  if (clientData) {
+    try {
+      const decoded = Buffer.from(clientData, 'base64').toString('utf-8')
+      const parsed = JSON.parse(decoded)
+      actualOrigin = parsed.origin
+    } catch (e) {
+      console.warn('[DEBUG] Could not parse clientDataJSON:', e)
+    }
+  }
+
   console.log('[DEBUG] WebAuthn config for verification', {
-    origin,
+    expectedOrigin: origin,
+    actualOriginFromResponse: actualOrigin,
     rpId,
-    requireUV
+    requireUV,
+    originMatch: origin === actualOrigin
   })
 
   console.log('[DEBUG] Verifying registration response...')
diff --git a/server/utils/webauthn-config.js b/server/utils/webauthn-config.js
index b4cfa57..93d9128 100644
--- a/server/utils/webauthn-config.js
+++ b/server/utils/webauthn-config.js
@@ -2,8 +2,15 @@ function deriveFromBaseUrl() {
   const base = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
   try {
     const u = new URL(base)
+    // Für HTTPS (Port 443) den Port weglassen, da er standardmäßig ist
+    // Für andere Ports (z.B. Dev auf 3100) den Port beibehalten
+    const port = u.port && u.port !== '443' && u.port !== '80' ? `:${u.port}` : ''
+    const origin = u.protocol === 'https:' && !port
+      ? `${u.protocol}//${u.hostname}`
+      : `${u.protocol}//${u.hostname}${port}`
+
     return {
-      origin: `${u.protocol}//${u.host}`,
+      origin,
       rpId: u.hostname
     }
   } catch {
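Review bot: The clientDataJSON decode and the `originMatch` field are diagnostics that run and log client-supplied data on every registration attempt, and nothing gates them, so they will keep running in production long after the origin problem is diagnosed; wrap the decode block and the console.log in `if (process.env.NODE_ENV !== 'production') { … }` or remove them once the library's own expected-origin check, which presumably follows the "Verifying registration response" line outside the hunk, has been confirmed to report the mismatch. `originMatch` must stay a log field only: the authoritative origin comparison is the one inside the registration verification, and this parsed value should never be used to short-circuit or replace it. clientDataJSON is base64url-encoded, so `Buffer.from(clientData, 'base64url')` states the intent explicitly, although Node's `'base64'` decoder also accepts the URL-safe alphabet. The handler's body begins and ends outside the hunk.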
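Review bot: Both branches of the ternary assigned to `const origin` yield the same string whenever `port` is empty, so the `u.protocol === 'https:' && !port` test is dead, and `new URL()` already drops a default 80/443 from `u.port` and `u.host`, which means the removed `${u.protocol}//${u.host}` produced the same value as the new code. The whole block collapses to `origin: u.origin,` — the WHATWG-serialized origin (scheme, host, non-default port only), which is exactly the form browsers place in clientDataJSON. If the goal is to document the port rule, a one-line comment on that property (`// u.origin omits default ports, matching the browser's origin`) is clearer than re-implementing the normalization. deriveFromBaseUrl's catch body continues outside the hunk.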
@@ -16,10 +23,33 @@ export function getWebAuthnConfig() { const rpId = process.env.WEBAUTHN_RP_ID || derived.rpId const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC' - const origin = process.env.WEBAUTHN_ORIGIN || derived.origin + // WEBAUTHN_ORIGIN hat Priorität, sonst von BASE_URL ableiten + // WICHTIG: Origin sollte KEINEN Port enthalten für HTTPS (443 ist Standard) + let origin = process.env.WEBAUTHN_ORIGIN || derived.origin + + // Sicherstellen, dass HTTPS-Origins keinen Port haben (außer es ist explizit gesetzt) + if (origin.startsWith('https://') && !process.env.WEBAUTHN_ORIGIN) { + try { + const u = new URL(origin) + if (u.port === '443' || (!u.port && u.protocol === 'https:')) { + origin = `https://${u.hostname}` + } + } catch { + // Ignore + } + } const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true' + console.log('[DEBUG] WebAuthn Config', { + rpId, + rpName, + origin, + requireUV, + webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN, + baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL + }) + return { rpId, rpName, origin, requireUV } }
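Review bot: The normalization block only runs when WEBAUTHN_ORIGIN is unset, i.e. on `derived.origin`, which deriveFromBaseUrl already builds without a default port, while an operator-supplied WEBAUTHN_ORIGIN that carries a default port, a path or a trailing slash is used verbatim and will never equal the browser's origin — the one case where normalization would actually help. Normalize both sources the same way with `origin = new URL(origin).origin` and let a malformed value throw at startup rather than fall into the `// Ignore` catch, since a bad origin silently makes every passkey registration fail; note also that `u.port === '443'` can never be true because the URL parser strips default ports. The `[DEBUG] WebAuthn Config` log fires on every call to getWebAuthnConfig() and prints raw environment values; gate it on `process.env.NODE_ENV !== 'production'` or drop it before merge.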