diff --git a/spec/controllers/auth/sessions_controller_spec.rb b/spec/controllers/auth/sessions_controller_spec.rb
index 3cc3460718..713ea3ff16 100644
--- a/spec/controllers/auth/sessions_controller_spec.rb
+++ b/spec/controllers/auth/sessions_controller_spec.rb
@@ -412,44 +412,4 @@ RSpec.describe Auth::SessionsController do
       end
     end
   end
-
-  describe 'GET #webauthn_options' do
-    subject { get :webauthn_options, session: { attempt_user_id: user.id } }
-
-    let!(:user) do
-      Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
-    end
-
-    context 'with WebAuthn and OTP enabled as second factor' do
-      let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http'}://#{Rails.configuration.x.web_domain}" }
-
-      let(:fake_client) { WebAuthn::FakeClient.new(domain) }
-
-      before do
-        user.update(webauthn_id: WebAuthn.generate_user_id)
-        public_key_credential = WebAuthn::Credential.from_create(fake_client.create)
-        user.webauthn_credentials.create(
-          nickname: 'SecurityKeyNickname',
-          external_id: public_key_credential.id,
-          public_key: public_key_credential.public_key,
-          sign_count: '1000'
-        )
-        post :create, params: { user: { email: user.email, password: user.password } }
-      end
-
-      it 'returns http success' do
-        subject
-
-        expect(response).to have_http_status 200
-      end
-    end
-
-    context 'when WebAuthn not enabled' do
-      it 'returns http unauthorized' do
-        subject
-
-        expect(response).to have_http_status 401
-      end
-    end
-  end
 end
diff --git a/spec/requests/auth/sessions/security_key_options_spec.rb b/spec/requests/auth/sessions/security_key_options_spec.rb
new file mode 100644
index 0000000000..6246e4beb3
--- /dev/null
+++ b/spec/requests/auth/sessions/security_key_options_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'webauthn/fake_client'
+
+RSpec.describe 'Security Key Options' do
+  describe 'GET /auth/sessions/security_key_options' do
+    let!(:user) do
+      Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
+    end
+
+    context 'with WebAuthn and OTP enabled as second factor' do
+      let(:domain) { "#{Rails.configuration.x.use_https ? 'https' : 'http'}://#{Rails.configuration.x.web_domain}" }
+
+      let(:fake_client) { WebAuthn::FakeClient.new(domain) }
+      let(:public_key_credential) { WebAuthn::Credential.from_create(fake_client.create) }
+
+      before do
+        user.update(webauthn_id: WebAuthn.generate_user_id)
+        Fabricate(
+          :webauthn_credential,
+          user_id: user.id,
+          external_id: public_key_credential.id,
+          public_key: public_key_credential.public_key
+        )
+        post '/auth/sign_in', params: { user: { email: user.email, password: user.password } }
+      end
+
+      it 'returns http success' do
+        get '/auth/sessions/security_key_options'
+
+        expect(response)
+          .to have_http_status 200
+        expect(response.content_type)
+          .to start_with('application/json')
+      end
+    end
+
+    context 'when WebAuthn not enabled' do
+      it 'returns http unauthorized' do
+        get '/auth/sessions/security_key_options'
+
+        expect(response)
+          .to have_http_status 401
+        expect(response.content_type)
+          .to start_with('application/json')
+      end
+    end
+  end
+end