Step-up Auth
Already signed in, but the action is dangerous — prove it again with biometrics on Transcodes Auth. Same flow for web apps (SDK) and AI agents (transcodes-guard); only the caller differs.
When step-up applies
Step-up applies when the RBAC permission level for a {resource}:{action} pair is 2 (allow + step-up). Level 0 blocks the action; level 1 proceeds without MFA.
Configure the matrix in RBAC. Actions are always create · read · update · delete.
Shared flow
| Surface | Who calls | Human UI | Who polls |
|---|---|---|---|
| Web app | redirectToStepUp() | New tab on Transcodes Auth | SDK in your page |
| AI agent | transcodes-guard hook / MCP | Browser tab (auto-opened) | Agent via poll_stepup_session_wait |
Session TTL: 10 minutes. MFA UI is never embedded in your app or IDE — always the hosted auth page.
Audit trail
Step-up always leaves before and after records: gate decision when the session opens, then mcp:stepup (or {resource}:{action}) when MFA completes. See Webhook → What transcodes-guard records.
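The sketch below models the level check, the 10-minute session TTL and the before/after audit records together. It is an added JavaScript example, not Transcodes SDK or transcodes-guard code; `createGate`, `MATRIX`, the session ids, and the fail-closed and single-use behaviours are assumptions made for illustration.

```javascript
// Added model of the step-up gate; not the Transcodes SDK or transcodes-guard API.
const ACTIONS = new Set(["create", "read", "update", "delete"]);
const STEPUP_TTL_MS = 10 * 60 * 1000; // session TTL stated on the page: 10 minutes

// Constructed sample matrix: "{resource}:{action}" -> 0 block, 1 allow, 2 allow + step-up.
const MATRIX = new Map([
  ["invoice:read", 1],
  ["invoice:delete", 2],
  ["apikey:create", 0],
]);

function createGate(matrix, now = () => Date.now()) {
  const audit = [];           // before/after records for step-up sessions
  const sessions = new Map(); // sessionId -> { key, expiresAt, done }
  let seq = 0;

  function request(resource, action) {
    const key = `${resource}:${action}`;
    // Assumption: unknown actions and unlisted pairs fail closed (treated as level 0).
    const level = ACTIONS.has(action) ? (matrix.get(key) ?? 0) : 0;
    if (level === 1) return { decision: "allow" };
    if (level !== 2) return { decision: "block" };
    const sessionId = `s${++seq}`;
    sessions.set(sessionId, { key, expiresAt: now() + STEPUP_TTL_MS, done: false });
    audit.push({ event: "gate", key, sessionId }); // "before": session opened
    return { decision: "step-up", sessionId };
  }

  // Called once the hosted auth page reports that MFA succeeded for sessionId.
  function complete(sessionId) {
    const s = sessions.get(sessionId);
    // Assumption: a session authorizes one action only; replays are refused.
    if (!s || s.done) return { ok: false, reason: "unknown-or-used" };
    if (now() > s.expiresAt) return { ok: false, reason: "expired" };
    s.done = true;
    audit.push({ event: s.key, sessionId }); // "after": {resource}:{action} record
    return { ok: true, key: s.key };
  }

  return { request, complete, audit };
}
```

Passing a fake clock as the second argument to `createGate` lets you exercise the expiry path without waiting ten minutes.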
Guide
Legacy modal docs (openStepUpModal) live under Archives. New integrations use redirects only.