How It Works
⚡ 5 min readTranscodes provides passkey login, step-up verification, RBAC, audit logs, and member management through the SDK and Console, with optional MCP tooling for AI-assisted setup and admin operations. Under the hood, every credential is based on cryptographic proof: your private key never leaves your device, and we only store public keys
Even if Transcodes servers are fully compromised, your credentials remain safe. There is nothing to steal
DPoP: Proof of Possession
- Private key generated and stored on device
- Public key registered with Transcodes server once
- On login: device signs a challenge, server verifies with public key
- JWT issued — private key never transmitted
Server Breach? No Problem.
| What’s on the server | Attacker gets | Risk |
|---|---|---|
| Public keys | Useless without private key | None |
| Encrypted metadata | Cannot decrypt without key | None |
Credential Encryption
| Layer | What’s Protected | Encryption |
|---|---|---|
| In-Memory | Access tokens | AES-256-GCM |
| Browser Storage | Private keys | Platform encryption |
| Server-Side | Server JWT (x-transcodes-token), metadata | AES-256 at rest |
| In Transit | All API communication | TLS 1.3 |
Access tokens are in memory only—never written to localStorage or cookies, eliminating XSS token theft
Supported Authentication Methods
| Method | Use Case | Examples |
|---|---|---|
| Passkey (WebAuthn) | Primary login (biometrics) | Face ID, Touch ID, Windows Hello |
| TOTP | Step-up auth / MFA backup | Google Authenticator, Authy |
| Hardware Security Key | High-assurance / admin access | YubiKey, Titan Key (FIDO2) |
| Recovery / backup sign-in | 6-digit code to your verified address |
- Cross-device: QR code-based passkey login (phone → desktop)
- Synced passkeys via iCloud Keychain, Google Password Manager, Microsoft account
- Email codes are typically used when passkeys or other factors are unavailable (recovery path), not as a day-to-day password replacement
Recovery Process
Register at least two authentication methods (e.g. passkey + YubiKey, passkey + TOTP, or passkey + verified email for recovery codes) for maximum recovery coverage
Next Steps
Last updated on