Architecture
⚡ 6 min readDeep dive into Transcodes’ technical architecture and security model.
System Overview
Transcodes WebWorker handles all authentication complexity in the browser:
What the WebWorker provides:
- Pre-built components with one function call
- Automatic token management
- Event-driven auth state updates
- In-memory accessible access token with AES-256-GCM encryption
- Secure web storage for storing private credentials
Core Components
TokenManager
Handles access token lifecycle:
interface TokenManager {
getCurrentUser(): Promise<User | null>; // Get user from JWT payload
getAccessToken(): Promise<string | null>; // Auto-refreshes if expired
hasToken(): boolean; // Sync check
hasPrivateKey(): Promise<boolean>; // Check Private Key in storage for generating access token
validateToken(): boolean; // Validate without refresh
isAuthenticated(): Promise<boolean>; // Full validation
signOut(): Promise<void>; // Clear all credentials
}EventEmitter
Reactive event system for auth state changes:
| Event | When Fired |
|---|---|
AUTH_STATE_CHANGED | Login, logout, or initial auth check |
TOKEN_REFRESHED | Access token automatically renewed |
TOKEN_EXPIRED | Token expired (before refresh) |
ERROR | Authentication error occurred |
See API Reference for event payload details.
Zero-Knowledge Architecture
Transcodes implements a zero-knowledge security model where your private key never leaves your device:
| Aspect | Traditional Auth | Transcodes |
|---|---|---|
| Secret Storage | Server-side | Client-side only |
| Server Breach Risk | Credentials exposed | Nothing to steal |
| Provider Trust | Must trust provider | Cryptographically verifiable |
| Phishing Risk | Credentials can be stolen | Keys bound to origin |
Key principles:
- Private Key Isolation: Generated and stored exclusively in encrypted browser storage
- Cryptographic Proof: Authentication uses digital signatures, not shared secrets
- No Server Secrets: Transcodes servers only store public keys
- Origin Binding: Keys are bound to your domain, preventing phishing
Security Model
Data Storage
| Location | Data | Purpose |
|---|---|---|
| User’s Browser | Encrypted credentials & tokens | Secure authentication state |
| Transcodes Server | Public keys, metadata | Token verification |
| Your Server | JWT Token (optional) | API authorization |
Security Standards
- Encryption: Industry-standard cryptographic algorithms
- Authentication: Challenge-response protocol with digital signatures
- Privacy: No attestation data collected
- Token Format: Standard JWT (JSON Web Token)
DPOP (Proof of Possession) Private Key
Traditional OAuth stores secrets on servers. Transcodes keeps credentials in the browser:
- Unphishable: Key is bound to only user physical device
- Confidentiality: No one can see user’s private key
- User control: User can control his/her own private credential data in browser by himself/herself
Token Refresh Flow
Access tokens are automatically refreshed using secure credentials stored in the browser. When you call getAccessToken(), the SDK:
- Returns cached token if still valid
- Otherwise, authenticates using stored credentials
- Requests a fresh token from Transcodes server
- Emits
TOKEN_REFRESHEDevent
No refresh token needed—the private key serves as traditional refresh token
Browser Support
| Browser | Minimum Version | WebAuthn Support |
|---|---|---|
| Chrome | 67+ | Full |
| Safari | 14+ | Full |
| Firefox | 60+ | Full |
| Edge | 79+ | Full (Chromium) |
WebAuthn requires HTTPS in production. localhost is allowed for
development.
Next Steps
- Quick Start - Get started in 5 minutes
- API Reference - Full SDK documentation
- Integration Guides - Framework-specific guides