
Implementation Guide


Security best practices for integrating Transcodes authentication into your application.

Important: Transcodes provides authentication services only. Application security, including protection against XSS, CSRF, and other client-side attacks, is your responsibility.


HTTPS Requirement

WebAuthn requires a secure context (HTTPS). The SDK will not function over plain HTTP.

Allowed in development:

  • localhost
  • 127.0.0.1

Required in production:

  • Valid TLS certificate (HTTPS)
  • Properly configured SSL/TLS

Token Security

Use the SDK’s Built-in Storage

Let Transcodes handle token storage. The SDK securely manages access tokens in localStorage and private keys in IndexedDB.

// Recommended: let the SDK handle storage automatically
const token = await transcodes.token.getAccessToken();

Never manually store tokens in cookies or custom storage. The SDK’s storage is designed for security.

Secure Token Transmission

// Always send the token in the Authorization header
fetch('/api/protected', {
  headers: {
    Authorization: `Bearer ${await transcodes.token.getAccessToken()}`,
  },
});

Never:

  • Include tokens in URLs (?token=xxx)
  • Log tokens to console in production
  • Store tokens in global variables

Server-Side Verification

Never trust client-side token validation alone. Always verify tokens on your server.

Verification Checklist

When verifying JWT tokens from Transcodes:

Check             What to Verify
Signature         Validate using the Transcodes public key (RS256)
Issuer (iss)      Must be https://auth.transcodes.io
Audience (aud)    Must match your Project ID
Expiration (exp)  Must be in the future

Example (Node.js)

const jwt = require('jsonwebtoken');

// Pins the algorithm and checks signature, issuer, audience and expiry in one call
const decoded = jwt.verify(token, TRANSCODES_PUBLIC_KEY, {
  algorithms: ['RS256'],
  issuer: 'https://auth.transcodes.io',
  audience: 'YOUR_PROJECT_ID',
});

Content Security Policy

Configure CSP headers to allow Transcodes SDK resources:

Content-Security-Policy: script-src 'self' https://cdn.transcodes.link; connect-src 'self' https://api.transcodes.io; frame-src 'self' https://auth.transcodes.io;

HTML Meta Tag Alternative

<meta
  http-equiv="Content-Security-Policy"
  content="
    default-src 'self';
    script-src 'self' https://cdn.transcodes.link;
    connect-src 'self' https://api.transcodes.io;
    frame-src 'self' https://auth.transcodes.io;
  "
/>

Rate Limiting

Protect your backend from abuse by implementing rate limiting on authentication-related endpoints:

Recommended limits:

  • Login attempts: 10 per 15 minutes per IP
  • Token verification: 100 per minute per user
  • Account creation: 5 per hour per IP

Transcodes already implements rate limiting on its API. These recommendations are for your own backend endpoints that interact with Transcodes tokens.


Security Checklist

Development

  • Test on HTTPS (or localhost)
  • Configure CSP headers
  • Implement server-side token verification
  • Review error messages (avoid information leakage)

Production

  • Enable HTTPS with valid certificate
  • Remove all console.log statements containing tokens
  • Enable rate limiting on your API
  • Configure security headers (HSTS, X-Frame-Options, etc.)
  • Set up monitoring and alerting

Ongoing Maintenance

  • Keep SDK version up to date
  • Subscribe to security advisories
  • Conduct periodic security audits
  • Review access logs regularly

Contact

Found a security issue? Report responsibly:

Email: security@transcodes.io

We acknowledge reports within 24 hours and work with you to resolve issues promptly.
