# Transcodes AI Integration Guide

---

## [Table of Contents]

### Agent directives & rules
- [Global Agent Directives] — security, parameter resolution, video references
- [Global Implementation Rules] — try-catch, loading state, await
- **[Default Integration Method] — CDN static (HTML `<head>`) is the ONLY supported default. npm SDK is deprecated.**
- **[MCP Runtime Boundary] — MCP is an AI-tool transport, NOT a customer app backend.**
- [Code Contract] — mandatory rules every code block must satisfy
- [Public Auth API Surface] — hosted auth redirects + typed modal compatibility
- [Quick Use Cases] — when to call each auth API
- [Common Session Rule] — session requirements per API
- [Blocking Parameter Rule] — stop and ask for resource / action (hosted step-up) when unknown
- [Placeholder Resolution Policy] — RESOLVED_* are required inputs, not final values
- [Index & Tags] — keyword → section mapping

### MCP Server Integration
- MCP Server setup — install in Claude Desktop, Cursor, or Codex for project setup/admin assistance
- Available MCP tools — members, roles, resources, audit logs, permissions for AI-assisted operations
- Migration Guide — moving existing users and roles to Transcodes via AI-tool MCP, not customer runtime code

### How It Works & Architecture
- Core security model — WebAuthn, DPoP, browser memory tokens, RP ID binding
- System Context: Disney World Scenario — entity mapping and authentication flow analogy

### Section 1 — Optional PWA/Web App Kit Setup (manifest + sw.js) — CDN static
- PWA — HTML + service worker (required only for installable PWA, CDN static, `defer`)
- DO NOT list — prohibited actions
- Required PWA wiring (`<link rel="manifest">` + `<script defer>` in `<head>` + one-line `public/sw.js`)
  - React (Vite / CRA) / Vue.js — native `<script defer>` in `index.html` `<head>`
  - Next.js App Router — native `<script defer>` in `<head>`, no `next/script`
  - All frameworks — `sw.js` placement rules
- PWA Setup — docs & Console panels
- SDK note — isPwaInstalled()

### Section 2 — Admin Authentication, Operations & Management
- Integration Methods (CDN-first)
  - **Option A — HTML / CDN static (DEFAULT, REQUIRED unless explicitly told otherwise)** — `<script defer>` in `<head>`, no `init()`, `transcodes.d.ts` MUST be added
  - Option B — npm SDK fallback — DEPRECATED; do not use for new integrations
- CDN vs npm naming comparison table
- TranscodesInitOptions (deprecated npm legacy only)
- Dynamic SDK utility methods — isInitialized, setConfig, getBuildInfo

### Core APIs
- Framework Integration: Must-Know — focus trap, composedPath, updateComplete, CSS isolation
- 1. Hosted sign-in — `redirectToSignIn` + automatic callback bootstrap
- 2. Hosted member console — `redirectToConsole`
- 3. Hosted step-up MFA — `redirectToStepUp` + `handleStepUpReturnPage`
- 4. Token API — getCurrentMember (→ GetCurrentMemberResult), getAccessToken, hasToken, isAuthenticated, signOut
- 5. Member API — getMember (fresh from API)
- 6. Events API — AUTH_STATE_CHANGED, TOKEN_REFRESHED, TOKEN_EXPIRED, ERROR, MEMBER_REVOKED (admin-side suspension / revocation)
- 7. trackUserAction — audit logs

### Type definitions & patterns
- Type Definitions — Member, ApiResponse, hosted redirect option/result types, TokenAPI, GetCurrentMemberResult, GetCurrentMemberFailureReason
- Framework setup (quick reference) — CDN static for every framework (React+Vite, Next.js, Vue3); npm variants are omitted for generated integrations
- **Framework-specific access pattern (CSR vs SSR)** — when `transcodes.*` is safe vs when you must guard with `typeof window !== 'undefined' && window.transcodes` (Next.js / Remix / Astro / SvelteKit pitfall)
- Quick start example (CDN static — Authentication-only DEFAULT)
- **CDN TypeScript setup — MANDATORY** — fetch `https://www.transcodes.io/instructions/types` → save as `transcodes.d.ts` → wire `tsconfig.json`
- React SDK helper aliases
- npm fallback examples — omitted for generated integrations
- Step-up MFA example (CDN static — DEFAULT)

### Server & infrastructure
- Server-side JWT verification — public_key.json, jose, ES256
  - Node.js / Next.js (jose)
  - Python (PyJWT)
- CSP (Content Security Policy)
- WebAuthn / redirect origins — hosted WebAuthn ceremonies belong to the auth app (`https://auth.transcodes.io` in prod). `authentication.related_origins` is only the hosted sign-in redirect callback allow-list. Do not generate customer `/.well-known/webauthn` files for normal integrations.

### Reference
- Release Checklist
- .transcodes Integration Record — create after setup, read before modifying; record hosted sign-in callback origins and note that customer `/.well-known/webauthn` was not generated
- Browser support
- Scope: Transcodes vs Your App + frontend security recommendations
- Links — docs, Console, CDN
- Video Tutorials

### Troubleshooting
- PWA / sw.js — GET 404, install prompt never appears, manifest 404
- SDK loading (CDN) — window.transcodes undefined, TypeScript errors, init() conflict
- SSR `ReferenceError` — `transcodes is not defined` / `window is not defined` on Next.js / Remix / Astro / SvelteKit (TypeScript will not catch this)
- Hosted auth redirects — redirect not starting, result.success false, resource / action errors
- JWT / server-side — algorithm errors, kid mismatch, getAccessToken null, getCurrentMember errors
- RBAC — resource/action resolution (Console + MCP)
- CSP / network — script blocked, CORS errors
- General checklist — 10-point sanity check

---

<!-- section:critical-directives:start -->
## CRITICAL AGENT DIRECTIVES

<critical_rules>

> **READ THIS BEFORE GENERATING ANY CODE.**
> You are an AI implementation assistant for Transcodes, a passkey-first authentication platform (SDK CDN/npm, Console, MCP) for admin authentication, operations, and management (passkey login, RBAC, step-up auth, audit logs, member management).
> **You MUST strictly adhere to the following rules.**

### 1. Integration Method Rule (CDN Static is the ONLY Default)
- **ALWAYS default to CDN static integration. Use npm sdk library only if the user explicitly requests it or confirms they cannot use the CDN method**
- **NEVER** use the npm SDK fallback for new integrations. It is deprecated until the SDK is reintroduced after stabilization.
- **NEVER** call `init()` on the CDN static path.
- **REQUIRED HTML for Authentication-only:** Add one `<script src=".../webworker.js" defer></script>` to the `<head>`.
- **PWA/Web App Kit assets are conditional:** Add `<link rel="manifest">` and `public/sw.js` only when the user asks for installable PWA/Web App Kit.
- **REQUIRED ATTRIBUTE:** The script tag **MUST** use `defer`. Do NOT use `type="module"`, `crossorigin`, or `async`.

### 2. TypeScript Rule (Mandatory for CDN Static)
- **`transcodes.d.ts` is MANDATORY** for any TypeScript project using the CDN static method.
- **DO NOT ASSUME IT EXISTS.** Verify its existence. If missing, you MUST create it by fetching from `https://www.transcodes.io/instructions/types`.
- **`tsconfig.json` MUST BE UPDATED.** You MUST add the directory containing `transcodes.d.ts` to **BOTH** `include` AND `typeRoots`. Skipping this will cause a compile error.

### 3. Framework Access Pattern Rule (CSR vs SSR)
- **CSR (Vite, CRA, Vue SPA):** Use the bare `transcodes.*` global everywhere.
- **SSR/RSC (Next.js, Remix, Astro, SvelteKit):** You **MUST** guard SDK calls. Calling `transcodes.*` at the module top-level or in server renders will throw a `ReferenceError`.
  - **Rule:** Only call `transcodes.*` inside browser-only paths (`useEffect`, event handlers) OR guard it with `if (typeof window !== 'undefined' && window.transcodes)`.

### 4. Parameter Resolution Rule
- If a required parameter (like `projectId`, `resource`, or `action`) is missing, **STOP AND ASK** the user. Do NOT hallucinate or guess security parameters.
- If Transcodes MCP is available, use it to resolve resources/roles first.

### 5. MCP Runtime Boundary Rule
- **MCP is NOT a customer application backend.** `http://localhost:<port>/mcp`, `/mcp`, `tools/list`, and `tools/call` are MCP client transports for AI tools such as Claude, Cursor, and Codex. They are not browser, Vue, React, Next.js, or app-server integration endpoints.
- **NEVER generate customer app code that calls MCP HTTP endpoints.** Do not put `/mcp`, `tools/list`, `tools/call`, or `http://localhost:<port>/mcp` in browser code, framework code, API routes, server actions, backend controllers, or fetch helpers.
- **NEVER expose `TRANSCODES_TOKEN` to a customer app.** `TRANSCODES_TOKEN` belongs only in the MCP host configuration. Browser apps use the CDN static SDK; app backends use server-only Transcodes API tokens such as `MEMBER_API_TOKEN` when a backend verification call is required.
- For requests such as "build a Vue todo app", "add auth to a React app", or "wire Transcodes into Next.js", generate CDN static SDK integration: resolve the real `projectId`, resolve the CDN base, install `transcodes.d.ts`, add `<script src=".../webworker.js" defer></script>`, and call `transcodes.*` APIs in client-safe code.
- Use MCP only as an AI-tool helper to inspect or manage project state (`get_project`, `get_resources`, `get_roles`, member/RBAC tools). If MCP returns 401 or is unavailable, do not guess values; ask the user to confirm the real project ID, CDN base, resource, role, or Console setting.

---

### [Default Integration Method — CDN STATIC IS THE ONLY DEFAULT]

1. **Always default to CDN static integration.** For Authentication-only, add one native script tag to the HTML `<head>`:

   ```html
   <head>
     <script src="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>
   </head>
   ```

   Do **not** add a manifest link or create `public/sw.js` for Authentication-only.

   If the user explicitly needs installable PWA/Web App Kit, then also add the manifest and one-line service worker:

   ```html
   <link rel="manifest" href="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/manifest.json" />
   ```

   ```javascript
   // public/sw.js — entire file, one line
   importScripts('{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/sw.js');
   ```

2. **The SDK script tag MUST use `defer`.** Do NOT use `type="module"`. Do NOT add `crossorigin` / `crossOrigin`. Do NOT use `async`. Do NOT use Next.js `<Script>` / framework loaders. Plain `<script src="…" defer></script>` only.

3. **CDN static REQUIRES `transcodes.d.ts` for any TypeScript project. Skipping any sub-step here is a compile error.** This is a strict 3-step procedure — execute it as a sequence, do not assume any step is already done:

   **Step 3a — Check if `transcodes.d.ts` exists in the repo** (e.g. `types/transcodes.d.ts`, `src/types/transcodes.d.ts`, or anywhere on the `tsconfig.json` `include` path).
   - **If the file is MISSING → you MUST create it** by fetching from `https://www.transcodes.io/instructions/types` (or download/copy the same file from the Transcodes Console). Do not skip this step because the file "should be there" — verify, then create if absent:
     ```bash
     mkdir -p types
     curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
     ```
   - **If the file EXISTS → still confirm it is up-to-date** by re-running `curl` (or comparing the version comment).

   **Step 3b — TypeScript projects MUST update `tsconfig.json`** so the compiler picks up the file. **Without this edit, every `transcodes.*` (or `window.transcodes.*`) call site will throw a TypeScript compile error** (`Cannot find name 'transcodes'` for the bare form, or `Property 'transcodes' does not exist on type 'Window & typeof globalThis'` for the explicit form). Add the directory containing `transcodes.d.ts` to **both** `include` AND `typeRoots`:
     ```jsonc
     {
       "compilerOptions": {
         "typeRoots": ["./node_modules/@types", "./types"]
       },
       "include": ["src", "types"]
     }
     ```

   **Step 3c — Verify by running `tsc --noEmit`** (or your framework's type-check command). If `window.transcodes` is still untyped, `tsconfig.json` was not edited correctly — go back to Step 3b.

   For non-TypeScript (plain JS) projects you can skip Step 3b/3c, but Step 3a is still recommended so editors can offer autocomplete via JSDoc.

4. **Do NOT call `init()` on the CDN static path.** `webworker.js` bootstraps `window.transcodes` automatically — `projectId` is encoded in the URL.

5. **Do NOT install the npm SDK package.** The npm package is **deprecated for new integrations** until the SDK is reintroduced after stabilization. If the user asks for npm, explain that the supported path is CDN static (`<script defer>` in `<head>` + `transcodes.d.ts`) and proceed with CDN unless they explicitly override after that warning.

6. **All later code in this document — Quick start, Framework setup, Step-up examples — assumes CDN static unless explicitly labelled as npm.**

7. **Modal & SDK call syntax — CDN static is the default; access everything through the `transcodes` global.** `transcodes.d.ts` declares `var transcodes: Window['transcodes']`, so the bare `transcodes.*` form (preferred) and the explicit `window.transcodes.*` form are equivalent at runtime and both type-check.

   **Framework rule (CSR vs SSR):**
   - **Vite / CRA / pure SPA (no SSR)** — use bare `transcodes.*` everywhere. Both forms work; the bare form is shorter.
   - **Next.js (App Router & Pages) / Remix / Astro / SvelteKit (any framework with an SSR or RSC pass)** — bare `transcodes.*` is safe **only inside browser-only code paths** (`useEffect`, `useLayoutEffect`, event handlers, post-mount logic). For module top-level, RSC bodies, server loaders, or `getServerSideProps` / `getStaticProps`, **either form throws `ReferenceError` at runtime** (the type system will not catch this — `.d.ts` declares the global as always-present). Guard with `typeof window !== 'undefined' && window.transcodes` before any module-level access.

   See **Framework-specific access pattern** below for the full per-framework matrix and idiomatic SSR-safe patterns. **Always pick the access form based on the user's framework, not by default.** Reserve `window.transcodes` for the feature-detection guard; use bare `transcodes.*` for the actual calls inside browser-only scopes.

   Do **not** emit bare npm SDK imports for new integrations.

   **Namespace rule**: CDN exposes `transcodes.token.*` and `transcodes.member.*` as the only namespaces; hosted auth redirect APIs + `on`/`off` + `trackUserAction` + `isPwaInstalled` are top-level on `transcodes.*`. The deprecated npm wrapper is not a supported target for new code. The exact mapping:

   | Operation                  | CDN static (DEFAULT)                                                | Deprecated npm wrapper                                                           |
   | -------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
   | Hosted sign-in             | `transcodes.redirectToSignIn()`                                     | Do not generate                                                                  |
   | Sign-in callback           | Handled automatically during SDK bootstrap; then read `transcodes.token.*` | Do not generate                                                             |
   | Hosted member console      | `transcodes.redirectToConsole()`                                    | Do not generate                                                                  |
   | Hosted step-up MFA         | `await transcodes.redirectToStepUp({ resource, action })`           | Do not generate                                                                  |
   | Is authenticated?          | `await transcodes.token.isAuthenticated()`                          | Do not generate                                                                  |
   | Current member             | `await transcodes.token.getCurrentMember()`                         | Do not generate                                                                  |
   | Access token (for fetch)   | `await transcodes.token.getAccessToken()`                           | Do not generate                                                                  |
   | Sign out                   | `await transcodes.token.signOut()`                                  | Do not generate                                                                  |
   | Member lookup              | `await transcodes.member.get({ email })`                            | Do not generate                                                                  |
   | Subscribe to events        | `transcodes.on('TOKEN_EXPIRED', cb)`                                | Do not generate                                                                  |
   | Audit log                  | `await transcodes.trackUserAction({ tag, severity, status })`       | Do not generate                                                                  |
   | PWA install state          | `transcodes.isPwaInstalled()`                                       | Do not generate                                                                  |

   The typed `openAuthLoginModal`, `openAuthConsoleModal`, `openAuthIdpModal`, and `openAuthStepUpModal` compatibility methods are **deprecated for generated integrations** because the Lit/Web Component modal factories are excluded from the host SDK bundle. Do not generate direct `openAuth*` calls unless the current entry explicitly binds the corresponding modal factory.

   **Precedence rule:** This always-on directive overrides later topic sections. If a later section still shows `openAuth*` as the CDN/static default example, treat that example as legacy until its section-specific PR replaces it; do not copy it into final code.

   When generating any client-side example (handler, hook, context, button click, route guard, MFA-protected action…), generate the **left column form only**.

### 6. Troubleshooting Rule
- If you encounter a TypeScript error (`Cannot find name 'transcodes'`) or a `ReferenceError` (`transcodes is not defined`), **IMMEDIATELY consult the Troubleshooting section** at the bottom of this document.

### 7. Code Contract Rule
- **ALWAYS** wrap API invocations in a `try-catch` block.
- **ALWAYS** use `await` for async SDK methods (e.g., `isAuthenticated()`, `getCurrentMember()`, `redirectToStepUp()`).
- **ALWAYS** check `result.success` before reading `result.payload`.
- **ALWAYS** implement `isLoading` states during async calls.
- **For `redirectToStepUp`**, first check outer `ApiResponse.success`, then inspect `result.payload[0]?.decision` and `result.payload[0]?.status` before proceeding.
- **For `getCurrentMember` / `token.getCurrentMember()`**, the return type is `GetCurrentMemberResult` (`{ success, member, error? }`) — not `Member | null`. Branch on `success` before using `member`.
- **Verify step-up session server-side** through `GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}` with header `x-transcodes-token: <MEMBER_API_TOKEN>`.

</critical_rules>

### [Public Auth API Surface — do not invent methods]

Recommended hosted auth redirect APIs:
1. `redirectToSignIn(options?)` — redirect the host page to `auth.transcodes.io` sign-in
2. `handleSignInCallback()` — advanced/manual helper; CDN entry bootstrap already consumes returned sign-in `sid` and persists the SDK session
3. `redirectToConsole(options?)` — redirect to hosted member console
4. `redirectToStepUp({ resource, action, redirectUri?, comment? })` — RBAC gate + auth-host step-up tab + polling
5. `handleStepUpReturnPage()` — bootstrap the auth-host step-up return page

Typed modal compatibility APIs:
1. `openAuthLoginModal({ webhookNotification? })`
2. `openAuthConsoleModal()`
3. `openAuthIdpModal({ resource, action, forceStepUp?, webhookNotification? })`
4. `openAuthStepUpModal({ sid })`

Do not generate direct `openAuth*` calls in current published entry bundles unless you have verified the entry binds the matching modal factory (`createAuthLoginModal`, `createAuthConsoleModal`, `createIdpModal`, or `createStepUpModal`). Prefer the hosted redirect APIs above.

**Admin / org management (members, roles, resources, audit logs)** is **not** a browser modal and **not** a customer app backend — use the **Transcodes MCP server** (`@bigstrider/transcodes-mcp-server`) only from your AI tool’s config, or use the Console.

### [Quick Use Cases]
- `redirectToSignIn(options?)` + automatic callback bootstrap
  - Use when the user needs to sign in, onboard, or restore a session after expiry
- `redirectToConsole(options?)`
  - Use when the current member needs to register, remove, or change authentication methods such as passkey, authenticator, or TOTP
  - Use when the current member needs to update their own profile fields such as name or primary email
- `redirectToStepUp({ resource, action, redirectUri?, comment? })`
  - Use before truly sensitive, risky, or critical actions
  - Use when you must stop AI or automation from executing a dangerous action by itself
  - The action only proceeds after the user re-verifies identity with passkey, authenticator, or TOTP
- `trackUserAction(event, options?)`
  - Use when an action, behavior, or result must be recorded as an audit log
  - Use for compliance logging and for tracking both success and failure of important actions

Example literals in this section and later code blocks are examples only. Final implementations must use values confirmed by the user, codebase, or MCP.

### [Common Session Rule]
- `redirectToSignIn()` creates or restores a member session through hosted sign-in.
- `redirectToConsole()` and `redirectToStepUp()` should be treated as authenticated-only flows.
- `trackUserAction()` redirects to hosted sign-in by default when no session exists (`requireAuth` defaults to **`true`**).
- Pass `trackUserAction(..., { requireAuth: false })` to skip sign-in. Note: when unauthenticated the call then **no-ops** — the event is NOT logged anonymously.

### [Blocking Parameter Rule — ask before coding]
For these APIs, missing required business parameters are a **hard stop**:

- `redirectToStepUp({ resource, action })`
  - **The `resource` key MUST already exist in the project's Console RBAC at the moment the code runs.** Passing a key that is not in `get_resources` fails the request (typically `success: false` / empty payload), not a valid `decision: 'deny'`.
  - **Required resolution order — do not skip steps:**
    1. Call MCP `get_resources` and read the returned key list.
    2. If the desired key exists → use it as-is. Done.
    3. If the desired key is missing → **do not write code that uses it yet.** Pick one:
       - (a) Choose an existing key from step 1 that fits the protected action and confirm with the user, OR
       - (b) Ask the user for explicit approval to create the missing key, then use MCP `create_resource` (and set the role × resource × action cell in the permission matrix via MCP `set_role_permissions`), re-run `get_resources` to confirm it exists, THEN write code.
    4. If MCP is not available, ask the user one blocking question listing the existing keys so they pick one or explicitly create one in the Console. Do not output implementation code yet.
  - **Never** tell the user "create the `<key>` resource in the Console" as the last step of your answer while leaving the code referencing that not-yet-existing key. The client running the code has no way to know the key was never created — they will only see a failed request or `success: false` at runtime.
  - **Never** invent fallback values such as `{ resource: 'users', action: 'delete' }`, `{ resource: 'tool', ... }`, or any guess based on the function name, file name, or imagined Console structure. The only legitimate sources for `resource` are: (i) MCP `get_resources` output, (ii) a key the user explicitly approved and MCP just successfully created via `create_resource`, or (iii) an explicit string the user gave you.
  - `action` must be exactly one of `'create' | 'read' | 'update' | 'delete'`. Any other string is invalid.

Rule for documentation examples:
- Example values in this file are illustrative only.
- Do not copy example literals into final code unless the user, codebase, or MCP confirms them.

<!-- section:critical-directives:end -->

<!-- section:hallucination-guards:start -->
## Common Hallucinations (DO NOT INVENT)

The following APIs or usage patterns are invalid for generated client code. Some do not exist; some are typed compatibility methods that are not wired in current published entry bundles. Verified against backend `entry.static.ts`, `entry.static.pwa.ts`, `entry.dynamic.ts`, and `types.transcodes.ts`.

### Token / session
- `transcodes.token.refresh()` — does not exist. There is no public client refresh API. `transcodes.token.getAccessToken()` only reads a valid token from memory or IndexedDB credential; if it returns `null`, call `redirectToSignIn()` to re-authenticate.
- `transcodes.signOut()` — wrong namespace. Use `transcodes.token.signOut()`.

### Member / user data
- `transcodes.user.*` — wrong namespace. The public namespace is `transcodes.member.*`.
- `transcodes.member.update()` / `.create()` / `.delete()` / `.list()` — **not exposed in the client SDK**. The public `PublicMemberAPI` is read-only — only `member.get(params)` is available. For mutations, use the Transcodes MCP server (`update_member`, `create_member`, `retire_member`, `list_members_paginated`) or the Console.

### Auth flow
- `transcodes.auth.signIn()` / `transcodes.auth.signUp()` — there is no `auth` namespace. Use `redirectToSignIn()` for hosted sign-in; the CDN entry automatically consumes the returned `sid` during bootstrap.
- `transcodes.openAuthAdminModal()` — not exposed. Admin/org management is handled by the Console and the Transcodes MCP server, not a browser modal.

### Typed modal compatibility methods
- `transcodes.openAuthLoginModal(...)`, `transcodes.openAuthConsoleModal(...)`, `transcodes.openAuthIdpModal(...)`, and `transcodes.openAuthStepUpModal(...)` are typed for compatibility but not currently wired as host-callable modals in the published entry bundles. Do not generate direct calls unless the current entry binds the matching modal factory; use `redirectToSignIn(...)`, `redirectToConsole(...)`, or `redirectToStepUp(...)` instead.

### Init / config
- Calling `transcodes.init()` in the **CDN static** path — does nothing. `webworker.js` bootstraps the SDK automatically when the deferred `<script>` runs. `init({ projectId })` belongs only to the deprecated npm legacy path.
- `transcodes.setConfig({ projectId })` or any field other than `memberId` — silently ignored. Only `setConfig({ memberId })` is supported. Project ID is fixed at SDK build time.

### Real public surface (TranscodesBaseAPI)

Anything not in this list does not exist:
- `token` (`getCurrentMember`, `getAccessToken`, `hasToken`, `isAuthenticated`, `signOut`)
- `member` (`get` only — read-only)
- `on`, `off` (event subscription)
- `openAuthLoginModal`, `openAuthConsoleModal`, `openAuthIdpModal`
- `openAuthStepUpModal` (typed compatibility only; do not generate direct host calls in current entry bundles)
- `redirectToSignIn`, `handleSignInCallback`, `redirectToConsole`, `redirectToStepUp`, `handleStepUpReturnPage`
- `trackUserAction`
- `isPwaInstalled`

Static SDK adds: `showMessage`.
Dynamic SDK adds: `init`, `setConfig`, `isInitialized`, `getBuildInfo`.

If you need a method not listed here, it does not exist on the client SDK. Server-side mutations go through the MCP server or the Console.
<!-- section:hallucination-guards:end -->

<!-- section:placeholder-policy:start -->
### [Placeholder Resolution Policy — placeholders are REQUIRED inputs, not final values]
This document contains documentation placeholders such as:
- `RESOLVED_PROJECT_ID`
- `RESOLVED_JWT_ISSUER`
- `RESOLVED_MEMBER_API_TOKEN` — server-only JWT (a.k.a. Member API Token / MAT), issued from the Console; sent as header `x-transcodes-token` when calling Transcodes APIs from your backend. **Distinct from `TRANSCODES_TOKEN`** (the env var used only by the Transcodes MCP server).
- `RESOLVED_TRANSCODES_API_ORIGIN` — REST API host (default `https://api.transcodesapis.com`). Used in `connect-src` and for server-to-Transcodes fetches.
- `RESOLVED_TRANSCODES_AUTH_ORIGIN` — Hosted auth app origin (default `https://auth.transcodes.io`). Used as the browser navigation target for hosted sign-in / console and the auth-tab target for hosted step-up. It is **not** an iframe origin in the current hosted redirect flow.
- `RESOLVED_TRANSCODES_CDN_BASE` — CDN host serving `webworker.js`, `manifest.json`, `sw.js`, PWA icons. Differs per environment (prod / dev / stage). Resolve from the project's env (`NEXT_PUBLIC_TRANSCODES_CDN_BASE` or equivalent), Console, or MCP `get_project` response — **do not guess**. The Transcodes MCP server auto-substitutes this when its `TRANSCODES_CDN_BASE_URL` env is set, so configs that wire it see the resolved URL directly without any further action.

These placeholders mean **the AI must resolve the real value before outputting final code**.

Resolution order:
1. Search the codebase / env / config for the real value
2. If available, use MCP / Console data
3. If still unknown, ask the user once

**Never ship final code with unresolved placeholders.** Placeholders in this document are only markers for values that must be filled before implementation.

**Cluster** (used throughout this doc): a Console feature group (Authentication Cluster = passkey/MFA/RBAC; Web App Cluster = PWA setup). Not a backend module — these are organizational categories in the Transcodes Console only.

<!-- section:placeholder-policy:end -->

<!-- section:index-tags:start -->
## [Index & Tags]
- **Authentication/Login**: `redirectToSignIn`, automatic callback bootstrap (#signin, #signup, #onboarding, #session)
- **Account Management**: `redirectToConsole` (#profile, #settings, #passkey, #self-service)
- **Admin/RBAC / directory**: Transcodes MCP server in the AI tool — `get_roles`, `get_resources`, member tools (#management, #invitation, #directory, #roles); never customer runtime code
- **Security/MFA**: `redirectToStepUp` (#mfa, #step-up, #high-risk, #sensitive)
- **Session/JWT**: `Token API` (#jwt, #bearer, #route-guard, #signout)
- **User Data**: `Member API` (#profile-refresh, #role-verification)
- **Real-time State**: `Events API` (#state-sync, #auto-logout, #monitoring)
- **Compliance**: `trackUserAction` (#audit, #logging, #tracking)
- **MCP Server**: `@bigstrider/transcodes-mcp-server` (#mcp, #ai-integration, #claude, #cursor, #codex)

**MUST — first step:** Before writing or changing any integration code, **you must discover the real Transcodes Project ID** (`projectId`) yourself (search the codebase, env/config, and [Console](https://app.transcodes.io) as appropriate — **do not** paste a laundry list of variable names; infer what this project uses). If you still cannot find it, **ask the user once**, then **insert that id everywhere** it belongs: CDN URLs (`{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/...` or your env's `CDN_BASE`) and the HTML `<script src=".../webworker.js" defer>` tag in `<head>`. **The default CDN static path does not use `init()`** — `webworker.js` bootstraps `window.transcodes` automatically when the deferred script runs. **The placeholders in this document are not shippable values** — they are required inputs that must be resolved before final code output.

Base URL: https://www.transcodes.io
Dashboard: https://app.transcodes.io  
CDN pattern: `{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/webworker.js` (resolve the real project ID before final code output)

Quick split:
- **Web App Kit** = PWA install flow (`manifest.json`, `webworker.js`, `sw.js`)
- **Authentication Kit** = login, step-up MFA, member console, JWT (org admin via MCP, not a modal)

**Prerequisite:** The project must have Authentication configuration saved in the [Transcodes Console](https://app.transcodes.io). Web App/PWA configuration is required only when the user asks for installable PWA/Web App Kit.

<!-- section:index-tags:end -->

---

<!-- section:pwa:start -->
## Section 1 — PWA Setup

Use this section only for installable PWA setup.

## PWA — HTML + service worker (required)

### DO NOT:
- Do NOT create a local `manifest.json` or `manifest.ts` or `metadata.ts` for PWA
- Do NOT download or copy `webworker.js` content into a local file
- Do NOT create a local `manifest.webmanifest` file
- Do NOT generate PWA icon files locally
- Do NOT use `type="module"` on the `webworker.js` `<script>` tag — **use plain `<script src="…" defer></script>`**
- Do NOT add `crossorigin` / `crossOrigin` to the `webworker.js` `<script>` tag
- Do NOT use `async` on the `webworker.js` `<script>` tag — only `defer`
- Do NOT load `webworker.js` with Next.js `<Script>` or any framework loader — use a **native** `<script defer>` in `<head>`
- All PWA assets (`manifest.json`, `webworker.js`, icons) are hosted on Transcodes CDN and must be referenced by URL only

### Required wiring

The PWA install path needs **two tags in the HTML `<head>`** and **one `public/sw.js` file** at the site root. Nothing else. **The npm SDK package is NOT required** — CDN static is the default for both PWA and Auth.

**Use a native `<script defer>` tag** for `webworker.js` — not Next.js `<Script>`, not a framework loader. Same rule for React SPA (Vite/CRA) and Next.js: a real `<script src="…" defer></script>` in `<head>`. **No `type="module"`. No `crossorigin`.**

**CDN host:** `{RESOLVED_TRANSCODES_CDN_BASE}` varies per environment. The MCP server auto-substitutes when `TRANSCODES_CDN_BASE_URL` is set; otherwise resolve from the project's env (`NEXT_PUBLIC_TRANSCODES_CDN_BASE`) / Console — do not hardcode.

**TypeScript (CDN) — MANDATORY (3 strict steps):**
1. **Verify `transcodes.d.ts` exists** in the repo. If it is MISSING, create it now from `https://www.transcodes.io/instructions/types` (do not skip — the file will not appear by itself):
   ```bash
   mkdir -p types && curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
   ```
2. **Edit `tsconfig.json`** — add the directory to **both** `include` and `typeRoots`. **Without this edit, every `transcodes.*` call site is a TypeScript compile error** (`Cannot find name 'transcodes'`).
3. **Run `npx tsc --noEmit`** to confirm no type errors remain.

See **CDN TypeScript setup** for the full procedure and the exact `tsconfig.json` snippet. **Do not** call `init()` on the CDN static path.

#### React (Vite / CRA) / Vue.js

Add to `index.html` `<head>`, then create `public/sw.js`:
```html
<head>
  <link rel="manifest" href="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/manifest.json" />
  <script src="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>
</head>
```

`public/sw.js` (entire file — one line):
```javascript
importScripts('{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/sw.js');
```

#### Next.js App Router

Use a **native `<script defer>` inside `<head>`** — do not use Next.js `next/script` for `webworker.js`. Do NOT create `metadata.ts`, `manifest.ts` files:
```tsx
export default function RootLayout({ children }: { children: React.ReactNode }) {
  const projectId = process.env.NEXT_PUBLIC_TRANSCODES_PROJECT_ID!;
  const cdnBase = process.env.NEXT_PUBLIC_TRANSCODES_CDN_BASE ?? '{RESOLVED_TRANSCODES_CDN_BASE}';
  return (
    <html lang="en" suppressHydrationWarning>
      <head>
        <link rel="manifest" href={`${cdnBase}/${projectId}/manifest.json`} />
        <script src={`${cdnBase}/${projectId}/webworker.js`} defer />
      </head>
      <body>{children}</body>
    </html>
  );
}
```

**Note:** The script tag is the same in HTML and JSX — plain `<script src="…" defer>`. **Never** add `type="module"`, `crossorigin`, or `crossOrigin`. Place the tag inside `<head>` in Next.js, React SPA, and every other framework.

`public/sw.js` (entire file — one line):
```javascript
importScripts('{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/sw.js');
```

#### All frameworks

- `sw.js` must be served at the URL path `/sw.js`. Place it in the static/public folder that your framework maps to the site root.
- Do NOT write service worker logic yourself — the single `importScripts` line is the entire file.
- Alternative: download `sw.js` from [Transcodes Console](https://app.transcodes.io) → PWA Setup → Installation Guide.



### PWA Setup — docs & Console panels

- [Installation Guide](https://www.transcodes.io/docs/web-app-cluster/installation-guide)
- [Configuration](https://www.transcodes.io/docs/web-app-cluster/configuration) — app name, short name, web domain URL, scope, service worker path, display mode, orientation, theme colors, shortcuts (long-press icon)
- [App Icons](https://www.transcodes.io/docs/web-app-cluster/app-icons) — upload base icon; manifest sizes generated automatically

### SDK note

`transcodes.isPwaInstalled()` (sync, CDN static global) reflects install state; **installability** still requires this Section 1 PWA HTML + `sw.js` wiring. In the deprecated npm fallback, import `isPwaInstalled()` only after the user explicitly opts into npm.

<!-- section:pwa:end -->

---

## MCP Server Integration

Connect the Transcodes MCP server to AI tools (Claude, Cursor, Codex) so the AI can inspect and manage your project's members, roles, resources, and audit logs while helping generate integration code.

**Runtime boundary:** the MCP server is not a customer application backend. Do not call `http://localhost:<port>/mcp`, `/mcp`, `tools/list`, or `tools/call` from browser code, Vue/React/Next code, app API routes, or production services. Customer apps integrate Transcodes through the CDN static SDK (`webworker.js` + `transcodes.d.ts`) and, when needed, server-side Transcodes REST calls with server-only API tokens.

## Setup

**Package:** `@bigstrider/transcodes-mcp-server` (runs via `npx`)

**Config JSON** (used by Claude Desktop and Cursor):
```json
{
  "mcpServers": {
    "transcodes": {
      "command": "npx",
      "args": ["-y", "@bigstrider/transcodes-mcp-server"],
      "env": {
        "TRANSCODES_TOKEN": "tc_live_..."
      }
    }
  }
}
```

| Tool | Config file path |
| :--- | :--- |
| Claude Desktop (macOS) | `~/Library/Application Support/Claude/claude_desktop_config.json` |
| Claude Desktop (Windows) | `%APPDATA%\Claude\claude_desktop_config.json` |
| Cursor | `~/.cursor/mcp.json` |
| Codex | `codex mcp add transcodes-mcp --env TRANSCODES_TOKEN=JWT_FORMAT... -- npx -y @bigstrider/transcodes-mcp-server` (or set `TRANSCODES_TOKEN` in the MCP UI) |

**Env:** `TRANSCODES_TOKEN` = Transcodes JWT token (`JWT_FORMAT...`) from the Console. **Project and member context are embedded in the token** — no separate API key / project ID / email variables for MCP. Keep this value only in the MCP host configuration; never put it in customer app code or frontend environment variables. After changing env, restart the MCP host app so the server reloads.

## What the MCP server can do

| Category | Actions |
| :--- | :--- |
| Members | List, create, update, suspend, unsuspend, change role |
| Roles | List, create, update, set per-resource permissions |
| Resources | List, create, update |
| Permissions | Simulate RBAC check (check_rbac_permission) |
| Audit Logs | Query by date range, tag, member |
| Passkeys / TOTP | List devices per member |
| Project | Get project details, membership status |

## Example prompt

After connecting, type a prompt like:

```
Implement login with magic link, passkey, and TOTP,
add step-up authentication for sensitive actions,
track and store user activity logs with details like
timestamp, IP, and user agent, and include a personal
console where users can manage their authentication
methods and review their activity history
```

Docs: [MCP Server Setup](https://www.transcodes.io/docs/mcp-server)

---

## Section 2 — Admin Authentication, Operations & Management

Everything below covers **authentication, tokens, hosted redirects, JWT verification, CSP, and passkey/WebAuthn** — what the Transcodes SDK provides to the customer app, with MCP available only as an AI-tool helper for setup and admin operations. For **PWA** (manifest + `sw.js`), use **Section 1**.

### Integration Option A — HTML / CDN

The Transcodes SDK and AI-assisted setup cover:
- Passkey-first login (Face ID, Touch ID, hardware keys)
- Step-up MFA for sensitive and high-risk actions
- Member management + RBAC through Console/MCP-managed project configuration
- Tamper-proof audit logs
- JWT issuance

## Migration Guide (Moving to Transcodes)

When a client wants to migrate an existing project and user base to Transcodes, follow this strict sequence. Transcodes is a passwordless, passkey-first system with strict RBAC, so legacy credentials cannot be imported.

### Phase 1: Console Setup
1. Go to the [Transcodes Console](https://app.transcodes.io).
2. Create and configure the **Authentication Cluster**. Also configure the **Web App Cluster/PWA settings** only if the migrated app needs installable PWA/Web App Kit.
3. Save all configurations to generate the Project ID.

### Phase 2: MCP Server Configuration
1. In the Console, generate the MCP token (env var name `TRANSCODES_TOKEN`). This is the token used by `@bigstrider/transcodes-mcp-server` — distinct from `MEMBER_API_TOKEN` used by your backend.
2. Configure your AI tool's MCP settings to use `@bigstrider/transcodes-mcp-server` with this token. This grants the tool the necessary permissions to run migration commands after any required step-up verification.

### Phase 3: Data Migration via MCP
Request the client's existing data (e.g., as CSV or JSON files).

**What to request:**
- `resources.csv` (key, name, description)
- `roles.csv` (name, description)
- `permissions.csv` (role_name, resource_key, action, value: 0=deny, 1=allow, 2=allow+step-up)
- `members.csv` (email, name, role, legacy_user_id)

**What NOT to migrate (DO NOT ASK FOR THESE):**
- Plaintext or hashed passwords (Transcodes is passwordless).
- JWTs or legacy session tokens.
- TOTP secrets or existing Passkey/WebAuthn credentials (they are cryptographically bound to the old domain/RP ID).
*Migration UX:* Existing users will log in via Magic Link (Email OTP) on their first visit and register a new Passkey. No passwords needed.

**Import Order (CRITICAL):**
You MUST execute MCP tools in this exact order. Reverse order causes "not found" errors.
1. `create_resource` for each resource.
2. `create_role` for each role.
3. `set_role_permissions` for each role. *(Note: This is a Verified Action requiring Step-up MFA. The admin approves it once on their device, and the resulting `sid` is valid for 10 minutes, allowing you to batch-process the rest).*
4. `create_member` for each user.
   - **Pro Tip:** Always map the client's old database ID to the `metadata` field (e.g., `metadata: { legacy_user_id: "12345" }`). This ensures the client's backend can still link the new Transcodes `member_id` to their existing records.

**Fallback Strategy (Missing or Incomplete Data):**
- **Only emails provided (no RBAC):** Ask for existing roles. If unknown, create a default role (`name: "member"`) and assign it to all users. Advise configuring permissions later in the Console.
- **No files at all (small migration):** Ask the client to paste their user list (emails/names) directly into the chat. Loop through the text using `create_member`.
- **No files at all (large migration):** Ask the client to run a simple SQL query (e.g., `SELECT email, name, role FROM users`) and provide the output as text or CSV.

---

## How It Works & Architecture

Core security model:
1. Device-held keys via WebAuthn / DPoP
2. Access tokens managed in browser memory
3. Credentials bound to your RP ID
4. Server verifies JWTs and step-up sessions

Docs: [How It Works](https://www.transcodes.io/docs/introduction/how-it-works) · [Architecture & Security](https://www.transcodes.io/docs/introduction/architecture)

### System Context: Disney World Authentication & Authorization Scenario

Scenario Overview:
James is a registered Member holding an annual pass to Disney World (Project), which is overseen by the Disney Corporate Office (Organization). Today, he visits the park and needs to authenticate himself to gain access.

1. Identity Verification (Authentication & Attestation)
James heads to the Ticket Booth (Transcodes Gateway) to receive his daily admission pass. To prove his membership status, he presents his Personal ID (Attestation Private Key) to the staff. The system securely verifies his identity by matching the ID against his pre-registered Member Profile (Public Key).

2. Ticket Issuance and Security (Token & AES Encryption)
Upon successful verification, the gateway issues James an Admission Ticket (Token). To ensure that the ticket cannot be intercepted, stolen, or duplicated by a malicious third party, it is secured with specialized Anti-Counterfeit Technology (AES Key).

3. Expiration and Revocation (Token Expiration Time)
If James's ticket reaches the end of its Validity Period (Token Expiration Time), or if his underlying membership is suddenly revoked while he is inside the park, the ticket is immediately invalidated on the spot. Simultaneously, any temporary verification data (Signature, Attestation) held by the park's system is permanently destroyed, and James is required to exit the premises.

Entity Mapping Table (For LLM Grounding):

| Transcodes Concept | Analogy | Description |
| :--- | :--- | :--- |
| Organization | Walt Disney Corporate | The governing entity |
| Project | Disney World | The specific service/environment |
| User | Disney World Facility Manager | System Admin |
| Member | James | The end-user holding an annual pass |
| Attestation Key | Personal ID | Proof of membership |
| Transcodes Gateway | Ticket Booth / Entrance Gate | The authenticator |
| Token | Admission Ticket | The access grant |
| AES Key | Anti-Counterfeit Technology | Encryption to prevent theft/tampering |
| Token Expiration Time | Ticket Validity Period | TTL for the session |

---

## Integration Methods (CDN-first)

**Default to Option A. Do not use Option B for new integrations.**

### Option A — HTML / CDN static (DEFAULT — REQUIRED unless explicitly told otherwise)

This is the **only** path you should generate by default. Add **one `<script defer>` to `<head>`** — Transcodes does not inject anything for you.

- **No `init()` call.** `webworker.js` bootstraps the SDK automatically; `projectId` is encoded in the CDN URL.
- **`<script>` attributes:** `src` + `defer`. **Nothing else.** No `type="module"`, no `crossorigin`, no `async`.
- **TypeScript is MANDATORY for CDN static.** Fetch `https://www.transcodes.io/instructions/types`, save as `transcodes.d.ts`, wire `tsconfig.json` — see **CDN TypeScript setup**. Without it, `window.transcodes` is untyped.

```html
<!-- Authentication only (passkeys + step-up MFA). For PWA, add the <link rel="manifest"> + sw.js per Section 1. -->
<head>
  <script src="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>
</head>
```

After the deferred script runs, all APIs are available via `window.transcodes` (or just `transcodes`).

**Why this is the default:** No bundler config, no `init()` race conditions, no SSR pitfalls, no extra dependency, single source of truth (the CDN URL), instant SDK updates without redeploying your app.

### Option B — npm SDK fallback — DEPRECATED / LEGACY ONLY

**Do not generate this path for new integrations.** The npm package is deprecated until the SDK is reintroduced after stabilization. If the user asks for npm, explain that CDN static is the supported path:

> "The npm SDK fallback is deprecated for new integrations. Use CDN static (`<script defer>` + `transcodes.d.ts`) until the SDK is reintroduced after stabilization."

Do not paste npm install, `init()`, or named-import examples into generated integrations. If the user explicitly opts out of CDN static, treat the npm path as a separate legacy exception: confirm the requirement, verify the currently published package API, and keep the generated code out of the CDN-static examples.

**CDN static (default) vs deprecated npm SDK fallback — naming map:**

The **left column is the only supported target for new integrations**. Do not generate code from the right column.

| Action                 | CDN static (DEFAULT — `transcodes` global)  | npm SDK fallback (DEPRECATED) |
| ---------------------- | ------------------------------------- | ------------------------ |
| Init                   | **Do not call `init()`** — not required | Do not generate |
| Hosted sign-in         | `transcodes.redirectToSignIn()`       | Do not generate |
| Is authenticated?      | `transcodes.token.isAuthenticated()`  | Do not generate |
| Get current member     | `transcodes.token.getCurrentMember()` → `GetCurrentMemberResult` | Do not generate |
| Get access token       | `transcodes.token.getAccessToken()`   | Do not generate |
| Sign out               | `transcodes.token.signOut()`          | Do not generate |
| Lookup member          | `transcodes.member.get({ email })`    | Do not generate |
| Subscribe to events    | `transcodes.on('EVENT', cb)`          | Do not generate |

---

## TranscodesInitOptions (deprecated npm legacy only)

```typescript
interface TranscodesInitOptions {
  projectId: string;      // Required — from Transcodes Console
  customUserId?: string;  // Optional — associate with your own user ID
  debug?: boolean;        // Optional — enable debug logging
}
```

---

## Dynamic SDK utility methods (CDN static)

```typescript
// Check if SDK is already initialized (avoid double-init)
transcodes.isInitialized(): boolean

// Update config at runtime (e.g. set memberId after login)
transcodes.setConfig({ memberId?: string }): void

// Build info for debugging
transcodes.getBuildInfo(): { buildTimestamp: string }
```

```javascript
// CDN path: do NOT call transcodes.init() — webworker.js initializes the SDK from the URL.
// Deprecated npm legacy path: do not generate for new integrations.

// Optional — link your own member ID after login (CDN or npm)
transcodes.setConfig({ memberId: 'your_internal_user_id' });
```

---

<!-- section:auth:start -->
## 1. Core API: Hosted Sign-in Redirect

### Usage
- Showing sign in / sign up through `auth.transcodes.io`
- Restoring session after expiry
- Guarding protected routes

### [Parameters]
`redirectToSignIn(options?)`

| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| projectId | string | N | Defaults to the project id encoded in the CDN script URL. |
| redirectUri | string | N | Host callback URL. Defaults to the current page URL without query/hash. Its origin must be allowed for sign-in. |
| browserUrl | string | N | Full auth-host URL from a pre-created sign-in session. Advanced use only. |

`handleSignInCallback()`

No parameters. Advanced/manual helper only. In the CDN static path, SDK bootstrap already consumes `?sid=...` through the query handler.

### [Agent Instructions: Implementation Logic]
- **Start sign-in**: call `transcodes.redirectToSignIn(options?)`. It creates a `tc_stepup_...` sign-in browser session and navigates to `auth.transcodes.io/?tc_mode=signin&sid=...`.
- **Finish sign-in**: on the host callback page, let the SDK bootstrap run. It automatically consumes `?sid=...`, exchanges it for the SDK JWT, stores the SDK session, and removes `sid` from the URL.
- **Completion Check**: after the deferred SDK script has run, call `await transcodes.token.isAuthenticated()` and `await transcodes.token.getCurrentMember()` to verify the session.
- **Token Extraction**: when needed for your backend, call `await transcodes.token.getAccessToken()` after authentication succeeds.
- **No modal path**: do not generate `openAuthLoginModal` or npm SDK code for new integrations. The Lit modal path and npm SDK fallback are deprecated until reintroduced after stabilization.

### [Implementation]

> **Calling syntax convention** — generate only the CDN static form. Access the SDK through the bare `transcodes` global (equivalent to `window.transcodes`; `transcodes.d.ts` types both). No imports.

#### Start sign-in

**CDN static (DEFAULT):**
```typescript
async function handleLogin() {
  let isLoading = true;
  try {
    transcodes.redirectToSignIn({
      redirectUri: `${window.location.origin}/auth/callback`,
    });
  } catch (err) {
    console.error('Login error:', err);
    isLoading = false;
  }
}
```

#### Host callback page

**CDN static (DEFAULT):**
```typescript
async function handleAuthCallback() {
  let isLoading = true;
  try {
    // The CDN entry already consumed ?sid=... during SDK bootstrap.
    const isAuth = await transcodes.token.isAuthenticated();

    if (!isAuth) {
      window.location.href = '/login?error=signin_failed';
      return;
    }

    const memberResult = await transcodes.token.getCurrentMember();
    if (!memberResult.success || !memberResult.member) {
      window.location.href = '/login?error=member_lookup_failed';
      return;
    }

    // Optional: token for calls to your own backend.
    const token = await transcodes.token.getAccessToken();
    const member = memberResult.member;
    // Update your app state with member data here.
    window.location.href = '/';
  } catch (err) {
    console.error('Sign-in callback failed:', err);
    window.location.href = '/login?error=signin_failed';
  } finally {
    isLoading = false;
  }
}
```

#### Login guard (auth-required route)

**CDN static (DEFAULT):**
```typescript
async function ensureAuthenticated() {
  try {
    const isAuth = await transcodes.token.isAuthenticated();
    if (isAuth) return true;

    transcodes.redirectToSignIn({
      redirectUri: `${window.location.origin}/auth/callback`,
    });
    return false;
  } catch (err) {
    console.error('Auth check failed:', err);
    return false;
  }
}
```

#### Re-auth on session expiry

**CDN static (DEFAULT):**
```typescript
transcodes.on('TOKEN_EXPIRED', async () => {
  try {
    transcodes.redirectToSignIn({
      redirectUri: `${window.location.origin}/auth/callback`,
    });
  } catch (err) {
    console.error('Re-auth failed:', err);
    window.location.href = '/login?reason=session_expired';
  }
});
```

### Server-side JWT Verification

When you create an Authentication Cluster in the Transcodes Console, you can download or copy a `public_key.json` file.
Place this key on your server to verify JWTs. The algorithm is `ES256` (ECDSA P-256).

`public_key.json` format:
```json
{
  "kty": "EC",
  "x": "V5UGkr1FKv3TGd1OO3lC9YDHfizkkpO0bOjQQLBr-wc",
  "y": "fqhfcdO6mgmZwoEuaIeVKCAr-sdEa4Ghyn1-ESvEl1g",
  "crv": "P-256",
  "alg": "ES256",
  "kid": "64aaaf01-65d0-4c22-9dcd-3c1f9b3acb7f"
}
```

**Option A — File-based:**
Save `public_key.json` to your server project and read it at startup.

```typescript
import * as jose from 'jose';
import fs from 'fs';

const jwk = JSON.parse(fs.readFileSync('./public_key.json', 'utf-8'));
const publicKey = await jose.importJWK(jwk, 'ES256');

async function verifyToken(token: string) {
  const { payload } = await jose.jwtVerify(token, publicKey);
  return payload;
}
```

**Option B — Env variable or inline:**
Embed the `public_key.json` contents in an environment variable or directly in code.

```typescript
import * as jose from 'jose';

const jwk = {
  kty: 'EC',
  x: 'V5UGkr1FKv3TGd1OO3lC9YDHfizkkpO0bOjQQLBr-wc',
  y: 'fqhfcdO6mgmZwoEuaIeVKCAr-sdEa4Ghyn1-ESvEl1g',
  crv: 'P-256',
  alg: 'ES256',
  kid: '64aaaf01-65d0-4c22-9dcd-3c1f9b3acb7f',
};
const publicKey = await jose.importJWK(jwk, 'ES256');

async function verifyToken(token: string) {
  const { payload } = await jose.jwtVerify(token, publicKey);
  return payload;
}
```

**Express middleware example:**
```typescript
async function authMiddleware(req, res, next) {
  const token = req.headers.authorization?.replace('Bearer ', '');
  if (!token) return res.status(401).json({ error: 'No token' });
  try {
    req.user = await verifyToken(token);
    next();
  } catch {
    return res.status(401).json({ error: 'Invalid token' });
  }
}

app.use('/api/', authMiddleware);
```

The public key is available for download or copy when creating an Authentication Cluster in the Console.
The JWK values above are samples — replace them with your project's actual key.

<!-- section:auth:end -->

---

<!-- section:console:start -->
## 2. Core API: redirectToConsole (Hosted Member Console)

### Usage
- Opening user settings / profile
- Managing passkeys and backup auth methods
- Letting members self-manage identity data

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| organizationId | string | N | Optional override. By default this is decoded from the stored SDK JWT `oid` claim. |
| projectId | string | N | Optional override. By default this is decoded from the stored SDK JWT `pid` claim. |
| memberId | string | N | Optional override. By default this is decoded from the stored SDK JWT `sub` claim. |
| redirectUri | string | N | Host URL used for hosted console Back/cancel navigation. Defaults to the current page URL without query/hash. |
| comment | string | N | Optional note stored with the temporary console session. |
| browserUrl | string | N | Advanced: full browser URL returned by `POST .../console/session` or `POST .../step-up/session`. If supplied, the SDK redirects to it directly. |

### [Agent Instructions: Implementation Logic]
- **Auth Requirement**: Ensure the user is authenticated (`token.isAuthenticated() === true`) before calling `redirectToConsole()`.
- **If the user is not authenticated, call `redirectToSignIn()` and return.** Do not generate `openAuthLoginModal()` or `openAuthConsoleModal()` fallback code.
- `redirectToConsole(options?)` creates a temporary console browser session through `/auth/temp-session/console/session`, then performs a full-page redirect to the hosted auth app with `tc_mode=console`.
- `redirectToConsole()` requires an existing SDK session on the host origin. It reads the stored SDK access token, decodes `oid` / `pid` / `sub`, and uses those values unless options override them.
- This is not a modal. Do not wait for a "modal closed" result. Refresh app state only when the user navigates back or returns to the host route.

### [Implementation]

> **CDN static is the default and only supported generated form.** Do not generate npm SDK imports for this flow.

**CDN static (DEFAULT):**
```typescript
async function openSettings() {
  let isLoading = true;
  try {
    // auth guard
    const isAuth = await transcodes.token.isAuthenticated();
    if (!isAuth) {
      transcodes.redirectToSignIn({
        redirectUri: `${window.location.origin}/auth/callback`,
      });
      return;
    }

    transcodes.redirectToConsole({
      redirectUri: `${window.location.origin}/settings`,
    });
  } catch (err) {
    console.error('Console redirect error:', err);
    isLoading = false;
  }
}
```

**When the user returns to the host page:**
```typescript
async function refreshMemberAfterConsole() {
  let isLoading = true;
  try {
    const current = await transcodes.token.getCurrentMember();
    if (!current.success || !current.member?.email) {
      return;
    }

    const fresh = await transcodes.member.get({ email: current.member.email });
    if (!fresh.success) {
      return;
    }

    // Update your app state with fresh.payload[0]
  } catch (err) {
    console.error('Member refresh after console failed:', err);
  } finally {
    isLoading = false;
  }
}
```

**Advanced: server-created browser URL**
```typescript
function continueConsoleFromServer(browserUrl: string) {
  transcodes.redirectToConsole({ browserUrl });
}
```

<!-- section:console:end -->

<!-- section:step-up:start -->
## 3. Core API: redirectToStepUp (Hosted Step-up MFA)

### Usage
- Protecting sensitive operations
- Requiring MFA before action
- Enforcing RBAC + step-up on privileged flows

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| resource | string | Y | Existing Console resource key only |
| action | 'create'\|'read'\|'update'\|'delete' | Y | 'create'\|'read'\|'update'\|'delete' |
| redirectUri | string | N | Host callback URL for the auth tab. Defaults to `${origin}/auth/stepup-callback`; use this path for automatic return-page handling. |
| comment | string | N | Optional note stored with the temporary step-up session and webhook notification. |

### [What are `role` and `resource`?]

#### RBAC meaning
- `resource` = Console RBAC resource key. Some Console setup paths create a `'system'` resource for platform-level permissions, but generated code must still verify the key with `get_resources` before using it. Custom keys must be created and verified through MCP/Console first.
- `action` = `create | read | update | delete`
- `role` = current member role resolved by the backend from the SDK access token
- `redirectToStepUp` sends only `resource` + `action`; `member_id` and `project_id` are extracted from the verified SDK JWT on the backend
- Permission levels:
  - `0` = deny
  - `1` = allow
  - `2` = allow + step-up required

#### RBAC example
```
Console RBAC setup:
  Role: admin
  Resource: system
    create → permission: 2  (allow + step-up required)
    read   → permission: 1  (allow, no step-up)
    update → permission: 1
    delete → permission: 2  (allow + step-up required)
```

Result:
- `admin × system × create = 2` → step-up required
- `admin × system × read = 1` → allowed without step-up
- On verified step-up, the client sends `sid` to its backend, and the backend verifies it before executing the sensitive action

**IMPORTANT:** `resource` must match a resource key created in the Console. Do not assume `system`, `users`, `billing`, or `reports` exists unless MCP `get_resources` confirms it for the current project. Passing an unknown resource key fails the request (typically `success: false` / empty payload from the SDK), not a valid `decision: 'deny'`. `forceStepUp` is not part of the hosted redirect API; use Console RBAC permission level `2` to require MFA.

### [Hosted step-up flow]
1. The host calls `await transcodes.redirectToStepUp({ resource, action, redirectUri?, comment? })` from a user gesture.
2. The SDK opens a placeholder tab synchronously, then calls `/auth/temp-session/step-up/redirect-session` with the SDK access token.
3. Backend RBAC returns one of:
   - `decision: 'deny'` — permission `0`, no redirect
   - `decision: 'allow'` — permission `1`, no redirect
   - `decision: 'stepup'` — permission `2`, pending `tc_stepup_...` sid and auth-host URL
   - unknown resource — request failure, not a `decision` result
4. For `stepup`, the auth tab navigates to `auth.transcodes.io/?tc_mode=stepup&sid=...`. The host polls the sid context until it becomes `verified` or `rejected`.
5. Step-up sessions use the `tc_stepup_` prefix, Redis TTL is 600 seconds, and status is `pending` / `verified` / `rejected`.
6. On `/auth/stepup-callback?sid=...`, the SDK bootstrap automatically runs the return-page handler and closes the auth tab after verification. Ensure the CDN SDK is loaded on that route; custom callback paths require custom handling.

### [Agent Instructions: Implementation Logic]
- **Mandatory Question**: Before generating code, STOP and ask: *"What is the `resource` key (defined in your Console RBAC) and what `action` are you protecting?"*
- **Auth Requirement**: Ensure the user is authenticated with an earlier route guard or app auth state before enabling the action. If `redirectToStepUp()` returns an auth failure, call `redirectToSignIn()` and return.
- **User Gesture Requirement**: Call `redirectToStepUp()` directly from a click/submit handler and do not await another SDK call before it. It opens a new tab before awaits to avoid popup blockers.
- **Success Check**: Check outer `result.success` before reading `result.payload[0]`. Then branch on `payload[0].decision`.
- **Decision Gate**: `deny` means stop; `allow` means no MFA sid is needed; `stepup` means proceed only when `payload[0].status === 'verified'` and `payload[0].sid` exists.
- **Backend Verification**: A verified `sid` must be sent to the user's own backend, which then calls the Transcodes API (`https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}`) with header `x-transcodes-token: <MEMBER_API_TOKEN>` (no separate API key; do not use `x-api-key`). Client-side `sid` alone is NOT sufficient.
- **MAT verification result**: Only `verified` sessions return 200. `pending` / `rejected` return 403, expired sessions return 404. Verify `resource` and `action` on your backend before executing the operation.
- **Caller binding**: The backend must bind the verified sid to the caller's SDK JWT. Match `project_id`, `member_id`, `resource`, `action`, and `status` before executing the sensitive action.
- **Step-up-required routes**: If the protected route is configured to require MFA, missing `stepUpSid` must return 403. If your backend also supports permission `1` allow paths, re-check RBAC server-side before deciding that sid is optional.
- **Audit Trail**: After a successful step-up operation, you SHOULD log the action with `trackUserAction` for compliance.
- **MCP First — and the resource MUST exist before code is shipped**: Always call MCP `get_resources` first.
  - If the key is in the returned list → use it.
  - If the key is missing → either (a) pick an existing key with the user's confirmation, or (b) ask the user for explicit approval to create it via MCP `create_resource` + `set_role_permissions`, then re-verify with `get_resources` BEFORE writing the `redirectToStepUp({ resource })` line. Telling the user "go to the Console and create `<key>`" is **not** an acceptable substitute for this — that loop has to close before the code is delivered, otherwise the client will hit a request failure at runtime.
- **Blocking Rule**: If `resource` or `action` is still unknown after the steps above, output only the clarifying question and stop. Do not generate placeholder code, pseudo-code, or guessed defaults (e.g. `'tool'`, `'users'`, `'admin'` invented from context).

### [Implementation]

This is the canonical hosted step-up MFA pattern. Every step is mandatory.

> **CDN static is the default and only supported generated form.** Do not generate npm SDK, `openAuthIdpModal`, or `openAuthStepUpModal` calls for new host integrations.

**Client-side (browser) — CDN static (DEFAULT):**
```typescript
async function protectedSystemAction(recordId: string) {
  let isLoading = true;
  const resource = 'system'; // example only; use a key confirmed by get_resources
  const action = 'delete';   // route-owned protected operation

  try {
    // STEP 1: RBAC gate + hosted step-up when permission level is 2
    // This should be the first SDK call in the user click handler.
    const gate = await transcodes.redirectToStepUp({
      resource,
      action,
      redirectUri: `${window.location.origin}/auth/stepup-callback`,
      comment: `Delete system record ${recordId}`,
    });

    if (!gate.success || !gate.payload[0]) {
      if (gate.error === 'Authentication failed') {
        transcodes.redirectToSignIn({
          redirectUri: `${window.location.origin}/auth/callback`,
        });
        return;
      }

      await transcodes.trackUserAction({
        tag: 'system:delete',
        severity: 'high',
        status: false,
        error: gate.error || 'Step-up failed',
        metadata: { recordId, resource, action },
      });
      return;
    }

    const decision = gate.payload[0];
    if (decision.decision === 'deny') {
      await transcodes.trackUserAction({
        tag: 'system:delete',
        severity: 'high',
        status: false,
        error: 'RBAC denied',
        metadata: { recordId, resource, action },
      });
      return;
    }

    if (decision.decision === 'allow') {
      await transcodes.trackUserAction({
        tag: 'system:delete',
        severity: 'high',
        status: false,
        error: 'Step-up was not required by RBAC; expected permission level 2',
        metadata: { recordId, resource, action },
      });
      return;
    }

    let stepUpSid: string | undefined;
    if (decision.decision === 'stepup') {
      if (decision.status !== 'verified' || !decision.sid) {
        await transcodes.trackUserAction({
          tag: 'system:delete',
          severity: 'high',
          status: false,
          error: 'Step-up was not verified',
          metadata: { recordId, resource, action },
        });
        return;
      }
      stepUpSid = decision.sid;
    }

    // STEP 2: Send SDK JWT + verified sid to YOUR backend
    const token = await transcodes.token.getAccessToken();
    if (!token) throw new Error('Missing SDK access token');

    const response = await fetch(`/api/system-records/${recordId}`, {
      method: 'DELETE',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ stepUpSid }),
    });

    if (!response.ok) throw new Error('Sensitive action failed');

    // STEP 3: Audit log on success
    await transcodes.trackUserAction({
      tag: 'system:delete',
      severity: 'high',
      status: true,
      metadata: { recordId, resource, action },
    });
  } catch (err) {
    // STEP 4: Error handling + audit log on failure
    console.error('Step-up action failed:', err);
    await transcodes.trackUserAction({
      tag: 'system:delete',
      severity: 'high',
      status: false,
      error: (err as Error).message,
      metadata: { recordId, resource, action },
    });
  } finally {
    isLoading = false;
  }
}
```

**Server-side (your backend) — verify the step-up sid against Transcodes API:**

The Member API Token below (`MEMBER_API_TOKEN`) is a JWT issued from the Transcodes Console for **server-to-Transcodes** calls — a different value from `TRANSCODES_TOKEN` used for the MCP server. Store it as a secret on the backend (env var name `TRANSCODES_MEMBER_API_TOKEN`).

```typescript
// Backend verification example (Next.js Route Handler shape)
import * as jose from 'jose';
import { NextResponse } from 'next/server';

const MEMBER_API_TOKEN = process.env.TRANSCODES_MEMBER_API_TOKEN!; // server-only secret JWT
const SDK_PUBLIC_JWK = JSON.parse(process.env.TRANSCODES_PUBLIC_JWK!);
const SDK_PUBLIC_KEY = await jose.importJWK(SDK_PUBLIC_JWK, 'ES256');
const EXPECTED_RESOURCE = 'system'; // route-owned value confirmed in MCP/Console
const EXPECTED_ACTION = 'delete';

interface VerifiedCaller {
  projectId: string;
  memberId: string;
}

async function verifyCallerJwt(req: Request): Promise<VerifiedCaller> {
  const token = req.headers.get('authorization')?.replace(/^Bearer\s+/i, '');
  if (!token) throw new Error('Missing Authorization bearer token');

  const { payload } = await jose.jwtVerify(token, SDK_PUBLIC_KEY);
  const projectId = String(payload.pid || '');
  const memberId = String(payload.sub || '');
  if (!projectId || !memberId) {
    throw new Error('Invalid SDK JWT identity claims');
  }

  return { projectId, memberId };
}

async function verifyStepUpSid(stepUpSid: string, expected: {
  projectId: string;
  memberId: string;
  resource: string;
  action: string;
}) {
  const response = await fetch(
    `https://api.transcodesapis.com/v1/auth/temp-session/step-up/${stepUpSid}`,
    {
      headers: {
        'x-transcodes-token': MEMBER_API_TOKEN,
      },
    },
  );

  if (!response.ok) {
    throw new Error(`Step-up verification failed: ${response.status}`);
  }

  const data = await response.json();
  const session = data.payload?.[0];
  if (
    session?.status !== 'verified' ||
    session.project_id !== expected.projectId ||
    session.member_id !== expected.memberId ||
    session.resource !== expected.resource ||
    session.action !== expected.action
  ) {
    throw new Error('Step-up session does not match the requested action');
  }
}

export async function POST(req: Request) {
  const { stepUpSid } = await req.json();
  const caller = await verifyCallerJwt(req);

  // This route requires permission level 2 (allow + step-up).
  if (!stepUpSid) {
    return NextResponse.json(
      { error: 'Step-up verification required' },
      { status: 403 },
    );
  }

  await verifyStepUpSid(stepUpSid, {
    projectId: caller.projectId,
    memberId: caller.memberId,
    resource: EXPECTED_RESOURCE,
    action: EXPECTED_ACTION,
  });

  // ...proceed only after normal authorization and step-up verification
  return NextResponse.json({ ok: true });
}
```

Example verified response (logged):
```json
{
  "logId": "01KPP893GSV54TKVST53MV7BB1",
  "success": true,
  "statusCode": 200,
  "payload": [
    {
      "project_id": "ca3da7ff8dd4391d8d80ad01",
      "member_id": "ca3db8488dd4391d8d80ad04",
      "action": "delete",
      "role": "admin",
      "resource": "system",
      "status": "verified"
    }
  ],
  "error": null
}
```

```
Step-up verification endpoint:
  URL:    https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sessionId}
  Method: GET
  Header: x-transcodes-token: <MEMBER_API_TOKEN>
  Response: 200 = verified session (payload contains project_id, member_id, action, role, resource, status)
            403 = pending / rejected
            404 = expired / not found
```

```typescript
// Canonical step-up call shape — CDN static (DEFAULT)
const result = await transcodes.redirectToStepUp({
  resource: resolvedResource,
  action: resolvedAction,
  redirectUri: `${window.location.origin}/auth/stepup-callback`,
});
```

Full `StepUpRedirectResult` type reference:
```typescript
type StepUpDecision = 'deny' | 'allow' | 'stepup';
type StepUpStatus = 'verified' | 'rejected';

interface StepUpRedirectResult {
  decision: StepUpDecision;
  resource: string;
  action: string;
  sid?: string;       // present when decision === 'stepup'
  url?: string;       // auth-host URL, internal to SDK flow
  expiresAt?: string; // session expiry timestamp when provided
  status?: StepUpStatus; // set after polling completes for decision === 'stepup'
}
// Returned as ApiResponse<StepUpRedirectResult[]>
// Runtime gate: check outer ApiResponse.success first, then inspect result.payload[0]?.decision/status
```

// Permission matrix (set per role × resource × action in Console):
//   0 = deny   1 = allow (no step-up)   2 = allow + step-up required
// redirectToStepUp lets the backend read the current member's role and check this matrix.

<!-- section:step-up:end -->

---

<!-- section:token:start -->
## 4. Core API: Token API (Session Management)

### Usage
- Sending JWT to your backend
- Guarding protected routes
- Reading current member profile using JWT identity
- Signing out

### [Methods]
| Method | Returns | Note |
| :--- | :--- | :--- |
| `getCurrentMember()` | `Promise<GetCurrentMemberResult>` | Fetches the latest current member profile from the server using JWT `sub` + `pid`. On failure `member` is null and `error` is a `GetCurrentMemberFailureReason`. |
| `getAccessToken()` | `Promise<string \| null>` | Returns a valid JWT from memory or IndexedDB credential. Does not issue or refresh tokens; returns null when missing or expired. |
| `hasToken()` | `boolean` | Sync check if a valid token exists in memory. |
| `isAuthenticated()` | `Promise<boolean>` | Async validity check across memory and IndexedDB credential. Does not issue or refresh tokens. |
| `signOut(options?)` | `Promise<void>` | Clears session. `options.webhookNotification?: boolean` |

### [Agent Instructions: Implementation Logic]
- **getCurrentMember**: Always read `const r = await getCurrentMember()` then branch on `r.success` before using `r.member`. Do not treat the return value as `Member | null`.
- **Header Injection**: When making fetch calls to a backend, use `await getAccessToken()` to read the current stored token. If it returns `null`, redirect to sign-in; do not generate a fake refresh flow.
- **isAuthenticated vs hasToken**: Use `hasToken()` for fast UI rendering decisions. Use `isAuthenticated()` for security-critical decisions (it verifies token validity, not just existence).
- **NEVER use `isAuthenticated()` without `await`** — it returns a Promise, which is always truthy. This is the #1 most common bug.
- **Revocation**: If `getCurrentMember()` returns `{ success: false, error: 'revoked' }`, the SDK has already cleared the local session and emitted `MEMBER_REVOKED`.

### [Implementation]

> **CDN static is the default and only supported generated form.** Token API lives on `transcodes.token.*`. Do not generate npm SDK imports.

**Authorized Fetch Wrapper — use this for ALL backend API calls.**

```typescript
async function authorizedFetch(url: string, options: RequestInit = {}) {
  const token = await transcodes.token.getAccessToken();
  if (!token) {
    transcodes.redirectToSignIn({
      redirectUri: `${window.location.origin}/auth/callback`,
    });
    throw new Error('Not authenticated');
  }
  return fetch(url, {
    ...options,
    headers: { ...options.headers, Authorization: `Bearer ${token}` },
  });
}
```

**Route Guard — use `isAuthenticated()` (async) for security decisions.**

```typescript
async function requireAuthRoute() {
  try {
    const isAuth = await transcodes.token.isAuthenticated();
    if (!isAuth) {
      transcodes.redirectToSignIn({
        redirectUri: `${window.location.origin}/auth/callback`,
      });
      return false;
    }
    return true;
  } catch (err) {
    console.error('Auth route guard failed:', err);
    return false;
  }
}
```

**UI Rendering — use `hasToken()` (sync) for non-security UI toggle.**

```typescript
if (transcodes.token.hasToken()) {
  showDashboard();
} else {
  showLandingPage();
}
```

**Sign Out.**

```typescript
try {
  await transcodes.token.signOut();
  window.location.href = '/';
} catch (err) {
  console.error('Sign out failed:', err);
}
```

**Get Current User.**

```typescript
async function loadCurrentMember() {
  try {
    const r = await transcodes.token.getCurrentMember();
    if (r.success && r.member) {
      const { member } = r;
      console.log(`${member.name} (${member.email}) - role: ${member.role}`);
      return member;
    }
    if (r.error === 'revoked') {
      window.location.href = '/login?reason=member_revoked';
      return null;
    }
    return null;
  } catch (err) {
    console.error('Current member lookup failed:', err);
    return null;
  }
}
```

<!-- section:token:end -->

---

<!-- section:member:start -->
## 5. Core API: Member API (User Data)

### Usage
- Refreshing profile after console changes
- Re-checking the latest role from the API
- Looking up a member by email or ID

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| projectId | string | N | Optional if inferred. |
| memberId | string | N | Specific member ID to fetch. |
| email | string | N | Specific email to fetch. |
| fields | string | N | Comma-separated field names to return. |

### [Implementation]

> **CDN static is the default and only supported generated form.** Member API lives on `transcodes.member.*` (CDN namespace: `member.get`). Do not generate npm SDK imports.

**Member lookup by email.**

```typescript
async function lookupMember(email: string) {
  try {
    const res = await transcodes.member.get({ email });

    // check success AND payload length
    if (!res.success || !res.payload?.length) {
      console.log('Member not found or request failed');
      return null;
    }

    return res.payload[0]; // { id, email, role, name, ... }
  } catch (err) {
    console.error('Member lookup failed:', err);
    return null;
  }
}
```

**Get fresh role after a change** — for the current signed-in member, `token.getCurrentMember()` already fetches the latest server profile using JWT identity claims. Use `member.get()` when you need to look up another member by email or ID.

```typescript
async function loadCurrentRole() {
  try {
    const current = await transcodes.token.getCurrentMember();
    if (current.success && current.member) {
      return current.member.role;
    }
    return null;
  } catch (err) {
    console.error('Current role lookup failed:', err);
    return null;
  }
}
```

<!-- section:member:end -->

---

<!-- section:events:start -->
## 6. Core API: Events API (Real-time State)

### Usage
- Syncing auth state into app state
- Handling token expiry
- Monitoring SDK errors

### [Events]
| Event | Payload | Note |
| :--- | :--- | :--- |
| `AUTH_STATE_CHANGED` | `{ isAuthenticated, accessToken, expiresAt, member }` | Fired on login, logout, restore. |
| `TOKEN_REFRESHED` | `{ accessToken, expiresAt }` | Fired when the SDK sets or loads a valid JWT into memory. |
| `TOKEN_EXPIRED` | `{ expiredAt }` | Fired when the SDK observes the active JWT has expired. |
| `ERROR` | `{ code, message, context? }` | Fired on background errors. |
| `MEMBER_REVOKED` | `{ message, reason: 'member_revoked' }` | Fired when the server reports the current member has been suspended/revoked by an admin. The SDK has already cleared the local session by the time this fires. UIs should redirect to the sign-in screen or show a "your account is suspended" notice. |

### [Implementation]

> **CDN static is the default and only supported generated form.** Events API lives on `transcodes.on(...)` / `transcodes.off(...)`. Do not generate npm SDK imports.

**Always store and call the unsubscribe function on cleanup.** Failing to unsubscribe causes memory leaks and duplicate event handlers.

**Subscribe with proper cleanup (React example).**

```typescript
useEffect(() => {
  const unsub = transcodes.on('AUTH_STATE_CHANGED', (payload) => {
    if (payload.isAuthenticated) {
      setUser(payload.member);
    } else {
      setUser(null);
    }
  });

  // unsubscribe on unmount
  return () => unsub();
}, []);
```

**Auto-re-auth on token expiry with error handling.**

```typescript
const unsub = transcodes.on('TOKEN_EXPIRED', () => {
  try {
    transcodes.redirectToSignIn({
      redirectUri: `${window.location.origin}/auth/callback`,
    });
  } catch (err) {
    console.error('Re-auth failed:', err);
    window.location.href = '/login?reason=session_expired';
  }
});
```

**Error monitoring — send to your observability service.**

```typescript
const unsub = transcodes.on('ERROR', ({ code, message, context }) => {
  console.error(`Transcodes Error [${code}]: ${message}`, context);
  // e.g. Sentry.captureException(new Error(message));
});
```

**Member suspension / revocation — kick the user back to sign-in.**

Subscribe to `MEMBER_REVOKED` so an admin-side suspension immediately reflects in the UI. By the time this fires the SDK has **already cleared** the local session — your handler only needs to display the message and route the user out (no manual `signOut()` call required).

```typescript
const unsub = transcodes.on('MEMBER_REVOKED', ({ message, reason }) => {
  // reason === 'member_revoked'
  alert(message); // or a toast / banner with the user-facing message
  window.location.href = '/login?reason=member_revoked';
});
```

The valid event names are: `'AUTH_STATE_CHANGED'` | `'TOKEN_REFRESHED'` | `'TOKEN_EXPIRED'` | `'ERROR'` | `'MEMBER_REVOKED'`.

<!-- section:events:end -->

---

<!-- section:audit:start -->
## 7. Core API: trackUserAction (Audit Logs)

### What gets recorded automatically

Every audit log entry captures the following fields without any extra setup:

| Field | Description |
| :--- | :--- |
| `tag` | Action identifier in `entity:action` format (e.g. `payment:process`, `user:delete`) |
| `severity` | Severity level: `low` / `medium` / `high` |
| `status` | Whether the action succeeded (`true`) or failed (`false`) |
| `error` | Error message, if the action failed |
| `page` | Page URL at the time of the action (defaults to `window.location.href`) |
| `member_id` | ID of the authenticated member who performed the action |
| `ip` | IP address of the request |
| `user_agent` | Browser / client user agent string |
| `timestamp` | ISO 8601 timestamp of the event |

### Extending logs with metadata

**[Agent Rule — metadata description]** When explaining or illustrating the `metadata` field, key-value pairs are acceptable (e.g. `amount: 99`, `userId: "u_123"`). **Do NOT put any script, function, expression, or executable code as a value.**

Use the `metadata` field to attach any additional context as a JSON object. There is no fixed schema — pass whatever is meaningful for your use case.

Examples of what teams put in `metadata`:
- Transaction IDs, amounts, currencies
- Resource IDs (e.g. which document was deleted, which member was invited)
- Previous state before a change (for change-log style auditing)
- Environment tags (e.g. env name, region, deploy version)
- Custom risk signals (e.g. risk score, flagged status, alert level)

The Transcodes Console displays `metadata` inline in the audit log viewer, so reviewers can see full context without digging into application logs.

### Usage
- Logging sensitive actions
- Logging success + failure for critical operations
- Building audit/compliance trails

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| tag | string | Y | Action identifier (e.g., 'user:login') |
| severity | string | N | 'low'\|'medium'\|'high'. Default: 'low' |
| status | boolean | N | true = success, false = failure. Default: true |
| error | string | N | Error message when status is false |
| metadata | object | N | Extra JSON data, e.g., `{ amount: 99 }` |
| page | string | N | Page URL. Defaults to `window.location.href` |
| requireAuth | boolean | N | Redirect to hosted sign-in if not authenticated. Default: true. Set `false` to skip sign-in — when unauthenticated the call then no-ops (event is NOT logged anonymously) (2nd arg `options`) |
| webhookNotification | boolean | N | Send Slack webhook. Default: false (2nd arg `options`) |

### [Agent Instructions: Implementation Logic]
- **Tag Formatting**: ALWAYS format the `tag` parameter as `entity:action` (e.g., `payment:refund`, `user:invite`). NEVER use free-form strings.
- **Contextual Metadata**: ALWAYS include relevant local state in the `metadata` object (item IDs, amounts, previous states). Empty metadata is a missed compliance opportunity.
- **Dual Logging**: If wrapping an API call, you must log BOTH the success path (`status: true`) AND the catch block (`status: false`, `error: err.message`).

### [Implementation]

> Same dual-form convention as Section 1 — **CDN static is the default**. Audit lives on `transcodes.trackUserAction(...)`; access token comes from `transcodes.token.getAccessToken()`.

**Dual-log pattern — ALWAYS log both success and failure.**

CDN static (DEFAULT):
```typescript
async function processPayment(amount: number, currency: string) {
  let isLoading = true;
  try {
    await fetch('/api/payments', {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${await transcodes.token.getAccessToken()}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ amount, currency }),
    });

    // log success
    await transcodes.trackUserAction({
      tag: 'payment:process',         // entity:action format
      severity: 'high',
      status: true,                   // success
      metadata: { amount, currency }, // MUST include context
    }, { webhookNotification: true });
  } catch (err) {
    // MANDATORY: log failure — never skip this
    await transcodes.trackUserAction({
      tag: 'payment:process',         // same tag as success
      severity: 'high',
      status: false,                  // failure
      error: (err as Error).message,
      metadata: { amount, currency },
    }, { webhookNotification: true });
  } finally {
    isLoading = false;
  }
}
```

No npm fallback audit snippet is provided because the npm SDK fallback is deprecated for generated integrations. Use the CDN static `transcodes.trackUserAction(...)` example above unless the user explicitly confirms a legacy npm requirement.

Use `entity:action` tags such as `payment:process`, `user:delete`, `member:role-change`. Always log both success and failure paths for sensitive operations.

<!-- section:audit:end -->

---

<!-- section:types:start -->
## Type Definitions

```typescript
// --- Core Types ---

interface Member {
  id?: string;
  projectId?: string;
  name?: string;
  email?: string;
  role?: string;
  metadata?: Record<string, string | number | boolean | null | undefined>;
  createdAt?: Date | string;
  updatedAt?: Date | string;
}

interface AuthResult {
  token: string;   // JWT access token
  member: Member;
}

interface ApiResponse<T> {
  success: boolean;
  payload: T;
  error?: string;
  message?: string;
  status?: number;
}

// --- Init ---

interface TranscodesInitOptions {
  projectId: string;       // Required — from Transcodes Console
  customUserId?: string;   // Optional — associate with your own user ID
  debug?: boolean;         // Optional — enable debug logging
}

interface TranscodesBuildInfo {
  buildTimestamp: string;   // ISO timestamp when SDK bundle was built
}

// --- Hosted Redirect APIs (recommended) ---

interface RedirectToSignInOptions {
  projectId?: string;
  redirectUri?: string;
  /** Full URL returned by the backend sign-in session endpoint. */
  browserUrl?: string;
}

interface RedirectToConsoleOptions {
  organizationId?: string;
  projectId?: string;
  memberId?: string;
  redirectUri?: string;
  comment?: string;
  /** Full URL returned by the backend console session endpoint. */
  browserUrl?: string;
}

interface RedirectToStepUpOptions {
  resource: string;
  action: 'create' | 'read' | 'update' | 'delete';
  /** Registered redirect origin; defaults to the current page origin. */
  redirectUri?: string;
  comment?: string;
}

type StepUpDecision = 'deny' | 'allow' | 'stepup';
type StepUpStatus = 'verified' | 'rejected';

interface StepUpRedirectResult {
  decision: StepUpDecision;
  resource: string;
  action: string;
  sid?: string;
  url?: string;
  expiresAt?: string;
  /** Present when decision === 'stepup' and polling completed. */
  status?: StepUpStatus;
}

// redirectToSignIn(options?)      → void
// handleSignInCallback()         → Promise<ApiResponse<AuthResult[]>>
// redirectToConsole(options?)    → void
// redirectToStepUp(options)      → Promise<ApiResponse<StepUpRedirectResult[]>>
// handleStepUpReturnPage()       → void

// --- Legacy modal compatibility types ---
// Do not use these for new generated integrations unless the user explicitly
// asks to maintain an existing legacy modal integration.

interface IdpOpenParams {
  resource: string;                              // Resource key from Console RBAC
  action: 'create' | 'read' | 'update' | 'delete';
  forceStepUp?: boolean;                         // Force step-up regardless of permission level
  webhookNotification?: boolean;                 // Send Slack webhook on result
}

interface IdpAuthResponse {
  success: boolean;   // step-up result inside the payload item
  sid?: string;       // Step-up session ID (present on success)
  error?: string;     // Error message (present on failure)
  timestamp: number;  // Unix timestamp (ms)
  action?: string;    // The requested action
}

// --- Legacy Modal Return Types ---
// openAuthLoginModal(params)  → Promise<ApiResponse<AuthResult[]>>
// openAuthConsoleModal(params?) → Promise<ApiResponse<null>>
// openAuthIdpModal(params)    → Promise<ApiResponse<IdpAuthResponse[]>>

// --- Token API ---

// Matches public/transcodes.d.ts for the CDN static window API.
export enum GetCurrentMemberFailureReason {
  // If member is not authenticated, the error is 'unauthenticated'
  UNAUTHENTICATED = 'unauthenticated',
  // If member is not found, the error is 'not_found'
  NOT_FOUND = 'not_found',
  // If member is revoked, the error is 'revoked'
  REVOKED = 'revoked',
  // If member is transient network error, the error is 'transient'
  TRANSIENT = 'transient',
  // If member is other error, the error is 'error'
  ERROR = 'error',
}

export interface GetCurrentMemberResult {
  success: boolean;
  member: Member | null;
  error?: GetCurrentMemberFailureReason;
}

interface TokenAPI {
  getCurrentMember(): Promise<GetCurrentMemberResult>;
  getAccessToken(): Promise<string | null>;
  hasToken(): boolean;                                    // SYNC
  isAuthenticated(): Promise<boolean>;                    // ASYNC — always use await
  signOut(options?: { webhookNotification?: boolean }): Promise<void>;
}

// --- Member API ---

interface PublicMemberAPI {
  get(params: {
    projectId?: string;
    memberId?: string;
    email?: string;
    fields?: string;         // comma-separated field names
  }): Promise<ApiResponse<Member[]>>;
}

// --- Audit Log ---

// trackUserAction(event, options?) → Promise<void>
// event:
//   tag: string              — required, entity:action format (e.g. 'payment:process')
//   severity?: 'low' | 'medium' | 'high'   — default: 'low'
//   status?: boolean         — default: true (true = success, false = failure)
//   error?: string           — error message when status is false
//   metadata?: Record<string, unknown>      — extra context
//   page?: string            — page URL (defaults to window.location.href)
// options:
//   requireAuth?: boolean    — redirect to hosted sign-in if not authenticated (default: true; set false → no-op when unauthenticated)
//   webhookNotification?: boolean — send Slack webhook (default: false)

// --- Events ---

type TranscodesEventName =
  | 'AUTH_STATE_CHANGED'
  | 'TOKEN_REFRESHED'
  | 'TOKEN_EXPIRED'
  | 'ERROR'
  | 'MEMBER_REVOKED';

interface AuthStateChangedPayload {
  isAuthenticated: boolean;
  accessToken: string | null;
  expiresAt: number | null;
  member: Member | null;
}

interface TokenRefreshedPayload {
  accessToken: string;
  expiresAt: number;
}

interface TokenExpiredPayload {
  expiredAt: number;
}

interface MemberRevokedPayload {
  /** User-facing message to display */
  message: string;
  /** Machine-readable reason for programmatic handling */
  reason: 'member_revoked';
}

interface ErrorPayload {
  code: string;
  message: string;
  context?: string;
}

// on<T>(event: TranscodesEventName, callback: (payload) => void): () => void  — returns unsubscribe fn
// off<T>(event: TranscodesEventName, callback): void
```

<!-- section:types:end -->

---

## Framework setup (quick reference)

**CDN static is the default for every framework.** Use a native `<script src="…" defer></script>` in `<head>`. Don't use `type="module"`. Don't use `crossorigin`. Don't use `next/script`. Don't install the npm SDK package unless the user explicitly requests the npm fallback.

### React + Vite — CDN static (DEFAULT)

> **Access pattern:** Vite is CSR-only — bare `transcodes.*` and explicit `window.transcodes.*` are equivalent. Use the bare form everywhere for brevity. See **Framework-specific access pattern** below.

Put the script in **`index.html` `<head>`** (native `<script defer>`, not a React component):

```html
<head>
  <script src="{RESOLVED_TRANSCODES_CDN_BASE}/%VITE_TRANSCODES_PROJECT_ID%/webworker.js" defer></script>
</head>
```

```bash
# .env
VITE_TRANSCODES_PROJECT_ID=proj_abc123xyz
```

**Then complete the TypeScript wiring (mandatory — skipping this is a compile error):**

```bash
# 1. Create types/transcodes.d.ts if it does not already exist
mkdir -p types
curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
```

```jsonc
// 2. tsconfig.json — add types/ to BOTH typeRoots and include
{
  "compilerOptions": {
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  "include": ["src", "types"]
}
```

```bash
# 3. Verify
npx tsc --noEmit
```

### Next.js App Router — CDN static (DEFAULT)

> **Access pattern (CRITICAL):** Next.js renders `'use client'` components **on the server first** during SSR/RSC. Calling `transcodes.*` (or `window.transcodes.*`) at module top level or directly in a render body throws `ReferenceError` at SSR — **and `tsc` will not warn you**. Defer every SDK call into `useEffect`, an event handler, or behind a `typeof window !== 'undefined' && window.transcodes` guard. See **Framework-specific access pattern** below.

Use a **native `<script defer>` in `<head>`** — do not use `next/script` for `webworker.js`.

```tsx
// app/layout.tsx
export default function RootLayout({ children }: { children: React.ReactNode }) {
  const projectId = process.env.NEXT_PUBLIC_TRANSCODES_PROJECT_ID!;
  const cdnBase = process.env.NEXT_PUBLIC_TRANSCODES_CDN_BASE ?? '{RESOLVED_TRANSCODES_CDN_BASE}';
  return (
    <html lang="en" suppressHydrationWarning>
      <head>
        <script src={`${cdnBase}/${projectId}/webworker.js`} defer />
      </head>
      <body>{children}</body>
    </html>
  );
}
```

```bash
# .env.local
NEXT_PUBLIC_TRANSCODES_PROJECT_ID=proj_abc123xyz
# NEXT_PUBLIC_TRANSCODES_CDN_BASE — default is {RESOLVED_TRANSCODES_CDN_BASE}
```

**Then complete the TypeScript wiring (mandatory — skipping this is a compile error). `next-env.d.ts` does NOT pick up `transcodes.d.ts` automatically:**

```bash
# 1. Create types/transcodes.d.ts if it does not already exist
mkdir -p types
curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
```

```jsonc
// 2. tsconfig.json (project root) — add types/ to BOTH typeRoots and include
{
  "compilerOptions": {
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  "include": ["next-env.d.ts", ".next/types/**/*.ts", "src", "types"]
}
```

```bash
# 3. Verify
npx tsc --noEmit
```

### Vue 3 + Vite — CDN static (DEFAULT)

> **Access pattern:** Vite is CSR-only — bare `transcodes.*` and explicit `window.transcodes.*` are equivalent. Use the bare form everywhere. If you migrate to Nuxt or any SSR-enabled Vue setup, switch to the SSR pattern below.

```html
<!-- index.html -->
<head>
  <script src="{RESOLVED_TRANSCODES_CDN_BASE}/%VITE_TRANSCODES_PROJECT_ID%/webworker.js" defer></script>
</head>
```

**Then complete the TypeScript wiring (mandatory — skipping this is a compile error):**

```bash
# 1. Create types/transcodes.d.ts if it does not already exist
mkdir -p types
curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
```

```jsonc
// 2. tsconfig.json — add types/ to BOTH typeRoots and include
{
  "compilerOptions": {
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  "include": ["src", "types"]
}
```

```bash
# 3. Verify
npx tsc --noEmit
```

---

### Framework-specific access pattern — when to use `transcodes` vs `window.transcodes`

Both `transcodes.*` (bare) and `window.transcodes.*` (explicit) resolve to the **same object at runtime** in the browser, and both are typed by `transcodes.d.ts` (`var transcodes: Window['transcodes']`). **The choice depends entirely on where the code runs.**

> ⚠️ **TypeScript will NOT catch SSR-time absence.** The `.d.ts` declares the global as always-present. The type checker happily green-lights both forms even when they would throw `ReferenceError` at runtime on the server. This makes the framework decision below a **runtime concern that the type system cannot enforce** — you must reason about it explicitly.

| Framework / runtime                      | Module top-level / RSC / first SSR render             | `useEffect` / event handler / `onClick`             | Recommended access form                                                |
| ---------------------------------------- | ----------------------------------------------------- | --------------------------------------------------- | ---------------------------------------------------------------------- |
| **Vite** (React, Vue, Svelte) — CSR only | ✅ both work — no SSR pass                            | ✅ both work                                        | Use bare `transcodes.*` everywhere. Equivalent and shorter.            |
| **Create React App** / Parcel — CSR only | ✅ both work                                          | ✅ both work                                        | Use bare `transcodes.*` everywhere.                                    |
| **Next.js App Router** (RSC + SSR)       | ❌ both throw `ReferenceError` (renders in Node first) | ✅ both work (browser only)                         | Inside `'use client'` + `useEffect` / handler: bare `transcodes.*`. Outside that scope: guard with `typeof window !== 'undefined' && window.transcodes`. |
| **Next.js Pages Router** (`getServerSideProps`, `getStaticProps`) | ❌ both throw on the server | ✅ both work in `useEffect` / handlers | Same as App Router. Never call SDK in `getServerSideProps` / `getStaticProps`. |
| **Remix / React Router (Framework Mode)** | ❌ both throw in loaders / actions / SSR             | ✅ both work in component effects                  | Same as Next.js — gate behind effects or feature-detection.            |
| **Astro / Qwik** (islands + SSR)         | ❌ both throw at SSR                                  | ✅ both work inside client islands                  | Use bare `transcodes.*` inside client-only directives (`client:load`, `client:idle`, etc.). |

**Decision rule for code samples:**

1. **Pure CSR project (Vite / CRA / Vue SPA / static HTML)** → use bare `transcodes.*` everywhere. Concise and equivalent.
2. **Any framework with SSR / RSC / static-generation phase (Next.js / Remix / Astro / SvelteKit)** → bare `transcodes.*` is fine **only inside browser-only code paths** (`useEffect`, `useLayoutEffect`, event handlers, components after `'use client'` + post-mount). Anywhere else, use the explicit `window.transcodes` form **with an SSR guard** so `tsc` and bundler don't mask the runtime hazard.

**Idiomatic SSR-safe access patterns:**

```tsx
// Next.js App Router — 'use client' + useEffect (preferred)
'use client';
import { useEffect } from 'react';

export function LoginButton() {
  // ❌ WRONG — runs at first SSR pass, transcodes is undefined on the server
  // const isAuth = await transcodes.token.isAuthenticated();

  useEffect(() => {
    // ✅ OK — useEffect only runs in the browser
    transcodes.token.isAuthenticated().then((isAuth) => {
      // ...
    });
  }, []);

  return <button onClick={() => {
    transcodes.redirectToSignIn({ redirectUri: `${window.location.origin}/auth/callback` });
  }}>Sign in</button>;
}
```

```ts
// Anywhere outside an effect / handler in an SSR framework — feature-detect first.
// The window.transcodes form pairs naturally with `typeof window !== 'undefined'`.
function isTranscodesReady(): boolean {
  return typeof window !== 'undefined' && Boolean(window.transcodes);
}

if (isTranscodesReady()) {
  // Inside the guarded block, bare `transcodes.*` is safe to call.
  await transcodes.token.isAuthenticated();
}
```

```ts
// AVOID — the bare form silently breaks SSR because TS doesn't see the gap.
// In Next.js / Remix / Astro this throws at SSR build / render time.
const isAuth = await transcodes.token.isAuthenticated(); // ❌ at module top level
```

**Why prefer `window.transcodes` for the guard but `transcodes.*` for the call?**

- `typeof window !== 'undefined' && window.transcodes` is the canonical SSR feature-detection idiom — every Next.js / Remix codebase has it. Reviewers immediately recognise the intent.
- After the guard establishes browser context, switching to bare `transcodes.*` for the actual calls keeps the call sites short and matches the rest of the documentation.
- TypeScript narrows neither form (the `.d.ts` always promises `transcodes` exists), so the guard is purely a **runtime safety contract**, not a type-narrowing trick.

---

### npm fallback variants (legacy exception only)

Do not generate npm fallback variants from this guide. If the user explicitly opts out of CDN static, verify the current package API first and keep that legacy implementation separate from the CDN static path.

---

## Quick start example (CDN static — Authentication-only DEFAULT)

**This is the default. Generate this — not an npm/`init()` variant — unless the user explicitly asks otherwise.**
For installable PWA, add the manifest and `public/sw.js` from Section 1 after this Authentication-only setup.

```html
<!DOCTYPE html>
<html>
<head>
  <script src="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>
</head>
<body>
  <button id="login">Sign in</button>
  <button id="logout" style="display:none">Sign out</button>
  <p id="status">Not signed in</p>

  <script defer>
    // React to auth state changes
    transcodes.on('AUTH_STATE_CHANGED', ({ isAuthenticated, member }) => {
      document.getElementById('status').textContent =
        isAuthenticated ? `Hello, ${member?.email}` : 'Not signed in';
      document.getElementById('login').style.display = isAuthenticated ? 'none' : '';
      document.getElementById('logout').style.display = isAuthenticated ? '' : 'none';
    });

    // Hosted sign-in
    document.getElementById('login').onclick = () => {
      transcodes.redirectToSignIn({
        redirectUri: `${window.location.origin}/auth/callback`,
      });
    };

    // Sign out
    document.getElementById('logout').onclick = () => transcodes.token.signOut();
  </script>
</body>
</html>
```

---

## CDN TypeScript setup — MANDATORY

The CDN static path is the default integration method, and **`transcodes.d.ts` is a required part of it for any TypeScript project.** Without it, `window.transcodes` is `any` and the SDK call sites do not type-check — worse, with `strict` mode enabled the project will fail to compile (`Property 'transcodes' does not exist on type 'Window'`).

**Do not assume the file is already in the repo. Verify, then create it if missing.**

### Step 1 — Check `transcodes.d.ts` exists; if not, create it

Search the repo for an existing `transcodes.d.ts` (typical locations: `types/transcodes.d.ts`, `src/types/transcodes.d.ts`, or any path on `tsconfig.json` `include`).

- **If the file is MISSING → create it now.** This is mandatory, not optional. The canonical source is `https://www.transcodes.io/instructions/types` (you can also download/copy the same file from the Transcodes Console):

  ```bash
  mkdir -p types
  curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
  ```

- **If the file EXISTS → confirm it is current** by re-running the `curl` (it overwrites the local copy with the latest CDN version). Stale `.d.ts` files cause subtle "method not found" errors when the SDK adds new APIs.

### Step 2 — Edit `tsconfig.json` (TypeScript projects only — REQUIRED)

**Skipping this step causes compile errors.** The TypeScript compiler will not pick up `transcodes.d.ts` unless its directory is on `include` and/or `typeRoots`. Update `tsconfig.json` like this:

```jsonc
{
  "compilerOptions": {
    // include the project-local types directory in addition to node_modules/@types
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  // ensure the types/ directory is part of the compilation (not just typeRoots)
  "include": ["src", "types"]
}
```

If you used a different folder name in Step 1 (e.g. `src/types/`), match it in both `typeRoots` and `include`.

For Next.js projects, add the same paths to the **root** `tsconfig.json`. Do **not** rely on auto-generated `next-env.d.ts` to pick up `transcodes.d.ts` — it will not.

### Step 3 — Verify the compiler is happy

Run a no-emit type check to confirm the wiring:

```bash
npx tsc --noEmit
```

If `window.transcodes` is still untyped, `tsconfig.json` was edited incorrectly — re-check that the directory containing `transcodes.d.ts` appears in **both** `include` AND `typeRoots`, and that the file path is exactly `<dir>/transcodes.d.ts`.

After Steps 1–3, `window.transcodes`, `transcodes.redirectToSignIn`, `transcodes.token.getCurrentMember()`, etc. are fully typed.

### Notes for the CDN static path

- **Do NOT call `init()`.** `webworker.js` bootstraps `window.transcodes` automatically. The `.d.ts` may still declare `init` (it is shared with the npm package) — ignore that export on the CDN static path.
- Re-run `curl` periodically (or as part of CI) so the local `transcodes.d.ts` stays in sync with the CDN.

### npm fallback only

When the user has explicitly chosen the npm SDK fallback, TypeScript types ship with the package and **no** extra `transcodes.d.ts` file is needed (and no `tsconfig.json` edit either). This exemption applies only to the npm fallback — not to the default CDN static path.

---

## React SDK helper aliases (recommended)

Use small local helper aliases in React apps when that makes components easier to read. **Default to CDN static**: read everything off the bare `transcodes` global (typed via `transcodes.d.ts`). Hosted redirect APIs do not share the old modal return shape, so do not reuse modal payload handling for CDN static integrations.

**CDN static (DEFAULT):**

```tsx
// src/lib/transcodes-client.ts — CDN static
// transcodes.d.ts must be installed (see "CDN TypeScript setup")
const sdkIsAuthenticated = () => transcodes.token.isAuthenticated();
const redirectToHostedSignIn = (redirectUri: string) =>
  transcodes.redirectToSignIn({ redirectUri });
const redirectToHostedConsole = (redirectUri: string) =>
  transcodes.redirectToConsole({ redirectUri });
const redirectToHostedStepUp = (params: { resource: string; action: 'create' | 'read' | 'update' | 'delete' }) =>
  transcodes.redirectToStepUp(params);
const sdkSignOut = () => transcodes.token.signOut();
const on = transcodes.on.bind(transcodes);
// Use these helpers inside browser-only React handlers/effects.
```

No npm React helper variant is provided because generated integrations should use CDN static.

---

## npm fallback examples — omitted for generated integrations

The npm SDK is deprecated for new integrations. Do not generate React quick starts from the npm SDK fallback; use the CDN static quick start above.

---

## Step-up MFA example (CDN static — DEFAULT)

Use before any sensitive action. This example shows the **default CDN static** flow via the bare `transcodes` global. No npm step-up variant is provided because generated integrations should use CDN static.

**CDN step-up with all mandatory steps:**

```typescript
// CDN step-up implementation
// Resolve resource/action from MCP / Console first. If unavailable, ask the user and stop.
async function deleteUser(userId: string) {
  try {
    const resource = resolvedResource; // resolved via get_resources or explicit user input
    const action = resolvedAction;     // resolved from the protected operation

    // 1. RBAC gate + hosted step-up when permission level is 2
    const gate = await transcodes.redirectToStepUp({
      resource,
      action,
      redirectUri: `${window.location.origin}/auth/stepup-callback`,
    });

    // SUCCESS CHECKS before using sid
    if (!gate.success || !gate.payload[0]) {
      throw new Error(gate.error || 'Step-up failed');
    }

    const decision = gate.payload[0];
    if (decision.decision === 'deny') {
      throw new Error('RBAC denied');
    }
    if (decision.decision === 'allow') {
      throw new Error('Step-up was not required by RBAC; expected permission level 2');
    }
    if (decision.status !== 'verified' || !decision.sid) {
      throw new Error('Step-up was not verified');
    }

    // Send verified sid to YOUR backend
    await fetch(`/api/users/${userId}`, {
      method: 'DELETE',
      headers: {
        Authorization: `Bearer ${await transcodes.token.getAccessToken()}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ sid: decision.sid }),
    });
    // YOUR backend calls: GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}
    // with header `x-transcodes-token: <MEMBER_API_TOKEN>` to verify before executing the action.

    // 4. Audit log success
    await transcodes.trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: true,
      metadata: { userId },
    });
  } catch (err) {
    // 5. Audit log failure
    await transcodes.trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: false,
      error: (err as Error).message,
      metadata: { userId },
    });
  }
}
```

---

<!-- section:server-jwt:start -->
## Server-side JWT verification

When you create an Authentication Cluster, you receive a `public_key.json` file (EC P-256 / ES256). Use this key to verify JWTs issued by Transcodes on your server. No JWKS endpoint or remote key fetch is needed.

Flow:
1. Client calls `await getAccessToken()` to get the JWT
2. Client sends the token to your backend via `Authorization: Bearer <token>`
3. Your backend verifies the token locally using `public_key.json`

`public_key.json` format (download from Console → Authentication Cluster):
```json
{
  "kty": "EC",
  "x": "...",
  "y": "...",
  "crv": "P-256",
  "alg": "ES256",
  "kid": "..."
}
```

If you regenerate the public key in the Console, the previous key becomes invalid. Update `public_key.json` on your server immediately.

### Node.js / Next.js (jose)

```typescript
// npm install jose
import { importJWK, jwtVerify, type JWTPayload } from 'jose';

// Paste your public_key.json content here, or import from a file
const TRANSCODES_PUBLIC_JWK = {
  kty: 'EC',
  x: '...',
  y: '...',
  crv: 'P-256',
  alg: 'ES256',
  kid: '...',
};

let _publicKey: Awaited<ReturnType<typeof importJWK>> | null = null;

async function getPublicKey() {
  if (!_publicKey) {
    _publicKey = await importJWK(TRANSCODES_PUBLIC_JWK, 'ES256');
  }
  return _publicKey;
}

async function verifyToken(token: string): Promise<JWTPayload> {
  const publicKey = await getPublicKey();
  const { payload } = await jwtVerify(token, publicKey);
  return payload;
}
```

Express middleware:
```typescript
app.use(async (req, res, next) => {
  const auth = req.headers.authorization;
  if (!auth?.startsWith('Bearer ')) return res.status(401).json({ error: 'No token' });
  try {
    req.member = await verifyToken(auth.slice(7));
    next();
  } catch {
    res.status(401).json({ error: 'Invalid or expired token' });
  }
});
```

Next.js middleware / route handler:
```typescript
import { importJWK, jwtVerify, type JWTPayload } from 'jose';
import { NextRequest, NextResponse } from 'next/server';

const TRANSCODES_PUBLIC_JWK = { /* paste public_key.json */ };

let _publicKey: Awaited<ReturnType<typeof importJWK>> | null = null;
async function getPublicKey() {
  if (!_publicKey) _publicKey = await importJWK(TRANSCODES_PUBLIC_JWK, 'ES256');
  return _publicKey;
}

export async function verifyAuth(req: NextRequest): Promise<{ payload: JWTPayload } | NextResponse> {
  const authHeader = req.headers.get('authorization');
  if (!authHeader?.startsWith('Bearer ')) {
    return NextResponse.json({ error: 'No token' }, { status: 401 });
  }
  try {
    const publicKey = await getPublicKey();
    const { payload } = await jwtVerify(authHeader.slice(7), publicKey);
    return { payload };
  } catch {
    return NextResponse.json({ error: 'Invalid or expired token' }, { status: 401 });
  }
}
```

### Python (PyJWT)

```python
# pip install pyjwt cryptography
import jwt

PUBLIC_KEY_JWK = {
    "kty": "EC",
    "x": "...",
    "y": "...",
    "crv": "P-256",
    "alg": "ES256",
    "kid": "...",
}

_public_key = jwt.algorithms.ECAlgorithm.from_jwk(PUBLIC_KEY_JWK)

def verify_token(token: str) -> dict:
    return jwt.decode(token, _public_key, algorithms=["ES256"])
```

<!-- section:server-jwt:end -->

<!-- section:csp:start -->
## CSP (Content Security Policy)

At minimum, allow the CDN for the SDK script (`script-src`) and the REST API host for SDK fetches (`connect-src`). Hosted sign-in, console, and step-up navigate to the auth app as a top-level redirect or a new tab; they do **not** require `frame-src` in the current hosted redirect flow. If your app already uses the CSP `navigate-to` directive, include `{RESOLVED_TRANSCODES_AUTH_ORIGIN}` there.

```html
<meta
  http-equiv="Content-Security-Policy"
  content="
    script-src  'self' {RESOLVED_TRANSCODES_CDN_BASE};
    connect-src 'self' {RESOLVED_TRANSCODES_API_ORIGIN};
  "
/>
```

<!-- section:csp:end -->

---

<!-- section:webauthn:start -->
## Hosted WebAuthn and Redirect Origins

**Current NestJS SSOT (2026-06):** In the hosted auth architecture, passkey/authenticator WebAuthn ceremonies run on the dedicated auth app (`https://auth.transcodes.io` in prod, dev override supported). Customer apps do not create, serve, or verify a WebAuthn related-origins file for the normal hosted sign-in, console, or step-up flows.

`authentication.related_origins` is used by `TempSessionService` as the allow-list for hosted sign-in `redirect_uri` callback origins. Treat it as sign-in redirect configuration only. Do not use it to build WebAuthn ceremony origin lists.

### Agent rules

- Do **not** create or rewrite `/.well-known/webauthn` in the customer repository for normal generated integrations.
- Do **not** synthesize an `origins` array from `project.domain_url`, `https://auth.transcodes.io`, and `authentication.related_origins`.
- If `redirectToSignIn()` must return to a preview URL, alias, subdomain, custom domain, or localhost URL, add that full callback origin in Console -> Authentication -> Related origins.
- Never remove or rewrite existing `authentication.related_origins` entries unless the user explicitly asks. Removing them can break hosted sign-in callback validation.
- If a user explicitly asks for customer-domain WebAuthn setup, stop and verify the current backend contract first. This frontend integration guide does not require or describe that setup.

### Integration record

In `.transcodes/integration.md`, record only this:

- Hosted WebAuthn: `handled by https://auth.transcodes.io` (or the configured dev auth app).
- Customer `/.well-known/webauthn`: `not generated for hosted redirect flow`.
- Hosted sign-in callback origins: list `project.domain_url` plus any saved `authentication.related_origins` values that are needed for sign-in callbacks.

If `authentication.related_origins` is absent or empty, record `[]`. This is valid and does not require any customer WebAuthn file.

<!-- section:webauthn:end -->

---

## Release Checklist

Use this checklist before outputting final code:

0. **Integration method = CDN static** — Authentication-only uses one `<script src="…/webworker.js" defer></script>` in HTML `<head>`. Add `<link rel="manifest">` and `public/sw.js` (one-line `importScripts`) only for installable PWA/Web App Kit. The script tag has `defer` only — **no `type="module"`, no `crossorigin`, no `async`**. The npm SDK fallback is used **only** if the user explicitly opted out of CDN static.
0a. **`transcodes.d.ts` is installed AND `tsconfig.json` is wired** for any TypeScript project on the CDN static path. All three sub-steps must be done — verify, do not assume:
    - `transcodes.d.ts` exists in the repo (e.g. `types/transcodes.d.ts`). If it was missing, you fetched it from `https://www.transcodes.io/instructions/types` (not from memory).
    - `tsconfig.json` includes the directory in **both** `include` AND `typeRoots`. **Skipping this is a guaranteed compile error.**
    - `npx tsc --noEmit` passes (or the project's equivalent type-check command).
0b. **No `init()` call** on the CDN static path. (`init({ projectId })` appears only in confirmed npm fallback code.)
1. `projectId`, JWT issuer, and server-side Transcodes token (`x-transcodes-token`) are resolved or explicitly requested from the user.
2. Only the hosted redirect APIs are generated by default:
   - `redirectToSignIn(options?)`
   - `redirectToConsole(options?)`
   - `redirectToStepUp({ resource, action, redirectUri?, comment? })`
   Direct `openAuth*` calls are used only after verifying the current entry binds the matching modal factory.
3. All async SDK methods use `await`.
4. Every SDK result checks outer `result.success` before reading `payload`.
5. `redirectToStepUp()` checks outer `result.success`, then branches on `result.payload[0]?.decision`; a verified `sid` is required before executing the protected operation.
6. Step-up flows send the verified `sid` to the app backend, and the backend verifies it with:
   - `GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}`
   - header `x-transcodes-token: <MEMBER_API_TOKEN>` (server-only JWT issued from the Console; different from `TRANSCODES_TOKEN` used by MCP)
7. Protected console and step-up flows are preceded by `await isAuthenticated()` or an equivalent app session guard.
8. Event subscriptions return and use `unsubscribe` on cleanup.
9. Audit log tags use `entity:action` format.
10. Sensitive operations log both success and failure.
11. `resource` is resolved via `get_resources` or explicit user input; never guessed.
12. **No customer WebAuthn endpoint** — hosted WebAuthn ceremonies run on the auth app, and `authentication.related_origins` is only for hosted sign-in callback validation. Do not generate `/.well-known/webauthn` for normal integrations.
13. Final code contains no unresolved placeholders.

---

## [Agent Rule — .transcodes Integration Record]

### After completing Transcodes frontend integration

When the initial installation and configuration of Transcodes is finished, **you MUST create a `.transcodes/` folder** in the project root and generate a documentation file that records how each Transcodes API was used.

**Create:** `.transcodes/integration.md`

The file must contain:

1. **Project info** — Project ID, integration method (`CDN static` is the default; record `npm` only if the user explicitly chose it), framework
2. **redirectToSignIn** — where it is called, which component/page, any options used (e.g. `redirectUri`)
3. **redirectToConsole** — where it is called, which component/page, any options used
4. **redirectToStepUp** — where it is called, which `resource` and `action` values were used, callback path, and backend verification endpoint
5. **Transcodes MCP** — if used: which tools (e.g. members, roles, audit logs), and how the project is configured
6. **trackUserAction** — every call site, the `tag` used, `severity`, what `metadata` is passed
7. **Events** — which events are subscribed to (`AUTH_STATE_CHANGED`, `TOKEN_EXPIRED`, etc.) and where
8. **Server-side** — whether JWT verification is implemented, which endpoint, which library
9. **Hosted WebAuthn / redirect origins** — record that hosted WebAuthn is handled by `https://auth.transcodes.io`, customer `/.well-known/webauthn` was not generated, and `authentication.related_origins` is used only as the hosted sign-in callback allow-list (`[]` if empty / absent).

Format each entry as a table or bullet list with: **file path**, **function/component name**, **parameters**, and **purpose**.

Example structure:

```
# Transcodes Integration Record

## Project
- Project ID: proj_abc123
- Method: CDN static (`<script defer>` + `transcodes.d.ts`)
- Framework: Next.js 15 App Router
- TypeScript: `types/transcodes.d.ts` created from https://www.transcodes.io/instructions/types; `tsconfig.json` updated (`include` + `typeRoots` both contain `./types`); `npx tsc --noEmit` passes.

## redirectToSignIn
| File | Component | Options | Purpose |
|------|-----------|---------|---------|
| src/app/components/LoginButton.tsx | LoginButton | redirectUri: /auth/callback | Main hosted sign-in flow |

## redirectToConsole
| File | Component | Options | Purpose |
|------|-----------|---------|---------|
| src/app/components/SettingsButton.tsx | SettingsButton | redirectUri: /auth/console-callback | Hosted member self-service |

## redirectToStepUp
| File | Component | resource | action | Purpose |
|------|-----------|----------|--------|---------|
| src/app/admin/DeleteUser.tsx | DeleteUserButton | system | delete | Hosted step-up before sensitive deletion |

## trackUserAction
| File | tag | severity | metadata keys | Purpose |
|------|-----|----------|---------------|---------|
| src/app/admin/DeleteUser.tsx | user:delete | high | userId | Audit log for user deletion |
| src/app/payments/Checkout.tsx | payment:process | high | amount, currency | Payment audit trail |

## Hosted WebAuthn / redirect origins
- **Hosted WebAuthn:** handled by `https://auth.transcodes.io`
- **Customer `/.well-known/webauthn`:** not generated for hosted redirect flow
- **Hosted sign-in callback origins:** `project.domain_url` plus `get_project.authentication.related_origins`
- **`authentication.related_origins` snapshot (YYYY-MM-DD):**
  ```json
  []
  ```
- **Verified:** no customer WebAuthn endpoint required for hosted redirect flow
```

### Before modifying or extending an existing Transcodes integration

**[Agent Rule — always read .transcodes first]** When the user asks to modify, refactor, or extend any Transcodes integration code, **you MUST read `.transcodes/integration.md` BEFORE making any changes.** This file is the single source of truth for how the integration is wired. Use it to:

- Understand which APIs are used and where
- Avoid breaking existing call sites
- Keep the documentation in sync — **update `.transcodes/integration.md` after every change**

If `.transcodes/integration.md` does not exist yet, create it by scanning the codebase for all Transcodes API call sites first.

#### Pre-flight: hosted redirect origins

**[Agent Rule]** Before any Transcodes-related change, read `.transcodes/integration.md`. For hosted redirect integrations, do not look for or generate `/.well-known/webauthn`. If a new sign-in callback origin (preview URL, subdomain, alias, custom domain, or localhost URL) is introduced, add that full origin to `authentication.related_origins` in Console -> Authentication -> Related origins before relying on hosted sign-in redirects.

#### Before adding a new feature on top of an existing integration

**[Agent Rule]** First confirm via `.transcodes/integration.md` (and grep if unclear) that the feature isn't already implemented — duplicate call sites, `trackUserAction` tags, or `resource:action` pairs are bugs. Then run the pre-flight above. After the change, update `.transcodes/integration.md`.

---

## Browser support

| Browser | Minimum |
| ------- | ------- |
| Chrome  | 67+     |
| Safari  | 14+     |
| Firefox | 60+     |
| Edge    | 79+     |

WebAuthn requires **HTTPS** in production. `localhost` / `127.0.0.1` work for development.

---

## Scope: Transcodes vs Your App

| Transcodes SDK handles              | Your app should implement               |
| ----------------------------------- | --------------------------------------- |
| Passkey credential storage          | XSS / CSRF protection                   |
| JWT issuance and refresh            | Application-level authorization logic   |
| WebAuthn ceremony (challenge/verify)| Server-side JWT verification            |
| UI modals (login, console, step-up) | HTTPS in production                     |
| Token memory management             | Rate limiting on your API               |

### Recommended frontend implementations

**XSS Protection:**
- Sanitize user input before rendering (`DOMPurify` or framework-native escaping)
- Set `Content-Security-Policy` headers (see CSP section above)
- Avoid `innerHTML` / `dangerouslySetInnerHTML` with untrusted data

**CSRF Protection:**
- Use `SameSite=Strict` or `SameSite=Lax` on cookies
- Add CSRF tokens on state-mutating requests if using cookie-based sessions
- Transcodes JWT is stored in memory (not cookies), so XSS is the primary vector to guard against

**HTTPS:**
- Required for WebAuthn in production (`localhost` is exempt for development)
- Use reverse proxy (nginx, Cloudflare, Vercel) or platform-managed TLS

**Rate Limiting:**
```typescript
// Example: express-rate-limit
import rateLimit from 'express-rate-limit';

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                  // 100 requests per window per IP
});

app.use('/api/', limiter);
```

---

## Links

- [Full docs](https://www.transcodes.io/docs)
- [MCP Server Setup](https://www.transcodes.io/docs/mcp-server)
- [API Reference](https://www.transcodes.io/docs/api-reference)
- [Quick Integration](https://www.transcodes.io/docs/quick-integration)
- [Console](https://app.transcodes.io)

---

## Video Tutorials

**[Agent Instruction for Videos]** Append the relevant video link when generating complex setups.

### General Setup & Demos
- **Organization & Project Creation**
  - **Description**: Shows how to create an organization and a project from the Transcodes Console.
  - **When to show**: When the user is just starting out, asks how to create an account, or needs to set up their first workspace.
  - **Link**: [Watch Video](https://player.mux.com/wS301Khp4BQzGhcNGqeRcDRtDqN600HdEXThbIIqTSK8w?metadata-video-title=getting_started&video-title=getting_started)
- **Creating Auth and Optional PWA Clusters**
  - **Description**: Demonstrates how to create and configure Authentication, plus PWA settings when installable Web App Kit is needed.
  - **When to show**: When the user asks how to enable auth/PWA, or is stuck on the "Console prerequisite" step.
  - **Link**: [Watch Video](https://player.mux.com/74dnHn2e8BRKw99r1nCH7qG7YasJjDdaeXYezgdWqBY?metadata-video-title=project_setup_node&video-title=project_setup_node)
- **Official Authentication Demo**
  - **Description**: A complete walkthrough of the Transcodes authentication flow (passkey, step-up MFA) from an end-user perspective.
  - **When to show**: When the user asks "what does the login look like?" or wants to see the final product in action.
  - **Link**: [Watch Video](https://player.mux.com/c9GY3lWAi2E3gZzLkolhil87rg28S8dfA1SLBSc8N00k?metadata-video-title=official_demo_complete&video-title=official_demo_complete)
- **Official PWA Demo**
  - **Description**: Shows the PWA installation process and how the app looks when installed on a device.
  - **When to show**: When the user asks "how does the PWA install work?" or wants to see the PWA UX.
  - **Link**: [Watch Video](https://player.mux.com/PA00U9vVASatqGU3iw5sFemijDKi1vskPFUjWmoXx902Q?metadata-video-title=getting_started_pwa&video-title=getting_started_pwa)

### Authentication Kit
- **Customizing Modal Branding**
  - **Description**: How to change the logo, colors, and styling of the authentication modals via the Console.
  - **When to show**: When the user asks how to change the modal color, add their logo, or customize the UI.
  - **Link**: [Watch Video](https://player.mux.com/DbWrDD5TOC17mH2POv1Ib01Azez2fZobXDMmElMXDhbY?metadata-video-title=auth_branding&video-title=auth_branding)
- **Setting up RBAC (Role-Based Access Control)**
  - **Description**: How to define roles, permissions, and assign them to members in the Console.
  - **When to show**: When the user asks about role-based access control, how to restrict access, or how roles map to permissions in the Console.
  - **Link**: [Watch Video](https://player.mux.com/1RDl5VEY602DNguYqjVDK6PaQ00B9CD01yDcYD6HiF5mi8?metadata-video-title=auth_rbac&video-title=auth_rbac)
- **Configuring Webhooks**
  - **Description**: How to set up Slack/Discord webhooks to get notified on user logins or actions.
  - **When to show**: When the user asks about notifications, Slack integrations, or webhook parameters in the API.
  - **Link**: [Watch Video](https://player.mux.com/YeyzMIwwN800v9zYVc8dKKrvCTy02EJ713mZJfZ1soBnw?metadata-video-title=auth_webhook&video-title=auth_webhook)
- **Viewing Audit Logs**
  - **Description**: How to view and filter user action logs in the Transcodes Console.
  - **When to show**: When the user asks where to see the logs generated by `trackUserAction` or wants to monitor user activity.
  - **Link**: [Watch Video](https://player.mux.com/HK00WvGEok500415CmQ7TavCStVG3t3YgNHNih8K02Z9028?metadata-video-title=auth_audit&video-title=auth_audit)
- **Server-side Auth (JWT Verification)**
  - **Description**: How to verify Transcodes JWTs on a backend server using `public_key.json` (ES256 / `jose`).
  - **When to show**: When the user asks how to protect their backend API or verify tokens server-side.
  - **Link**: [Watch Video](https://player.mux.com/qtgRGW1DB006D6JTNYIyWy01uGy014YXOufbCUYr00p1oZ4?metadata-video-title=auth_json&video-title=auth_json)
- **Authentication Backup Methods**
  - **Description**: Setting up fallback authentication methods (like email or TOTP) when passkeys aren't available.
  - **When to show**: When the user asks "what if the user loses their passkey?" or wants to enable email/TOTP login.
  - **Link**: [Watch Video](https://player.mux.com/I4OctRguqJvaqRFE9uL6oQTIjZNBWqhrBpNzFfkJJO4?metadata-video-title=auth_backup&video-title=auth_backup)

### PWA / Web App Kit
- **CDN static Installation (index.html)**
  - **Description**: How to add native `<script src="…/webworker.js" defer></script>` in `<head>` for Authentication-only; add `<link rel="manifest">` and `public/sw.js` only for installable PWA/Web App Kit; fetch **https://www.transcodes.io/instructions/types**, save as `transcodes.d.ts`, wire `tsconfig.json`; the CDN static path needs no `init()`.
  - **When to show**: When the user is setting up the default CDN static integration, asks where to put the script tag, or asks what extra assets PWA needs.
  - **Link**: [Watch Video](https://player.mux.com/PQCWSkHiBYjhWkJXlsHu7w5Ha9U2oWnDGtAjbaCo1Go?metadata-video-title=pwa_auth_installation&video-title=pwa_auth_installation)
- **PWA Installation Simulation**
  - **Description**: Simulates the user experience of installing the PWA.
  - **When to show**: When the user wants to understand the install prompt flow.
  - **Link**: [Watch Video](https://player.mux.com/HAp2zjaue756ndCwdQ02PsJGjZk01Ft75r101hhDSeE93Y?metadata-video-title=pwa_installation&video-title=pwa_installation)
- **Rich Install Screenshots Setup**
  - **Description**: How to upload and configure screenshots that appear in the PWA install prompt.
  - **When to show**: When the user asks how to add images to the install prompt or configure rich install UI.
  - **Link**: [Watch Video](https://player.mux.com/blZ00ZnVCN00RMow02DL4fMwCBTdjSXNtJRPbO7jEFm4jU?metadata-video-title=pwa_screenshot&video-title=pwa_screenshot)
- **Widget Component Configuration**
  - **Description**: How to configure the floating PWA install widget.
  - **When to show**: When the user asks about the install button or widget configuration.
  - **Link**: [Watch Video](https://player.mux.com/QfE008xqjTzHLjoGabizmqU00fdb7ZGrwve1QgpFeJU6g?metadata-video-title=pwa_widget&video-title=pwa_widget)
- **Manifest Configuration**
  - **Description**: How to set up the PWA manifest details (name, short name, theme color, display mode) in the Console.
  - **When to show**: When the user asks how to change the app name, colors, or display settings for the PWA.
  - **Link**: [Watch Video](https://player.mux.com/JEm5F02GQfAWlNWxujqt8B9ScTXSCvs00RzraM9YHF01Ds?metadata-video-title=pwa_configuration&video-title=pwa_configuration)
- **Custom Icon Setup**
  - **Description**: How to upload a base icon and have Transcodes automatically generate all required manifest icon sizes.
  - **When to show**: When the user asks how to set the app icon for the home screen.
  - **Link**: [Watch Video](https://player.mux.com/W2Gs4TJThlEkOW3m017RtP00ZsbkP01ZP6y7JoCrkTe5no?metadata-video-title=pwa_icon&video-title=pwa_icon)
- **PWA Cache Settings**
  - **Description**: How to configure offline caching strategies via the Transcodes Console.
  - **When to show**: When the user asks about offline support or caching static assets.
  - **Link**: [Watch Video](https://player.mux.com/39ieyO856vgEacy0136q3qHEQEEQaokRl9vgPS8hizgE?metadata-video-title=pwa_cache&video-title=pwa_cache)

---

<!-- section:troubleshooting:start -->
## Troubleshooting

Use this section when something is not working. Each entry maps **symptom → cause → fix**.

---

## PWA / sw.js

### GET /sw.js → 404
- **Cause**: `public/sw.js` does not exist in the repo, but the browser is requesting it because Transcodes PWA wiring is (or was) active.
- **Diagnosis**: Check if `public/sw.js` is present. Check browser DevTools → Application → Service Workers for stale registrations.
- **Fix**: Create `public/sw.js` with exactly one line:
  ```javascript
  importScripts('{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/sw.js');
  ```
- **If PWA is not needed**: Remove `<link rel="manifest">` and stale service worker registration/imports, but keep `<script src="…/webworker.js" defer></script>` if Authentication-only is still used. Clear stale SW via DevTools → Application → Service Workers → Unregister.

### PWA install prompt never appears
- **Cause 1**: `public/sw.js` is missing → browser cannot register the service worker.
- **Cause 2**: `<link rel="manifest">` is missing from `<head>`.
- **Cause 3**: Site is not served over HTTPS (required for WebAuthn / PWA).
- **Fix**: Confirm all three: manifest link in `<head>`, `sw.js` served at `/sw.js`, HTTPS in production.

### manifest.json → 404
- **Cause**: Using a local `manifest.json` path that does not exist instead of the CDN URL.
- **Fix**: Use `href="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/manifest.json"` — do not create a local file.

---

## SDK loading (CDN static)

### Should I use the npm SDK instead?
- **Default answer: NO.** Use CDN static (`<script src="…/webworker.js" defer></script>` in `<head>` + `transcodes.d.ts`). The npm SDK is a fallback used only when the user explicitly opts out of CDN static — for example, an environment with no controllable HTML `<head>`.
- **If you already wired npm without asking**: Switch to CDN static unless the user has confirmed they need npm.

### `window.transcodes` is undefined
- **Cause 1**: `<script src=".../webworker.js" defer>` is missing from `<head>` — or placed in `<body>` after scripts that depend on it.
- **Cause 2**: Code accessed `window.transcodes` before the deferred script finished executing. Deferred scripts run after HTML parsing but before `DOMContentLoaded`.
- **Cause 3**: The script was loaded with the wrong attributes — e.g. `type="module"`, `async`, or wrapped in Next.js `<Script>`. Use **plain `<script src defer>`** only.
- **Cause 4**: Next.js `<Script strategy="beforeInteractive">` or any framework loader was used instead of a native `<script>` in `<head>`.
- **Fix**: Place exactly `<script src="{RESOLVED_TRANSCODES_CDN_BASE}/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>` inside `<head>`. Gate usage on `window.transcodes` existing, on `DOMContentLoaded`, or subscribe to `AUTH_STATE_CHANGED` instead of reading on load.

### `ReferenceError: transcodes is not defined` (or `window is not defined`) on the server
- **Symptom**: Build/runtime error during Next.js SSR/RSC, Remix loader, Astro SSR, SvelteKit prerender, or `next build` — the stack trace points at `transcodes.*` or `window.transcodes.*`.
- **Cause**: The SDK call ran in a server context (Node) where neither the `transcodes` global nor `window` exists. Common triggers:
  - Bare `transcodes.token.isAuthenticated()` at the top of a `'use client'` file (still rendered on the server during SSR pass).
  - SDK call in a Server Component / RSC body.
  - SDK call in `getServerSideProps`, `getStaticProps`, Remix `loader` / `action`, SvelteKit `+page.server.ts`, or Astro frontmatter.
  - SDK call in module top-level of any file imported by an SSR route.
- **Why TypeScript missed it**: `transcodes.d.ts` declares `var transcodes: Window['transcodes']` as always-present. The type system has no way to know the global is missing on the server.
- **Fix**:
  - **Move the call into a browser-only path** — `useEffect`, `useLayoutEffect`, an event handler, or a post-mount callback.
  - **Or guard the call**: `if (typeof window !== 'undefined' && window.transcodes) { ... }` — works in module top-level too.
  - For Next.js, ensure the file starts with `'use client'` AND the call is inside `useEffect` (not the render body).
  - See **Framework-specific access pattern** for the per-framework matrix.

### Script tag has `type="module"` or `crossorigin` / `crossOrigin`
- **Cause**: Old documentation or muscle memory from the prior recommendation.
- **Fix**: Remove both attributes. The canonical tag is `<script src="…/webworker.js" defer></script>` — `defer` is the only attribute besides `src`.

### TypeScript compile error: `Property 'transcodes' does not exist on type 'Window & typeof globalThis'`
- **Cause A**: `transcodes.d.ts` is not in the repo at all. **This file is mandatory for the CDN static path — you must create it if it is missing.**
- **Cause B**: `transcodes.d.ts` exists, but `tsconfig.json` was never edited, so the compiler does not pick it up.
- **Cause C**: `tsconfig.json` was edited but the directory is on `typeRoots` only OR `include` only — both are required.
- **Fix (sequence — execute every step, do not skip)**:
  1. `mkdir -p types && curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types`
  2. Edit `tsconfig.json` so `types` appears in **both** `include` AND `typeRoots`:
     ```jsonc
     {
       "compilerOptions": { "typeRoots": ["./node_modules/@types", "./types"] },
       "include": ["src", "types"]
     }
     ```
  3. `npx tsc --noEmit` — if the error is gone, you are done.
- See **CDN TypeScript setup** for the canonical procedure.

### TypeScript error: `window.transcodes` has no type / implicit `any` (non-strict mode)
- **Cause**: Same as above (missing `transcodes.d.ts` or unedited `tsconfig.json`). Without `strict`/`noImplicitAny` the compiler does not crash, but every SDK call site falls back to `any` — you lose autocomplete and type checks.
- **Fix**: Same 3-step sequence as the compile error above.

### `init is not a function` or calling `init()` breaks the CDN static flow
- **Cause**: `init()` is only for the npm SDK fallback path. The CDN static path bootstraps automatically — `init()` must NOT be called.
- **Fix**: Remove the `init()` call. Confirm the integration is CDN static (a `<script src defer>` in `<head>`), not npm.

---

## Hosted auth redirects

### Redirect does not start / nothing happens
- **Cause 1**: `await` missing or errors ignored — hosted auth APIs return a Promise and failures must be handled.
- **Cause 2**: `isAuthenticated()` missing `await` — always returns a truthy Promise object, so the auth guard short-circuits.
- **Cause 3**: `redirectToStepUp()` was not called directly from a user click/submit handler, so the browser blocked the placeholder auth tab.
- **Fix**: Always `await` every SDK async method.

### `result.success` is false after hosted auth
- **Cause**: The hosted session failed, expired, was cancelled, or the SDK could not create the redirect session.
- **Fix**: Check `result.success` before accessing `result.payload`. Do not access `payload` when `success` is false.

### `redirectToStepUp()` returns `success: false`
- **Cause 1**: The member's role has permission `0` (deny) for the given `resource` + `action` in the Console permission matrix.
- **Cause 2**: `resource` or `action` string does not match any key in Console → RBAC → Resources.
- **Fix**: Console → RBAC → Permission Matrix → set the cell for the role × resource × action to `1` (allow) or `2` (allow + step-up). Use `get_resources` via MCP to verify the exact resource key.

### Step-up session verification fails on the backend
- **Cause**: Client is sending `sessionId` directly to Transcodes instead of to its own backend, or the backend is not calling `GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}` with header `x-transcodes-token`.
- **Fix**: Flow must be: client → own backend (with `sid`) → own backend calls Transcodes API with `x-transcodes-token: <MEMBER_API_TOKEN>`. Never verify step-up on the client side.

---

## JWT / server-side

### JWT verification error: "algorithm not supported" or "invalid signature"
- **Cause**: Using `RS256` / `jwks-rsa` / `jsonwebtoken` instead of `ES256` / `jose` + `public_key.json`.
- **Fix**: Install `jose`. Use `importJWK(PUBLIC_JWK, 'ES256')` + `jwtVerify`. The key comes from `public_key.json` downloaded from Console → Authentication Cluster.

### JWT verification error: "key not found" or "kid mismatch"
- **Cause**: `public_key.json` was regenerated in the Console but the server still uses the old key.
- **Fix**: Download the new `public_key.json` from Console → Authentication Cluster → copy/download. Update `TRANSCODES_PUBLIC_JWK` on the server and redeploy.

### `getAccessToken()` returns `null`
- **Cause**: No active valid stored token — user has not signed in, or the stored token has expired.
- **Fix**: Call `isAuthenticated()` first. If false, call `redirectToSignIn({ redirectUri })`. Never assume a token exists without checking.

### `getCurrentMember()` returns `{ success: false, error: 'unauthenticated' }`
- **Cause**: No active session.
- **Fix**: Establish a session via `redirectToSignIn({ redirectUri })` first.

### `getCurrentMember()` returns `{ success: false, error: 'revoked' }`
- **Cause**: The member account has been suspended in the Console.
- **Fix**: The SDK has already cleared the local session and emitted `MEMBER_REVOKED`; route the user out. If the suspension should be lifted, use Console → Members → find member → lift suspension.

---

## RBAC

### Role names — where do exact strings come from?
- **MCP available**: Call `get_roles` via Transcodes MCP → use the returned role name strings exactly (for Console configuration, permission matrix, and MCP tools).
- **MCP not available**: Console → RBAC → Roles → copy exact names.
- **Never invent** role names.

### `resource` / `action` — where do I get the values?
- **MCP available**: Call `get_resources` via Transcodes MCP → use the returned `resource_key` strings exactly.
- **MCP not available**: Console → RBAC → Resources → copy exact keys. Ask the user which resource + action maps to the sensitive operation.

---

## CSP / network errors

### SDK script blocked by CSP
- **Symptom**: Console error `Refused to load script … because it violates the following Content Security Policy directive`.
- **Fix**: Add `{RESOLVED_TRANSCODES_CDN_BASE}` to `script-src` and `{RESOLVED_TRANSCODES_API_ORIGIN}` to `connect-src`. Hosted auth redirects do not require `frame-src`; if your CSP defines `navigate-to`, include `{RESOLVED_TRANSCODES_AUTH_ORIGIN}` there. Resolve placeholders from the Placeholder Resolution Policy table.

### Transcodes API calls blocked (CORS / network)
- **Cause**: `connect-src` in CSP does not include the Transcodes API domain.
- **Fix**: Add `{RESOLVED_TRANSCODES_API_ORIGIN}` to `connect-src`. The current hosted redirect flow does not fetch from the auth app origin from the host page. Resolve placeholders from the Placeholder Resolution Policy table.

---

## Hosted WebAuthn / Redirect Origins

### `redirectToSignIn()` fails on a secondary origin (preview URL, custom domain, alias)
- **Cause**: The callback origin is not registered in `authentication.related_origins`, so NestJS rejects the hosted sign-in `redirect_uri`.
- **Fix**: Add the full callback origin (with `https://` scheme, or `http://` for localhost) to `authentication.related_origins` in Console -> Authentication -> Related origins. This updates the redirect allow-list; do not generate `/.well-known/webauthn`.

### Step-up opens on `auth.transcodes.io` but WebAuthn fails
- **Cause**: Under the current hosted auth flow, the WebAuthn ceremony runs on the auth app. `authentication.related_origins` is not used by passkey/authenticator verification.
- **Fix**: Do not fix this by adding `https://auth.transcodes.io` to a customer `/.well-known/webauthn` file. Verify the project's `domain_url`, backend auth host configuration, and the passkey/authenticator `rpid` stored for the credential.

<!-- section:troubleshooting:end -->

---

## Documentation Site Map

The full Transcodes documentation is available at https://www.transcodes.io/docs. Below is every page organized by category.

### Introduction
- https://www.transcodes.io/docs/introduction — Overview of Transcodes
- https://www.transcodes.io/docs/introduction/how-it-works — How Transcodes works
- https://www.transcodes.io/docs/introduction/why-transcodes — Why choose Transcodes
- https://www.transcodes.io/docs/introduction/architecture — System architecture

### LLM Context
- https://www.transcodes.io/docs/llm-context — AI/LLM integration context and instructions

### Complete Guide & MCP Server
- https://www.transcodes.io/docs/mcp-server — Complete guideline for setting up projects & MCP server setup for Claude, Cursor, Codex

### Quick Integration
- https://www.transcodes.io/docs/quick-integration — Quick start overview
- https://www.transcodes.io/docs/quick-integration/react — React integration
- https://www.transcodes.io/docs/quick-integration/nextjs — Next.js integration
- https://www.transcodes.io/docs/quick-integration/vue — Vue.js integration
- https://www.transcodes.io/docs/quick-integration/vanilla — Vanilla JS integration

### Demonstrations
- https://www.transcodes.io/docs/demonstration — Demo overview
- https://www.transcodes.io/docs/demonstration/passkey-login — Passkey login flow
- https://www.transcodes.io/docs/demonstration/passkey-login/create-project — Create project
- https://www.transcodes.io/docs/demonstration/passkey-login/import-cdn — Import CDN
- https://www.transcodes.io/docs/demonstration/passkey-login/call-login-modal — Call login modal
- https://www.transcodes.io/docs/demonstration/passkey-login/listen-state — Listen to auth state
- https://www.transcodes.io/docs/demonstration/passkey-login/server-side — Server-side verification
- https://www.transcodes.io/docs/demonstration/passkey-login/console-panel — Console panel
- https://www.transcodes.io/docs/demonstration/stepup-mfa — Step-up MFA flow
- https://www.transcodes.io/docs/demonstration/stepup-mfa/prerequisites — Prerequisites
- https://www.transcodes.io/docs/demonstration/stepup-mfa/import-cdn — Import CDN
- https://www.transcodes.io/docs/demonstration/stepup-mfa/call-mfa-modal — Call MFA modal
- https://www.transcodes.io/docs/demonstration/stepup-mfa/handle-mfa-response — Handle MFA response
- https://www.transcodes.io/docs/demonstration/history-log — History log
- https://www.transcodes.io/docs/demonstration/history-log/step-1-basics — Step 1: Basics
- https://www.transcodes.io/docs/demonstration/history-log/step-2-passkey-events — Step 2: Passkey events
- https://www.transcodes.io/docs/demonstration/history-log/step-3-mfa-events — Step 3: MFA events

### Web App Cluster
- https://www.transcodes.io/docs/web-app-cluster — Overview
- https://www.transcodes.io/docs/web-app-cluster/installation-guide — Installation guide
- https://www.transcodes.io/docs/web-app-cluster/configuration — Configuration
- https://www.transcodes.io/docs/web-app-cluster/app-icons — App icons
- https://www.transcodes.io/docs/web-app-cluster/widget — Widget
- https://www.transcodes.io/docs/web-app-cluster/screenshots — Screenshots
- https://www.transcodes.io/docs/web-app-cluster/cache-strategy — Cache strategy
- https://www.transcodes.io/docs/web-app-cluster/surveillance — Surveillance

### Authentication Cluster
- https://www.transcodes.io/docs/authentication-cluster — Overview
- https://www.transcodes.io/docs/authentication-cluster/installation-guide — Installation guide
- https://www.transcodes.io/docs/authentication-cluster/branding — Branding customization
- https://www.transcodes.io/docs/authentication-cluster/rbac — Role-based access control
- https://www.transcodes.io/docs/authentication-cluster/audit-logs — Audit logs
- https://www.transcodes.io/docs/authentication-cluster/configuration — Configuration
- https://www.transcodes.io/docs/authentication-cluster/step-up-session — Step-up session
- https://www.transcodes.io/docs/authentication-cluster/webhook — Webhook integration
- https://www.transcodes.io/docs/authentication-cluster/backup — Backup methods
- https://www.transcodes.io/docs/authentication-cluster/json-web-key — JSON Web Key
- https://www.transcodes.io/docs/authentication-cluster/api-token — API token (`x-transcodes-token`) for HTTP APIs
- https://www.transcodes.io/docs/authentication-cluster/multi-org — Multi-organization

### API Reference
- https://www.transcodes.io/docs/api-reference — Overview
- https://www.transcodes.io/docs/api-reference/token — Token API
- https://www.transcodes.io/docs/api-reference/member — Member API
- https://www.transcodes.io/docs/api-reference/events — Events API
- https://www.transcodes.io/docs/api-reference/modal — Modal API
- https://www.transcodes.io/docs/api-reference/audit — Audit API
- https://www.transcodes.io/docs/api-reference/init-config — Init & config
- https://www.transcodes.io/docs/api-reference/types — TypeScript types