Step 2: Web app (SDK)

Call redirectToStepUp before a sensitive action. The SDK asks the backend for an RBAC decision, opens Transcodes Auth in a new tab when needed, polls the session, and resolves in the same page (waiting overlay — no full redirect).


Call step-up

```javascript
const res = await transcodes.redirectToStepUp({
  resource: 'documents',
  action: 'delete',
  comment: 'Delete invoice #1042',
});
const gate = res.payload[0];
```

| decision | Meaning |
| --- | --- |
| allow | Level 1 — proceed immediately |
| deny | Level 0 — blocked (res.success may still be true; check decision) |
| stepup | Level 2 — human must complete MFA; then check status |

After decision: 'stepup'

Polling runs until status === 'verified' or 'rejected', or the user closes the waiting overlay.

```javascript
const ok =
  res.success &&
  (gate?.decision === 'allow' ||
    (gate?.decision === 'stepup' && gate?.status === 'verified'));

if (ok) {
  await deleteDocument();
}
```

Do not treat res.success alone as approval. A deny can return success: true with decision: 'deny'.
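
The approval rule above, wrapped so that every unexpected case blocks the action (an added example, not Transcodes SDK code). `evaluateGate`, `guardedAction` and the sample responses are hypothetical; the resource/action comparison assumes the SDK echoes the requested values.

```javascript
// Fail-closed check of a redirectToStepUp result. evaluateGate and guardedAction
// are hypothetical helpers; field names are the ones shown on this page.
function evaluateGate(res, expected) {
  if (!res || res.success !== true) return { ok: false, reason: 'request-failed' };
  const gate = Array.isArray(res.payload) ? res.payload[0] : undefined;
  if (!gate) return { ok: false, reason: 'no-decision' };
  // Assumption: returned resource/action echo the request; a mismatch means the
  // decision belongs to a different operation, so refuse it.
  if (gate.resource !== expected.resource || gate.action !== expected.action) {
    return { ok: false, reason: 'mismatch' };
  }
  switch (gate.decision) {
    case 'allow':
      return { ok: true, reason: 'allow' };
    case 'stepup':
      // Only completed MFA counts; 'rejected' or a closed overlay does not.
      return gate.status === 'verified'
        ? { ok: true, reason: 'stepup-verified' }
        : { ok: false, reason: 'stepup-not-verified' };
    case 'deny':
      return { ok: false, reason: 'deny' }; // even though res.success is true
    default:
      return { ok: false, reason: 'unknown-decision' }; // unrecognised value: block
  }
}

// Runs `action` only on approval. `client` stands for the transcodes SDK object.
async function guardedAction(client, request, action) {
  let res;
  try {
    res = await client.redirectToStepUp(request);
  } catch {
    return { ok: false, reason: 'sdk-error' };
  }
  const verdict = evaluateGate(res, request);
  if (verdict.ok) await action();
  return verdict;
}

// Constructed sample responses (not captured from a real backend).
const req = { resource: 'documents', action: 'delete', comment: 'Delete invoice #1042' };
const sample = (decision, status, success = true) => ({
  success,
  payload: [{ decision, status, sid: 'sid-example', resource: req.resource, action: req.action }],
});
for (const [d, s] of [['allow'], ['deny'], ['stepup', 'verified'], ['stepup', 'rejected']]) {
  console.log(d, s ?? '-', evaluateGate(sample(d, s), req));
}
```

Returning a reason alongside `ok` lets the UI distinguish a policy deny from an abandoned or rejected MFA prompt.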


What the SDK does internally

  1. POST /auth/temp-session/step-up/redirect-session with resource, action, redirectUri
  2. Opens auth URL (tc_mode=stepup) in a new tab
  3. Polls GET …/step-up/session/:sid until verified or rejected
  4. Returns { decision, status, sid, resource, action } to your app

MFA and audit logging on the auth page happen on Transcodes Auth — not in your bundle.

