How It Works

⚡ 5 min read

Transcodes acts as your AI secretary for admin authentication, operations, and management — handling passkey login, step-up verification, RBAC, audit logs, and member management on your behalf. Under the hood, every credential is based on cryptographic proof: your private key never leaves your device, and we only store public keys

Even if Transcodes servers are fully compromised, your credentials remain safe. There is nothing to steal

DPoP: Proof of Possession

Private key generated and stored on device
Public key registered with Transcodes server once
On login: device signs a challenge, server verifies with public key
JWT issued — private key never transmitted

Server Breach? No Problem.

What’s on the server	Attacker gets	Risk
Public keys	Useless without private key	None
Encrypted metadata	Cannot decrypt without key	None

Credential Encryption

Layer	What’s Protected	Encryption
In-Memory	Access tokens	AES-256-GCM
Browser Storage	Private keys	Platform encryption
Server-Side	Server JWT (`x-transcodes-token`), metadata	AES-256 at rest
In Transit	All API communication	TLS 1.3

Access tokens are in memory only—never written to localStorage or cookies, eliminating XSS token theft

Supported Authentication Methods

Method	Use Case	Examples
Passkey (WebAuthn)	Primary login (biometrics)	Face ID, Touch ID, Windows Hello
TOTP	Step-up auth / MFA backup	Google Authenticator, Authy
Hardware Security Key	High-assurance / admin access	YubiKey, Titan Key (FIDO2)
Email	Recovery / backup sign-in	6-digit code to your verified address

Cross-device: QR code-based passkey login (phone → desktop)
Synced passkeys via iCloud Keychain, Google Password Manager, Microsoft account
Email codes are typically used when passkeys or other factors are unavailable (recovery path), not as a day-to-day password replacement

Recovery Process

Register at least two authentication methods (e.g. passkey + YubiKey, passkey + TOTP, or passkey + verified email for recovery codes) for maximum recovery coverage

Next Steps

Why Transcodes Architecture Passkey-first Login

How It Works

⚡ 5 min read

Even if Transcodes servers are fully compromised, your credentials remain safe. There is nothing to steal

DPoP: Proof of Possession

Private key generated and stored on device
Public key registered with Transcodes server once
On login: device signs a challenge, server verifies with public key
JWT issued — private key never transmitted

Server Breach? No Problem.

What’s on the server	Attacker gets	Risk
Public keys	Useless without private key	None
Encrypted metadata	Cannot decrypt without key	None

Credential Encryption

Layer	What’s Protected	Encryption
In-Memory	Access tokens	AES-256-GCM
Browser Storage	Private keys	Platform encryption
Server-Side	Server JWT (`x-transcodes-token`), metadata	AES-256 at rest
In Transit	All API communication	TLS 1.3

Access tokens are in memory only—never written to localStorage or cookies, eliminating XSS token theft

Supported Authentication Methods

Method	Use Case	Examples
Passkey (WebAuthn)	Primary login (biometrics)	Face ID, Touch ID, Windows Hello
TOTP	Step-up auth / MFA backup	Google Authenticator, Authy
Hardware Security Key	High-assurance / admin access	YubiKey, Titan Key (FIDO2)
Email	Recovery / backup sign-in	6-digit code to your verified address

Cross-device: QR code-based passkey login (phone → desktop)
Synced passkeys via iCloud Keychain, Google Password Manager, Microsoft account
Email codes are typically used when passkeys or other factors are unavailable (recovery path), not as a day-to-day password replacement

Recovery Process

Register at least two authentication methods (e.g. passkey + YubiKey, passkey + TOTP, or passkey + verified email for recovery codes) for maximum recovery coverage

Next Steps

Why Transcodes Architecture Passkey-first Login