# Transcodes AI Integration Guide

---

## [Table of Contents]

### Agent directives & rules
- [Global Agent Directives] — security, parameter resolution, video references
- [Global Implementation Rules] — try-catch, loading state, await
- **[Default Integration Method] — CDN static (HTML `<head>`) is the ONLY default. npm SDK is a fallback.**
- [Code Contract] — mandatory rules every code block must satisfy
- [Exhaustive Modal API List] — only 3 modals exist
- [Quick Use Cases] — when to call which modal
- [Common Session Rule] — session requirements per API
- [Blocking Parameter Rule] — stop and ask for resource / action (IDP modal) when unknown
- [Placeholder Resolution Policy] — RESOLVED_* are required inputs, not final values
- [Index & Tags] — keyword → section mapping

### MCP Server Integration
- MCP Server setup — Claude Desktop, Cursor, Codex
- Available MCP tools — members, roles, resources, audit logs, permissions
- Migration Guide — moving existing users and roles to Transcodes

### How It Works & Architecture
- Core security model — WebAuthn, DPoP, browser memory tokens, RP ID binding
- System Context: Disney World Scenario — entity mapping and authentication flow analogy

### Section 1 — PWA Setup (manifest + sw.js) — CDN static
- PWA — HTML + service worker (required, CDN static, `defer`)
- DO NOT list — prohibited actions
- Required wiring (single canonical snippet — `<link rel="manifest">` + `<script defer>` in `<head>`)
  - React (Vite / CRA) / Vue.js — native `<script defer>` in `index.html` `<head>`
  - Next.js App Router — native `<script defer>` in `<head>`, no `next/script`
  - All frameworks — `sw.js` placement rules
- PWA Setup — docs & Console panels
- SDK note — isPwaInstalled()

### Section 2 — Authentication
- Integration Methods (CDN-first)
  - **Option A — HTML / CDN static (DEFAULT, REQUIRED unless explicitly told otherwise)** — `<script defer>` in `<head>`, no `init()`, `transcodes.d.ts` MUST be added
  - Option B — `@bigstrider/transcodes-sdk` (npm) — fallback only when CDN static is impossible; requires `init()`
- CDN vs npm naming comparison table
- TranscodesInitOptions (npm fallback only)
- Dynamic SDK utility methods — isInitialized, setConfig, getBuildInfo

### Core APIs
- Framework Integration: Must-Know — focus trap, composedPath, updateComplete, CSS isolation
- 1. openAuthLoginModal — login, signup, session restore
- 2. openAuthConsoleModal — passkey / TOTP / name / email self-service (passwordless)
- 3. openAuthIdpModal — step-up MFA, RBAC resource+action
- 5. Token API — getCurrentMember (→ GetCurrentMemberResult), getAccessToken, hasToken, isAuthenticated, signOut
- 6. Member API — getMember (fresh from API)
- 7. Events API — AUTH_STATE_CHANGED, TOKEN_REFRESHED, TOKEN_EXPIRED, ERROR, MEMBER_REVOKED (admin-side suspension / revocation)
- 8. trackUserAction — audit logs

### Type definitions & patterns
- Type Definitions — Member, ApiResponse, IdpAuthResponse, TokenAPI, GetCurrentMemberResult, GetCurrentMemberFailureReason
- Framework setup (quick reference) — CDN static first for every framework (React+Vite, Next.js, Vue3); npm variant after, fallback only
- **Framework-specific access pattern (CSR vs SSR)** — when `transcodes.*` is safe vs when you must guard with `typeof window !== 'undefined' && window.transcodes` (Next.js / Remix / Astro / SvelteKit pitfall)
- Quick start example (CDN static — DEFAULT)
- **CDN TypeScript setup — MANDATORY** — fetch `https://www.transcodes.io/instructions/types` → save as `transcodes.d.ts` → wire `tsconfig.json`
- React AuthContext pattern
- Quick start example (`@bigstrider/transcodes-sdk` — React) — npm fallback
- Step-up MFA example (CDN static — DEFAULT)

### Server & infrastructure
- Server-side JWT verification — public_key.json, jose, ES256
  - Node.js / Next.js (jose)
  - Python (PyJWT)
- CSP (Content Security Policy)

### Reference
- Release Checklist
- .transcodes Integration Record — create after setup, read before modifying
- Browser support
- Scope: Transcodes vs Your App + frontend security recommendations
- Links — docs, Console, CDN
- Video Tutorials

### Troubleshooting
- PWA / sw.js — GET 404, install prompt never appears, manifest 404
- SDK loading (CDN) — window.transcodes undefined, TypeScript errors, init() conflict
- SSR `ReferenceError` — `transcodes is not defined` / `window is not defined` on Next.js / Remix / Astro / SvelteKit (TypeScript will not catch this)
- Authentication modals — modal not opening, result.success false, resource / action errors
- JWT / server-side — algorithm errors, kid mismatch, getAccessToken null, getCurrentMember errors
- RBAC — resource/action resolution (Console + MCP)
- CSP / network — script blocked, CORS errors
- General checklist — 10-point sanity check

---

## CRITICAL AGENT DIRECTIVES 

<critical_rules>

> **READ THIS BEFORE GENERATING ANY CODE.**
> You are an AI implementation assistant for Transcodes — an AI secretary that helps teams handle admin authentication, operations, and management (passkey login, RBAC, step-up auth, audit logs, member management).
> **You MUST strictly adhere to the following rules.**

### 1. Integration Method Rule (CDN Static is the ONLY Default)
- **ALWAYS default to CDN static integration. Use npm sdk library only if the user explicitly requests it or confirms they cannot use the CDN method**
- **NEVER** use the npm SDK (`@bigstrider/transcodes-sdk`) unless the user explicitly requests it or confirms they cannot use the CDN method.
- **NEVER** call `init()` on the CDN static path.
- **REQUIRED HTML:** Add `<link rel="manifest">` and `<script src=".../webworker.js" defer></script>` to the `<head>`.
- **REQUIRED ATTRIBUTE:** The script tag **MUST** use `defer`. Do NOT use `type="module"`, `crossorigin`, or `async`.

### 2. TypeScript Rule (Mandatory for CDN Static)
- **`transcodes.d.ts` is MANDATORY** for any TypeScript project using the CDN static method.
- **DO NOT ASSUME IT EXISTS.** Verify its existence. If missing, you MUST create it by fetching from `https://www.transcodes.io/instructions/types`.
- **`tsconfig.json` MUST BE UPDATED.** You MUST add the directory containing `transcodes.d.ts` to **BOTH** `include` AND `typeRoots`. Skipping this will cause a compile error.

### 3. Framework Access Pattern Rule (CSR vs SSR)
- **CSR (Vite, CRA, Vue SPA):** Use the bare `transcodes.*` global everywhere.
- **SSR/RSC (Next.js, Remix, Astro, SvelteKit):** You **MUST** guard SDK calls. Calling `transcodes.*` at the module top-level or in server renders will throw a `ReferenceError`.
  - **Rule:** Only call `transcodes.*` inside browser-only paths (`useEffect`, event handlers) OR guard it with `if (typeof window !== 'undefined' && window.transcodes)`.

### 4. Code Contract Rule (Duplicate, see Rule 7)
- **ALWAYS** wrap API invocations in a `try-catch` block.
- **ALWAYS** use `await` for async SDK methods.

### 5. Parameter Resolution Rule
- If a required parameter (like `projectId`, `resource`, or `action`) is missing, **STOP AND ASK** the user. Do NOT hallucinate or guess security parameters.
- If Transcodes MCP is available, use it to resolve resources/roles first.

---

### [Default Integration Method — CDN STATIC IS THE ONLY DEFAULT]

1. **Always default to CDN static integration.** Add two tags to the HTML `<head>` and create one `public/sw.js`:

   ```html
   <head>
     <link rel="manifest" href="https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/manifest.json" />
     <script src="https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>
   </head>
   ```

   ```javascript
   // public/sw.js — entire file, one line
   importScripts('https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/sw.js');
   ```

2. **The script tag MUST use `defer`.** Do NOT use `type="module"`. Do NOT add `crossorigin` / `crossOrigin`. Do NOT use `async`. Do NOT use Next.js `<Script>` / framework loaders. Plain `<script src="…" defer></script>` only.

3. **CDN static REQUIRES `transcodes.d.ts` for any TypeScript project. Skipping any sub-step here is a compile error.** This is a strict 3-step procedure — execute it as a sequence, do not assume any step is already done:

   **Step 3a — Check if `transcodes.d.ts` exists in the repo** (e.g. `types/transcodes.d.ts`, `src/types/transcodes.d.ts`, or anywhere on the `tsconfig.json` `include` path).
   - **If the file is MISSING → you MUST create it** by fetching from `https://www.transcodes.io/instructions/types` (or download/copy the same file from the Transcodes Console). Do not skip this step because the file "should be there" — verify, then create if absent:
     ```bash
     mkdir -p types
     curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
     ```
   - **If the file EXISTS → still confirm it is up-to-date** by re-running `curl` (or comparing the version comment).

   **Step 3b — TypeScript projects MUST update `tsconfig.json`** so the compiler picks up the file. **Without this edit, every `transcodes.*` (or `window.transcodes.*`) call site will throw a TypeScript compile error** (`Cannot find name 'transcodes'` for the bare form, or `Property 'transcodes' does not exist on type 'Window & typeof globalThis'` for the explicit form). Add the directory containing `transcodes.d.ts` to **both** `include` AND `typeRoots`:
     ```jsonc
     {
       "compilerOptions": {
         "typeRoots": ["./node_modules/@types", "./types"]
       },
       "include": ["src", "types"]
     }
     ```

   **Step 3c — Verify by running `tsc --noEmit`** (or your framework's type-check command). If `window.transcodes` is still untyped, `tsconfig.json` was not edited correctly — go back to Step 3b.

   For non-TypeScript (plain JS) projects you can skip Step 3b/3c, but Step 3a is still recommended so editors can offer autocomplete via JSDoc.

4. **Do NOT call `init()` on the CDN static path.** `webworker.js` bootstraps `window.transcodes` automatically — `projectId` is encoded in the URL.

5. **Do NOT install `@bigstrider/transcodes-sdk` by default.** The npm SDK is a **fallback only** for the rare case where CDN static is impossible. Before falling back, ASK the user explicitly:
   > "I default to CDN static integration (`<script defer>` in `<head>` + `transcodes.d.ts`). Do you have a reason that requires the npm SDK (`@bigstrider/transcodes-sdk`) instead?"
   Do not silently choose npm.

6. **All later code in this document — Quick start, Framework setup, Step-up examples — assumes CDN static unless explicitly labelled as npm.**

7. **Modal & SDK call syntax — CDN static is the default; access everything through the `transcodes` global.** `transcodes.d.ts` declares `var transcodes: Window['transcodes']`, so the bare `transcodes.*` form (preferred) and the explicit `window.transcodes.*` form are equivalent at runtime and both type-check.

   **Framework rule (CSR vs SSR):**
   - **Vite / CRA / pure SPA (no SSR)** — use bare `transcodes.*` everywhere. Both forms work; the bare form is shorter.
   - **Next.js (App Router & Pages) / Remix / Astro / SvelteKit (any framework with an SSR or RSC pass)** — bare `transcodes.*` is safe **only inside browser-only code paths** (`useEffect`, `useLayoutEffect`, event handlers, post-mount logic). For module top-level, RSC bodies, server loaders, or `getServerSideProps` / `getStaticProps`, **either form throws `ReferenceError` at runtime** (the type system will not catch this — `.d.ts` declares the global as always-present). Guard with `typeof window !== 'undefined' && window.transcodes` before any module-level access.

   See **Framework-specific access pattern** below for the full per-framework matrix and idiomatic SSR-safe patterns. **Always pick the access form based on the user's framework, not by default.** Reserve `window.transcodes` for the feature-detection guard; use bare `transcodes.*` for the actual calls inside browser-only scopes.

   Do **not** emit bare imports like `import { openAuthLoginModal } from '@bigstrider/transcodes-sdk'` unless the user has confirmed Option B (npm fallback). The exact mapping:

   | Operation                  | CDN static (DEFAULT)                                                | npm fallback (only after user confirms)                                          |
   | -------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
   | Login modal                | `await transcodes.openAuthLoginModal({})`                           | `import { openAuthLoginModal }` then `await openAuthLoginModal({})`              |
   | Member self-service        | `await transcodes.openAuthConsoleModal()`                           | `import { openAuthConsoleModal }` then `await openAuthConsoleModal()`            |
   | Step-up MFA                | `await transcodes.openAuthIdpModal({ resource, action })`           | `import { openAuthIdpModal }` then `await openAuthIdpModal({ resource, action })` |
   | Is authenticated?          | `await transcodes.token.isAuthenticated()`                          | `import { isAuthenticated }` then `await isAuthenticated()`                      |
   | Current member             | `await transcodes.token.getCurrentMember()`                         | `import { getCurrentMember }` then `await getCurrentMember()`                    |
   | Access token (for fetch)   | `await transcodes.token.getAccessToken()`                           | `import { getAccessToken }` then `await getAccessToken()`                        |
   | Sign out                   | `await transcodes.token.signOut()`                                  | `import { signOut }` then `await signOut()`                                      |
   | Member lookup              | `await transcodes.member.get({ email })`                            | `import { getMember }` then `await getMember({ email })`                         |
   | Subscribe to events        | `transcodes.on('TOKEN_EXPIRED', cb)`                                | `import { on }` then `on('TOKEN_EXPIRED', cb)`                                   |
   | Audit log                  | `await transcodes.trackUserAction({ tag, severity, status })`       | `import { trackUserAction }` then `await trackUserAction({ ... })`               |
   | PWA install state          | `transcodes.isPwaInstalled()`                                       | `import { isPwaInstalled }` then `isPwaInstalled()`                              |

   When generating any client-side example (handler, hook, context, button click, route guard, MFA-protected action…), generate the **left column form first**. The right column appears only when explicitly tagged "npm fallback".

### 4. Parameter Resolution Rule
- If a required parameter (like `projectId`, `resource`, or `action`) is missing, **STOP AND ASK** the user. Do NOT hallucinate or guess security parameters.
- If Transcodes MCP is available, use it to resolve resources/roles first.

### 5. Troubleshooting Rule
- If you encounter a TypeScript error (`Cannot find name 'transcodes'`) or a `ReferenceError` (`transcodes is not defined`), **IMMEDIATELY consult the Troubleshooting section** at the bottom of this document.

### 6. Code Contract Rule
- **ALWAYS** wrap API invocations in a `try-catch` block.
- **ALWAYS** use `await` for async SDK methods (e.g., `isAuthenticated()`, modal APIs).
- **ALWAYS** check `result.success` before reading `result.payload`.
- **ALWAYS** implement `isLoading` states during async calls.
- **For `openAuthIdpModal`**, first check outer `ApiResponse.success`, then check `result.payload[0]?.success`, then read `result.payload[0].sid`.
- **For `getCurrentMember` / `token.getCurrentMember()`**, the return type is `GetCurrentMemberResult` (`{ success, member, error? }`) — not `Member | null`. Branch on `success` before using `member`.
- **Verify step-up session server-side** through `GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}` with header `x-transcodes-token: <AUTH_API_TOKEN>`.

</critical_rules>

### [Exhaustive Modal API List — only these three exist]
1. `openAuthLoginModal({ webhookNotification? })` — login & signup
2. `openAuthConsoleModal()` — member self-service
3. `openAuthIdpModal({ resource, action, forceStepUp?, webhookNotification? })` — step-up MFA

**Admin / org management (members, roles, resources, audit logs)** is **not** a browser modal — use the **Transcodes MCP server** (`@bigstrider/transcodes-mcp-server`) from your AI tool’s config.

### [Quick Use Cases]
- `openAuthLoginModal({ webhookNotification? })`
  - Use when the user needs to sign in, onboard, or restore a session after expiry
- `openAuthConsoleModal()`
  - Use when the current member needs to register, remove, or change authentication methods such as passkey, authenticator, or TOTP
  - Use when the current member needs to update their own profile fields such as name or primary email
- `openAuthIdpModal({ resource, action, forceStepUp?, webhookNotification? })`
  - Use before truly sensitive, risky, or critical actions
  - Use when you must stop AI or automation from executing a dangerous action by itself
  - The action only proceeds after the user re-verifies identity with passkey, authenticator, or TOTP
- `trackUserAction(event, options?)`
  - Use when an action, behavior, or result must be recorded as an audit log
  - Use for compliance logging and for tracking both success and failure of important actions

Example literals in this section and later code blocks are examples only. Final implementations must use values confirmed by the user, codebase, or MCP.

### [Common Session Rule]
- `openAuthLoginModal()` creates or restores a member session.
- `openAuthConsoleModal()` and `openAuthIdpModal()` should be treated as authenticated-only flows.
- `trackUserAction()` does **not** always require an existing session.
- Use `trackUserAction(..., { requireAuth: true })` only when the audit log must be tied to the current signed-in member.

### [Blocking Parameter Rule — ask before coding]
For these APIs, missing required business parameters are a **hard stop**:

- `openAuthIdpModal({ resource, action })`
  - First try MCP / Console discovery:
    - resources via `get_resources`
  - If `resource` or `action` still cannot be inferred from the codebase, MCP, or explicit user input, **ask the user exactly one blocking question** and **do not output implementation code yet**.
  - Never invent fallback values such as `{ resource: 'users', action: 'delete' }` unless the protected action was confirmed by MCP or the user.

Rule for documentation examples:
- Example values in this file are illustrative only.
- Do not copy example literals into final code unless the user, codebase, or MCP confirms them.

### [Placeholder Resolution Policy — placeholders are REQUIRED inputs, not final values]
This document contains documentation placeholders such as:
- `RESOLVED_PROJECT_ID`
- `RESOLVED_JWT_ISSUER`
- `RESOLVED_AUTH_API_TOKEN` (server-only JWT issued from the Console; sent as `x-transcodes-token` when calling Transcodes APIs from the backend)

These placeholders mean **the AI must resolve the real value before outputting final code**.

Resolution order:
1. Search the codebase / env / config for the real value
2. If available, use MCP / Console data
3. If still unknown, ask the user once

**Never ship final code with unresolved placeholders.** Placeholders in this document are only markers for values that must be filled before implementation.

## [Index & Tags]
- **Authentication/Login**: `openAuthLoginModal` (#signin, #signup, #onboarding, #session)
- **Account Management**: `openAuthConsoleModal` (#profile, #settings, #passkey, #self-service)
- **Admin/RBAC / directory**: Transcodes MCP server — `get_roles`, `get_resources`, member tools (#management, #invitation, #directory, #roles)
- **Security/MFA**: `openAuthIdpModal` (#mfa, #step-up, #high-risk, #sensitive)
- **Session/JWT**: `Token API` (#jwt, #bearer, #route-guard, #signout)
- **User Data**: `Member API` (#profile-refresh, #role-verification)
- **Real-time State**: `Events API` (#state-sync, #auto-logout, #monitoring)
- **Compliance**: `trackUserAction` (#audit, #logging, #tracking)
- **MCP Server**: `@bigstrider/transcodes-mcp-server` (#mcp, #ai-integration, #claude, #cursor, #codex)

**MUST — first step:** Before writing or changing any integration code, **you must discover the real Transcodes Project ID** (`projectId`) yourself (search the codebase, env/config, and [Console](https://app.transcodes.io) as appropriate — **do not** paste a laundry list of variable names; infer what this project uses). If you still cannot find it, **ask the user once**, then **insert that id everywhere** it belongs: CDN URLs (`https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/...` or your env's `CDN_BASE`), the HTML `<script src=".../webworker.js" defer>` tag in `<head>`, and (for the **npm fallback only**) `init({ projectId })`. **The default CDN static path does not use `init()`** — `webworker.js` bootstraps `window.transcodes` automatically when the deferred script runs. **The placeholders in this document are not shippable values** — they are required inputs that must be resolved before final code output.

Base URL: https://www.transcodes.io
Dashboard: https://app.transcodes.io  
CDN pattern: `https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/webworker.js` (resolve the real project ID before final code output)

Quick split:
- **Web App Kit** = PWA install flow (`manifest.json`, `webworker.js`, `sw.js`)
- **Authentication Kit** = login, step-up MFA, member console, JWT (org admin via MCP, not a modal)

**Prerequisite:** The project must have Auth and PWA configurations saved in the [Transcodes Console](https://app.transcodes.io).

---

# Section 1 — PWA Setup

Use this section only for installable PWA setup.

## PWA — HTML + service worker (required)

### DO NOT:
- Do NOT create a local `manifest.json` or `manifest.ts` or `metadata.ts` for PWA
- Do NOT download or copy `webworker.js` content into a local file
- Do NOT create a local `manifest.webmanifest` file
- Do NOT generate PWA icon files locally
- Do NOT use `type="module"` on the `webworker.js` `<script>` tag — **use plain `<script src="…" defer></script>`**
- Do NOT add `crossorigin` / `crossOrigin` to the `webworker.js` `<script>` tag
- Do NOT use `async` on the `webworker.js` `<script>` tag — only `defer`
- Do NOT load `webworker.js` with Next.js `<Script>` or any framework loader — use a **native** `<script defer>` in `<head>`
- All PWA assets (`manifest.json`, `webworker.js`, icons) are hosted on Transcodes CDN and must be referenced by URL only

### Required wiring

The PWA install path needs **two tags in the HTML `<head>`** and **one `public/sw.js` file** at the site root. Nothing else. **`@bigstrider/transcodes-sdk` is NOT required** — CDN static is the default for both PWA and Auth.

**Use a native `<script defer>` tag** for `webworker.js` — not Next.js `<Script>`, not a framework loader. Same rule for React SPA (Vite/CRA) and Next.js: a real `<script src="…" defer></script>` in `<head>`. **No `type="module"`. No `crossorigin`.**

**CDN host:** Production typically uses `https://cdn.transcodes.link`. Some environments use `https://dev.transcodes.link` — resolve `CDN_BASE` from Console / env (e.g. `NEXT_PUBLIC_TRANSCODES_CDN_BASE`).

**TypeScript (CDN) — MANDATORY (3 strict steps):**
1. **Verify `transcodes.d.ts` exists** in the repo. If it is MISSING, create it now from `https://www.transcodes.io/instructions/types` (do not skip — the file will not appear by itself):
   ```bash
   mkdir -p types && curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
   ```
2. **Edit `tsconfig.json`** — add the directory to **both** `include` and `typeRoots`. **Without this edit, every `transcodes.*` call site is a TypeScript compile error** (`Cannot find name 'transcodes'`).
3. **Run `npx tsc --noEmit`** to confirm no type errors remain.

See **CDN TypeScript setup** for the full procedure and the exact `tsconfig.json` snippet. **Do not** call `init()` on the CDN static path.

#### React (Vite / CRA) / Vue.js

Add to `index.html` `<head>`, then create `public/sw.js`:
```html
<head>
  <link rel="manifest" href="https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/manifest.json" />
  <script src="https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>
</head>
```

`public/sw.js` (entire file — one line):
```javascript
importScripts('https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/sw.js');
```

#### Next.js App Router

Use a **native `<script defer>` inside `<head>`** — do not use Next.js `next/script` for `webworker.js`. Do NOT create `metadata.ts`, `manifest.ts` files:
```tsx
export default function RootLayout({ children }: { children: React.ReactNode }) {
  const projectId = process.env.NEXT_PUBLIC_TRANSCODES_PROJECT_ID!;
  const cdnBase = process.env.NEXT_PUBLIC_TRANSCODES_CDN_BASE ?? 'https://cdn.transcodes.link';
  return (
    <html lang="en" suppressHydrationWarning>
      <head>
        <link rel="manifest" href={`${cdnBase}/${projectId}/manifest.json`} />
        <script src={`${cdnBase}/${projectId}/webworker.js`} defer />
      </head>
      <body>{children}</body>
    </html>
  );
}
```

**Note:** The script tag is the same in HTML and JSX — plain `<script src="…" defer>`. **Never** add `type="module"`, `crossorigin`, or `crossOrigin`. Place the tag inside `<head>` in Next.js, React SPA, and every other framework.

`public/sw.js` (entire file — one line):
```javascript
importScripts('https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/sw.js');
```

#### All frameworks

- `sw.js` must be served at the URL path `/sw.js`. Place it in the static/public folder that your framework maps to the site root.
- Do NOT write service worker logic yourself — the single `importScripts` line is the entire file.
- Alternative: download `sw.js` from [Transcodes Console](https://app.transcodes.io) → PWA Setup → Installation Guide.



### PWA Setup — docs & Console panels

- [Installation Guide](https://www.transcodes.io/docs/web-app-cluster/installation-guide)
- [Configuration](https://www.transcodes.io/docs/web-app-cluster/configuration) — app name, short name, web domain URL, scope, service worker path, display mode, orientation, theme colors, shortcuts (long-press icon)
- [App Icons](https://www.transcodes.io/docs/web-app-cluster/app-icons) — upload base icon; manifest sizes generated automatically

### SDK note

`isPwaInstalled()` (sync, `@bigstrider/transcodes-sdk`) reflects install state; **installability** still requires this Section 1 HTML + `sw.js` wiring.

---

# MCP Server Integration

Connect the Transcodes MCP server to AI tools (Claude, Cursor, Codex) so the AI can manage your project's members, roles, resources, and audit logs directly.

## Setup

**Package:** `@bigstrider/transcodes-mcp-server` (runs via `npx`)

**Config JSON** (used by Claude Desktop and Cursor):
```json
{
  "mcpServers": {
    "transcodes": {
      "command": "npx",
      "args": ["-y", "@bigstrider/transcodes-mcp-server"],
      "env": {
        "TRANSCODES_TOKEN": "tc_live_..."
      }
    }
  }
}
```

| Tool | Config file path |
| :--- | :--- |
| Claude Desktop (macOS) | `~/Library/Application Support/Claude/claude_desktop_config.json` |
| Claude Desktop (Windows) | `%APPDATA%\Claude\claude_desktop_config.json` |
| Cursor | `~/.cursor/mcp.json` |
| Codex | `codex mcp add transcodes-mcp --env TRANSCODES_TOKEN=JWT_FORMAT... -- npx -y @bigstrider/transcodes-mcp-server` (or set `TRANSCODES_TOKEN` in the MCP UI) |

**Env:** `TRANSCODES_TOKEN` = Transcodes JWT token (`JWT_FORMAT...`) from the Console. **Project and member context are embedded in the token** — no separate API key / project ID / email variables for MCP. After changing env, restart the MCP host app so the server reloads.

## What the MCP server can do

| Category | Actions |
| :--- | :--- |
| Members | List, create, update, suspend, unsuspend, change role |
| Roles | List, create, update, set per-resource permissions |
| Resources | List, create, update |
| Permissions | Simulate RBAC check (check_rbac_permission) |
| Audit Logs | Query by date range, tag, member |
| Passkeys / TOTP | List devices per member |
| Project | Get project details, membership status |

## Example prompt

After connecting, type a prompt like:

```
Implement login with magic link, passkey, and TOTP,
add step-up authentication for sensitive actions,
track and store user activity logs with details like
timestamp, IP, and user agent, and include a personal
console where users can manage their authentication
methods and review their activity history
```

Docs: [MCP Server Setup](https://www.transcodes.io/docs/mcp-server)

---

# Section 2 — Admin Authentication, Operations & Management

Everything below covers **authentication, tokens, modals, JWT verification, CSP, and passkey/WebAuthn** — what your Transcodes secretary handles on your behalf. For **PWA** (manifest + `sw.js`), use **Section 1**.

### Integration Option A — HTML / CDN

Your Transcodes secretary handles:
- Passkey-first login (Face ID, Touch ID, hardware keys)
- Step-up MFA for sensitive and high-risk actions
- Member management + RBAC
- Tamper-proof audit logs
- JWT issuance

## Migration Guide (Moving to Transcodes)

When a client wants to migrate an existing project and user base to Transcodes, follow this strict sequence. Transcodes is a passwordless, passkey-first system with strict RBAC, so legacy credentials cannot be imported.

### Phase 1: Console Setup
1. Go to the [Transcodes Console](https://app.transcodes.io).
2. Create and configure the **Web App Cluster**, **Authentication Cluster**, and **PWA Cluster**.
3. Save all configurations to generate the Project ID.

### Phase 2: MCP Server Configuration
1. In the Console, generate a Management Access Token (MAT).
2. Configure your AI agent's MCP settings to use `@bigstrider/transcodes-mcp-server` with this token. This grants the agent the necessary permissions to run migration commands.

### Phase 3: Data Migration via MCP
Request the client's existing data (e.g., as CSV or JSON files).

**What to request:**
- `resources.csv` (key, name, description)
- `roles.csv` (name, description)
- `permissions.csv` (role_name, resource_key, action, value: 0=deny, 1=allow, 2=allow+step-up)
- `members.csv` (email, name, role, legacy_user_id)

**What NOT to migrate (DO NOT ASK FOR THESE):**
- Plaintext or hashed passwords (Transcodes is passwordless).
- JWTs or legacy session tokens.
- TOTP secrets or existing Passkey/WebAuthn credentials (they are cryptographically bound to the old domain/RP ID).
*Migration UX:* Existing users will log in via Magic Link (Email OTP) on their first visit and register a new Passkey. No passwords needed.

**Import Order (CRITICAL):**
You MUST execute MCP tools in this exact order. Reverse order causes "not found" errors.
1. `create_resource` for each resource.
2. `create_role` for each role.
3. `set_role_permissions` for each role. *(Note: This is a Verified Action requiring Step-up MFA. The admin approves it once on their device, and the resulting `sid` is valid for 10 minutes, allowing you to batch-process the rest).*
4. `create_member` for each user.
   - **Pro Tip:** Always map the client's old database ID to the `metadata` field (e.g., `metadata: { legacy_user_id: "12345" }`). This ensures the client's backend can still link the new Transcodes `member_id` to their existing records.

**Fallback Strategy (Missing or Incomplete Data):**
- **Only emails provided (no RBAC):** Ask for existing roles. If unknown, create a default role (`name: "member"`) and assign it to all users. Advise configuring permissions later in the Console.
- **No files at all (small migration):** Ask the client to paste their user list (emails/names) directly into the chat. Loop through the text using `create_member`.
- **No files at all (large migration):** Ask the client to run a simple SQL query (e.g., `SELECT email, name, role FROM users`) and provide the output as text or CSV.

---

## How It Works & Architecture

Core security model:
1. Device-held keys via WebAuthn / DPoP
2. Access tokens managed in browser memory
3. Credentials bound to your RP ID
4. Server verifies JWTs and step-up sessions

Docs: [How It Works](https://www.transcodes.io/docs/introduction/how-it-works) · [Architecture & Security](https://www.transcodes.io/docs/introduction/architecture)

### System Context: Disney World Authentication & Authorization Scenario

Scenario Overview:
James is a registered Member holding an annual pass to Disney World (Project), which is overseen by the Disney Corporate Office (Organization). Today, he visits the park and needs to authenticate himself to gain access.

1. Identity Verification (Authentication & Attestation)
James heads to the Ticket Booth (Transcodes Gateway) to receive his daily admission pass. To prove his membership status, he presents his Personal ID (Attestation Private Key) to the staff. The system securely verifies his identity by matching the ID against his pre-registered Member Profile (Public Key).

2. Ticket Issuance and Security (Token & AES Encryption)
Upon successful verification, the gateway issues James an Admission Ticket (Token). To ensure that the ticket cannot be intercepted, stolen, or duplicated by a malicious third party, it is secured with specialized Anti-Counterfeit Technology (AES Key).

3. Expiration and Revocation (Token Expiration Time)
If James's ticket reaches the end of its Validity Period (Token Expiration Time), or if his underlying membership is suddenly revoked while he is inside the park, the ticket is immediately invalidated on the spot. Simultaneously, any temporary verification data (Signature, Attestation) held by the park's system is permanently destroyed, and James is required to exit the premises.

Entity Mapping Table (For LLM Grounding):

| Transcodes Concept | Analogy | Description |
| :--- | :--- | :--- |
| Organization | Walt Disney Corporate | The governing entity |
| Project | Disney World | The specific service/environment |
| User | Disney World Facility Manager | System Admin |
| Member | James | The end-user holding an annual pass |
| Attestation Key | Personal ID | Proof of membership |
| Transcodes Gateway | Ticket Booth / Entrance Gate | The authenticator |
| Token | Admission Ticket | The access grant |
| AES Key | Anti-Counterfeit Technology | Encryption to prevent theft/tampering |
| Token Expiration Time | Ticket Validity Period | TTL for the session |

---

## Integration Methods (CDN-first)

**Default to Option A. Use Option B only when CDN static is impossible AND the user has explicitly confirmed.**

### Option A — HTML / CDN static (DEFAULT — REQUIRED unless explicitly told otherwise)

This is the **only** path you should generate by default. Add **one `<script defer>` to `<head>`** — Transcodes does not inject anything for you.

- **No `init()` call.** `webworker.js` bootstraps the SDK automatically; `projectId` is encoded in the CDN URL.
- **`<script>` attributes:** `src` + `defer`. **Nothing else.** No `type="module"`, no `crossorigin`, no `async`.
- **TypeScript is MANDATORY for CDN static.** Fetch `https://www.transcodes.io/instructions/types`, save as `transcodes.d.ts`, wire `tsconfig.json` — see **CDN TypeScript setup**. Without it, `window.transcodes` is untyped.

```html
<!-- Authentication only (passkeys + step-up MFA). For PWA, add the <link rel="manifest"> + sw.js per Section 1. -->
<head>
  <script src="https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>
</head>
```

After the deferred script runs, all APIs are available via `window.transcodes` (or just `transcodes`).

**Why this is the default:** No bundler config, no `init()` race conditions, no SSR pitfalls, no extra dependency, single source of truth (the CDN URL), instant SDK updates without redeploying your app.

### Option B — `@bigstrider/transcodes-sdk` (npm) — FALLBACK ONLY

**Do not pick this unless the user explicitly asks for it.** Before generating npm code, ASK once:

> "I default to CDN static (`<script defer>` + `transcodes.d.ts`). Do you have a hard requirement that needs the npm SDK (`@bigstrider/transcodes-sdk`) — e.g. no controllable HTML `<head>`, strict bundler-only environment?"

If the user confirms, install the npm package and call `init()` once on the client:

```bash
npm install @bigstrider/transcodes-sdk
```

```typescript
import { init } from '@bigstrider/transcodes-sdk';

// Client entry only (e.g. main.tsx, providers.tsx with 'use client')
await init({ projectId: 'RESOLVED_PROJECT_ID' });
// Optional: await init({ projectId: '...', customUserId: 'uid_xxx', debug: true });
```

Then use **named exports** instead of `window.transcodes`:

```typescript
import {
  init,               // await init({ projectId, customUserId?, debug? })
  openAuthLoginModal, // await openAuthLoginModal({ webhookNotification? })
  openAuthConsoleModal, // await openAuthConsoleModal()
  openAuthIdpModal,   // await openAuthIdpModal({ resource, action })
  isAuthenticated,    // await isAuthenticated() → boolean  (ASYNC!)
  getCurrentMember,   // await getCurrentMember() → Promise<GetCurrentMemberResult> { success, member, error? }
  getAccessToken,     // await getAccessToken() → string | null
  hasToken,           // hasToken() → boolean  (SYNC)
  signOut,            // await signOut({ webhookNotification? })
  getMember,          // await getMember({ email?, memberId? }) → ApiResponse<Member[]>
  on, off,            // on('AUTH_STATE_CHANGED', cb) → unsubscribeFn
  trackUserAction,    // await trackUserAction({ tag, severity?, ... }, opts?)
  isPwaInstalled,     // isPwaInstalled() → boolean  (SYNC)
} from '@bigstrider/transcodes-sdk';
```

**CDN static (default) vs `@bigstrider/transcodes-sdk` (fallback) — naming map:**

The **left column is the default**. Only generate code from the right column when the user has confirmed Option B.

| Action                 | CDN static (DEFAULT — `transcodes` global)  | @bigstrider/transcodes-sdk (FALLBACK — named export) |
| ---------------------- | ------------------------------------- | ------------------------ |
| Init                   | **Do not call `init()`** — not required | `init({ projectId })` (required on client) |
| Login modal            | `transcodes.openAuthLoginModal({})`   | `openAuthLoginModal({})` |
| Is authenticated?      | `transcodes.token.isAuthenticated()`  | `isAuthenticated()`      |
| Get current member     | `transcodes.token.getCurrentMember()` → `GetCurrentMemberResult` | `getCurrentMember()` — same; check `success` then `member` |
| Get access token       | `transcodes.token.getAccessToken()`   | `getAccessToken()`       |
| Sign out               | `transcodes.token.signOut()`          | `signOut()`              |
| Lookup member          | `transcodes.member.get({ email })`    | `getMember({ email })`   |
| Subscribe to events    | `transcodes.on('EVENT', cb)`          | `on('EVENT', cb)`        |

---

## TranscodesInitOptions (@bigstrider/transcodes-sdk only)

```typescript
interface TranscodesInitOptions {
  projectId: string;      // Required — from Transcodes Console
  customUserId?: string;  // Optional — associate with your own user ID
  debug?: boolean;        // Optional — enable debug logging
}
```

---

## Dynamic SDK utility methods (CDN and @bigstrider/transcodes-sdk)

```typescript
// Check if SDK is already initialized (avoid double-init)
transcodes.isInitialized(): boolean

// Update config at runtime (e.g. set memberId after login)
transcodes.setConfig({ memberId?: string }): void

// Build info for debugging
transcodes.getBuildInfo(): { buildTimestamp: string }
```

```javascript
// CDN path: do NOT call transcodes.init() — webworker.js initializes the SDK from the URL.
// npm path: use init({ projectId }) once at client entry (see Integration Option B).

// Optional — link your own member ID after login (CDN or npm)
transcodes.setConfig({ memberId: 'your_internal_user_id' });
```

---

## 1. Core API: openAuthLoginModal (Login & Signup)

### Usage
- Showing sign in / sign up
- Restoring session after expiry
- Guarding protected routes

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| webhookNotification | boolean | N | Send Slack webhook on login. Default: false |
| projectId | string | N | Optional if inferred. |

### [Agent Instructions: Implementation Logic]
- **Mandatory Check**: Always check `result.success` before processing the payload.
- **Token Extraction**: Extract the JWT token and member object from `result.payload[0]`.
- **State Update**: After a successful login, update the application's authentication state using the returned `member` data.

### [Framework Integration: Must-Know]

All four Transcodes modals are Web Components rendered inside Shadow DOM. When calling them from any framework (React, Vue, Angular, etc.) combined with UI component libraries, apply these rules:

1. **Close parent overlays before opening a modal.** If the trigger button is inside a dropdown, popover, drawer, or dialog, close it first. These components implement focus traps that block Shadow DOM elements from receiving keyboard input.
```typescript
const handleOpenLogin = async () => {
  setMenuOpen(false); // close the parent dropdown / dialog / popover
  await new Promise(r => setTimeout(r, 0)); // one tick — lets the focus trap unmount
  await transcodes.openAuthLoginModal({});
};
```
2. **Use `composedPath()` for event targets.** `e.target` is retargeted to the custom element host at the shadow boundary. Use `e.nativeEvent.composedPath()[0]` (React) or `e.composedPath()[0]` (vanilla) to get the real inner element.
3. **Await `el.updateComplete` before reading Lit shadow DOM.** React and Lit have independent render cycles. Setting a property on a Lit element and immediately reading its shadow DOM returns stale data.
4. **Isolate inherited CSS.** Shadow DOM does not block inherited properties (`font-family`, `color`, etc.). If global resets or `!important` rules break modal appearance, apply `:host { all: initial; }` in the Lit component's styles, then selectively restore needed properties.

### [Implementation]

> **Calling syntax convention** — every [Implementation] block in this guide is shown twice:
> 1. **CDN static (DEFAULT)** — access the SDK through the bare `transcodes` global (equivalent to `window.transcodes`; `transcodes.d.ts` types both). No imports.
> 2. **npm fallback (`@bigstrider/transcodes-sdk`)** — named imports. Use only when the user has explicitly chosen the npm path.
>
> Generate the **CDN form by default**. Only emit the npm form when the user has confirmed Option B.

#### Login flow

**CDN static (DEFAULT):**
```typescript
async function handleLogin() {
  let isLoading = true;
  try {
    const result = await transcodes.openAuthLoginModal({});

    if (!result.success) {
      // User cancelled or auth failed — do NOT access payload
      return;
    }

    const { token, member } = result.payload[0];
    // token = JWT string, member = { id, email, role, ... }
    // Update your app state with member data here
  } catch (err) {
    console.error('Login error:', err);
  } finally {
    isLoading = false;
  }
}
```

**npm fallback (`@bigstrider/transcodes-sdk`):**
```typescript
import { openAuthLoginModal } from '@bigstrider/transcodes-sdk';

async function handleLogin() {
  let isLoading = true;
  try {
    const result = await openAuthLoginModal({});

    if (!result.success) return;

    const { token, member } = result.payload[0];
  } catch (err) {
    console.error('Login error:', err);
  } finally {
    isLoading = false;
  }
}
```

#### Login guard (auth-required route)

**CDN static (DEFAULT):**
```typescript
async function ensureAuthenticated() {
  try {
    const isAuth = await transcodes.token.isAuthenticated();
    if (isAuth) return true;

    const result = await transcodes.openAuthLoginModal({});
    if (!result.success) return false; // user cancelled
    return true;
  } catch (err) {
    console.error('Auth check failed:', err);
    return false;
  }
}
```

**npm fallback:**
```typescript
import { isAuthenticated, openAuthLoginModal } from '@bigstrider/transcodes-sdk';

async function ensureAuthenticated() {
  try {
    if (await isAuthenticated()) return true;
    const result = await openAuthLoginModal({});
    return Boolean(result.success);
  } catch (err) {
    console.error('Auth check failed:', err);
    return false;
  }
}
```

#### Re-auth on session expiry

**CDN static (DEFAULT):**
```typescript
transcodes.on('TOKEN_EXPIRED', async () => {
  try {
    const result = await transcodes.openAuthLoginModal({});
    if (result.success) window.location.reload();
  } catch (err) {
    console.error('Re-auth failed:', err);
    window.location.href = '/login?reason=session_expired';
  }
});
```

**npm fallback:**
```typescript
import { on, openAuthLoginModal } from '@bigstrider/transcodes-sdk';

on('TOKEN_EXPIRED', async () => {
  try {
    const result = await openAuthLoginModal({});
    if (result.success) window.location.reload();
  } catch (err) {
    console.error('Re-auth failed:', err);
    window.location.href = '/login?reason=session_expired';
  }
});
```

### Server-side JWT Verification

When you create an Authentication Cluster in the Transcodes Console, you can download or copy a `public_key.json` file.
Place this key on your server to verify JWTs. The algorithm is `ES256` (ECDSA P-256).

`public_key.json` format:
```json
{
  "kty": "EC",
  "x": "V5UGkr1FKv3TGd1OO3lC9YDHfizkkpO0bOjQQLBr-wc",
  "y": "fqhfcdO6mgmZwoEuaIeVKCAr-sdEa4Ghyn1-ESvEl1g",
  "crv": "P-256",
  "alg": "ES256",
  "kid": "64aaaf01-65d0-4c22-9dcd-3c1f9b3acb7f"
}
```

**Option A — File-based:**
Save `public_key.json` to your server project and read it at startup.

```typescript
import * as jose from 'jose';
import fs from 'fs';

const jwk = JSON.parse(fs.readFileSync('./public_key.json', 'utf-8'));
const publicKey = await jose.importJWK(jwk, 'ES256');

async function verifyToken(token: string) {
  const { payload } = await jose.jwtVerify(token, publicKey);
  return payload;
}
```

**Option B — Env variable or inline:**
Embed the `public_key.json` contents in an environment variable or directly in code.

```typescript
import * as jose from 'jose';

const jwk = {
  kty: 'EC',
  x: 'V5UGkr1FKv3TGd1OO3lC9YDHfizkkpO0bOjQQLBr-wc',
  y: 'fqhfcdO6mgmZwoEuaIeVKCAr-sdEa4Ghyn1-ESvEl1g',
  crv: 'P-256',
  alg: 'ES256',
  kid: '64aaaf01-65d0-4c22-9dcd-3c1f9b3acb7f',
};
const publicKey = await jose.importJWK(jwk, 'ES256');

async function verifyToken(token: string) {
  const { payload } = await jose.jwtVerify(token, publicKey);
  return payload;
}
```

**Express middleware example:**
```typescript
async function authMiddleware(req, res, next) {
  const token = req.headers.authorization?.replace('Bearer ', '');
  if (!token) return res.status(401).json({ error: 'No token' });
  try {
    req.user = await verifyToken(token);
    next();
  } catch {
    return res.status(401).json({ error: 'Invalid token' });
  }
}

app.use('/api/', authMiddleware);
```

The public key is available for download or copy when creating an Authentication Cluster in the Console.
The JWK values above are samples — replace them with your project's actual key.

---

## 2. Core API: openAuthConsoleModal (Member Account Management)

### Usage
- Opening user settings / profile
- Managing passkeys and backup auth methods
- Letting members self-manage identity data

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| projectId | string | N | Optional if inferred. |

### [Agent Instructions: Implementation Logic]
- **Auth Requirement**: Ensure the user is authenticated (`isAuthenticated() === true`) before calling this modal. If not, prompt them to log in first.
- **NEVER call `openAuthConsoleModal()` without an auth guard.** It will fail silently or show an error if the user has no session.

### [Framework Integration: Must-Know]
Same rules as `openAuthLoginModal` — close parent overlays before opening, use `composedPath()` for events, await `updateComplete` for Lit DOM reads, isolate inherited CSS. See `openAuthLoginModal` → [Framework Integration: Must-Know] for full details and code examples.

### [Implementation]

> Same dual-form convention as Section 1 — **CDN static is the default**. Use the npm form only when the user has explicitly chosen the npm path.

**CDN static (DEFAULT):**
```typescript
async function openSettings() {
  let isLoading = true;
  try {
    // auth guard
    const isAuth = await transcodes.token.isAuthenticated();
    if (!isAuth) {
      const login = await transcodes.openAuthLoginModal({});
      if (!login.success) return; // user cancelled login
    }

    await transcodes.openAuthConsoleModal();
    // Modal closed — user may have updated passkeys, name, etc.

    // RECOMMENDED: refresh member data after console closes
    const current = await transcodes.token.getCurrentMember();
    if (current.success && current.member?.email) {
      const fresh = await transcodes.member.get({ email: current.member.email });
      if (fresh.success) {
        // Update your app state with fresh.payload[0]
      }
    }
  } catch (err) {
    console.error('Console modal error:', err);
  } finally {
    isLoading = false;
  }
}
```

**npm fallback (`@bigstrider/transcodes-sdk`):**
```typescript
import {
  isAuthenticated,
  openAuthLoginModal,
  openAuthConsoleModal,
  getCurrentMember,
  getMember,
} from '@bigstrider/transcodes-sdk';

async function openSettings() {
  let isLoading = true;
  try {
    if (!(await isAuthenticated())) {
      const login = await openAuthLoginModal({});
      if (!login.success) return;
    }

    await openAuthConsoleModal();

    const current = await getCurrentMember();
    if (current.success && current.member?.email) {
      const fresh = await getMember({ email: current.member.email });
      if (fresh.success) {
        // Update your app state with fresh.payload[0]
      }
    }
  } catch (err) {
    console.error('Console modal error:', err);
  } finally {
    isLoading = false;
  }
}
```

## 3. Core API: openAuthIdpModal (Step-up MFA)

### Usage
- Protecting sensitive operations
- Requiring MFA before action
- Enforcing RBAC + step-up on privileged flows

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| resource | string | Y | Existing Console resource key only |
| action | 'create'\|'read'\|'update'\|'delete' | Y | 'create'\|'read'\|'update'\|'delete' |
| forceStepUp | boolean | N | Force MFA regardless of RBAC. Default: false |
| webhookNotification | boolean | N | Send Slack webhook on result. Default: false |
| projectId | string | N | Optional if inferred. |

### [What are `role` and `resource`?]

#### RBAC meaning
- `resource` = Console RBAC resource key such as `'system'`, `'billing'`, `'reports'`
- `action` = `create | read | update | delete`
- `role` = current member role from JWT / `getCurrentMember()` when `result.success` and `result.member` is set
- `openAuthIdpModal` reads the current member role automatically; you only pass `resource` + `action`
- Permission levels:
  - `0` = deny
  - `1` = allow
  - `2` = allow + step-up required

#### RBAC example
```
Console RBAC setup:
  Role: admin
  Resource: system
    create → permission: 2  (allow + step-up required)
    read   → permission: 1  (allow, no step-up)
    update → permission: 1
    delete → permission: 2  (allow + step-up required)
```

Result:
- `admin × system × create = 2` → step-up required
- `admin × system × read = 1` → allowed without step-up
- On success, client sends `sid` to its backend, and the backend verifies it before executing the action

**IMPORTANT:** `resource` must match a resource key created in the Console. Passing an unknown resource key will return a deny result. If `forceStepUp: true` is passed, step-up is always triggered regardless of RBAC permission level.

### [Agent Instructions: Implementation Logic]
- **Mandatory Question**: Before generating code, STOP and ask: *"What is the `resource` key (defined in your Console RBAC) and what `action` are you protecting?"*
- **Success Check**: You must check outer `result.success` before accessing `result.payload[0]`, and you must check `result.payload[0]?.success` before using `sid`.
- **Backend Verification**: The returned `sid` (session ID) must be sent to the user's own backend, which then calls the Transcodes API (`https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}`) with header `x-transcodes-token: <JWT from Console>` (no separate API key; do not use `x-api-key`). Client-side `sid` alone is NOT sufficient — server-side verification is mandatory.
- **Runtime Gate**: For step-up MFA, use a two-step gate: outer `ApiResponse.success` first, then `result.payload[0]?.success`.
- **Audit Trail**: After a successful step-up operation, you SHOULD log the action with `trackUserAction` for compliance.
- **MCP First**: If Transcodes MCP / Console access is available, resolve resources there first (`get_resources`) before asking the user.
- **Blocking Rule**: If `resource` or `action` is still unknown, output only the clarifying question and stop. Do not generate placeholder code, pseudo-code, or guessed defaults.

### [Framework Integration: Must-Know]
Same rules as `openAuthLoginModal` — close parent overlays before opening, use `composedPath()` for events, await `updateComplete` for Lit DOM reads, isolate inherited CSS. See `openAuthLoginModal` → [Framework Integration: Must-Know] for full details and code examples.

### [Implementation]

This is the canonical pattern for step-up MFA. Every step is mandatory.

> Same dual-form convention as Section 1 — **CDN static is the default**. Use the npm form only when the user has explicitly chosen the npm path. Resolve `resource` / `action` from MCP / Console first; if unavailable, ask the user and stop.

**Client-side (browser) — CDN static (DEFAULT):**
```typescript
async function protectedAction(userId: string) {
  let isLoading = true;
  try {
    const resource = resolvedResource; // resolved via get_resources or explicit user input
    const action = resolvedAction;     // resolved from the protected operation

    // STEP 1: Request step-up verification
    const mfa = await transcodes.openAuthIdpModal({
      resource,
      action,
    });

    // SUCCESS CHECKS before using sid (outer + inner)
    if (!mfa.success || !mfa.payload[0]?.success) {
      // User cancelled, failed verification, or was denied by RBAC
      return;
    }

    // STEP 2: Send sid + JWT to YOUR backend for verification
    const sessionId = mfa.payload[0].sid;
    const token = await transcodes.token.getAccessToken();
    await fetch(`/api/users/${userId}`, {
      method: 'DELETE',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ sessionId }),
    });

    // STEP 3: Audit log on success
    await transcodes.trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: true,
      metadata: { userId },
    });
  } catch (err) {
    // STEP 4: Error handling + audit log on failure
    console.error('Step-up action failed:', err);
    await transcodes.trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: false,
      error: (err as Error).message,
      metadata: { userId },
    });
  } finally {
    isLoading = false;
  }
}
```

**Client-side (browser) — npm fallback (`@bigstrider/transcodes-sdk`):**
```typescript
import {
  openAuthIdpModal,
  getAccessToken,
  trackUserAction,
} from '@bigstrider/transcodes-sdk';

async function protectedAction(userId: string) {
  let isLoading = true;
  try {
    const resource = resolvedResource;
    const action = resolvedAction;

    const mfa = await openAuthIdpModal({ resource, action });

    if (!mfa.success || !mfa.payload[0]?.success) return;

    const sessionId = mfa.payload[0].sid;
    const token = await getAccessToken();
    await fetch(`/api/users/${userId}`, {
      method: 'DELETE',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ sessionId }),
    });

    await trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: true,
      metadata: { userId },
    });
  } catch (err) {
    console.error('Step-up action failed:', err);
    await trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: false,
      error: (err as Error).message,
      metadata: { userId },
    });
  } finally {
    isLoading = false;
  }
}
```

**Server-side (your backend) — verify session ID against Transcodes API:**

The auth API token below (`AUTH_API_TOKEN`) is a JWT issued from the Transcodes Console for **server-to-Transcodes** calls — a different value from `TRANSCODES_TOKEN` used for the MCP server. Store it as a secret on the backend (e.g. `TRANSCODES_AUTH_API_TOKEN`).

```typescript
// Backend verification example (Next.js Route Handler shape)
import { NextResponse } from 'next/server';

const AUTH_API_TOKEN = process.env.TRANSCODES_AUTH_API_TOKEN!; // server-only secret JWT

export async function POST(req: Request) {
  const { stepUpSid } = await req.json();

  if (stepUpSid) {
    const response = await fetch(
      `https://api.transcodesapis.com/v1/auth/temp-session/step-up/${stepUpSid}`,
      {
        headers: {
          'x-transcodes-token': JWT_TOKEN_FROM_TRANSCODES_CONSOLE,
        },
      },
    );

    if (!response.ok) {
      return NextResponse.json({
        logId: crypto.randomUUID(),
        success: false,
        statusCode: response.status,
        payload: null,
        error: 'Failed to get temp session',
      });
    }

    const data = await response.json();
    // data.payload[0] => { project_id, member_id, action, role }
    // Use data to authorize the sensitive action.
  }

  // ...proceed with the sensitive action only after a successful verification
  return NextResponse.json({ ok: true });
}
```

Example verified response (logged):
```json
{
  "logId": "01KPP893GSV54TKVST53MV7BB1",
  "success": true,
  "statusCode": 200,
  "payload": [
    {
      "project_id": "ca3da7ff8dd4391d8d80ad01",
      "member_id": "ca3db8488dd4391d8d80ad04",
      "action": "read",
      "role": "admin"
    }
  ],
  "error": null
}
```

```
Step-up verification endpoint:
  URL:    https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sessionId}
  Method: GET
  Header: x-transcodes-token: <JWT_TOKEN_FROM_TRANSCODES_CONSOLE>
  Response: 200 = valid session (payload contains project_id, member_id, action, role)
            non-200 = invalid / expired / unauthorized
```

```typescript
// Canonical step-up call shape — CDN static (DEFAULT):
await transcodes.openAuthIdpModal({ resource: resolvedResource, action: resolvedAction });

// Canonical step-up call shape — npm fallback:
import { openAuthIdpModal } from '@bigstrider/transcodes-sdk';
await openAuthIdpModal({ resource: resolvedResource, action: resolvedAction });
```

Full `IdpAuthResponse` type reference:
```typescript
interface IdpAuthResponse {
  success: boolean;   // step-up result inside the payload item
  sid?: string;       // step-up session ID (present on success)
  error?: string;     // error message (present on failure)
  timestamp: number;  // Unix timestamp (ms)
  action?: 'create' | 'read' | 'update' | 'delete'; // the requested action
}
// Returned as ApiResponse<IdpAuthResponse[]>
// Runtime gate: check outer ApiResponse.success first, then check result.payload[0]?.success, then use sid
```

// Permission matrix (set per role × resource × action in Console):
//   0 = deny   1 = allow (no step-up)   2 = allow + step-up required
// openAuthIdpModal reads the current member's role and checks this matrix automatically.

---

## 5. Core API: Token API (Session Management)

### Usage
- Sending JWT to your backend
- Guarding protected routes
- Reading current member from JWT
- Signing out

### [Methods]
| Method | Returns | Note |
| :--- | :--- | :--- |
| `getCurrentMember()` | `Promise<GetCurrentMemberResult>` | `{ success, member, error? }` — on success `member` is set; on failure `member` is null and `error` is a `GetCurrentMemberFailureReason`. |
| `getAccessToken()` | `Promise<string \| null>` | Gets valid JWT, refreshing if needed. |
| `hasToken()` | `boolean` | Sync check if token exists in memory. |
| `isAuthenticated()` | `Promise<boolean>` | Async full validity check. |
| `signOut(options?)` | `Promise<void>` | Clears session. `options.webhookNotification?: boolean` |

### [Agent Instructions: Implementation Logic]
- **getCurrentMember**: Always read `const r = await getCurrentMember()` then branch on `r.success` before using `r.member`. Do not treat the return value as `Member | null`.
- **Header Injection**: When making fetch calls to a backend, always use `await getAccessToken()` to ensure the token is fresh.
- **isAuthenticated vs hasToken**: Use `hasToken()` for fast UI rendering decisions. Use `isAuthenticated()` for security-critical decisions (it verifies token validity, not just existence).
- **NEVER use `isAuthenticated()` without `await`** — it returns a Promise, which is always truthy. This is the #1 most common bug.

### [Implementation]

> Same dual-form convention as Section 1 — **CDN static is the default**. Token API lives on `transcodes.token.*`. Use the npm form only when the user has explicitly chosen the npm path.

**Authorized Fetch Wrapper — use this for ALL backend API calls.**

CDN static (DEFAULT):
```typescript
async function authorizedFetch(url: string, options: RequestInit = {}) {
  const token = await transcodes.token.getAccessToken();
  if (!token) throw new Error('Not authenticated');
  return fetch(url, {
    ...options,
    headers: { ...options.headers, Authorization: `Bearer ${token}` },
  });
}
```

npm fallback:
```typescript
import { getAccessToken } from '@bigstrider/transcodes-sdk';

async function authorizedFetch(url: string, options: RequestInit = {}) {
  const token = await getAccessToken();
  if (!token) throw new Error('Not authenticated');
  return fetch(url, {
    ...options,
    headers: { ...options.headers, Authorization: `Bearer ${token}` },
  });
}
```

**Route Guard — use `isAuthenticated()` (async) for security decisions.**

CDN static (DEFAULT):
```typescript
const isAuth = await transcodes.token.isAuthenticated();
if (!isAuth) {
  window.location.href = '/login';
  return;
}
```

npm fallback:
```typescript
import { isAuthenticated } from '@bigstrider/transcodes-sdk';

const isAuth = await isAuthenticated();
if (!isAuth) {
  window.location.href = '/login';
  return;
}
```

**UI Rendering — use `hasToken()` (sync) for non-security UI toggle.**

CDN static (DEFAULT):
```typescript
if (transcodes.token.hasToken()) {
  showDashboard();
} else {
  showLandingPage();
}
```

npm fallback:
```typescript
import { hasToken } from '@bigstrider/transcodes-sdk';

if (hasToken()) {
  showDashboard();
} else {
  showLandingPage();
}
```

**Sign Out.**

CDN static (DEFAULT):
```typescript
try {
  await transcodes.token.signOut();
  window.location.href = '/';
} catch (err) {
  console.error('Sign out failed:', err);
}
```

npm fallback:
```typescript
import { signOut } from '@bigstrider/transcodes-sdk';

try {
  await signOut();
  window.location.href = '/';
} catch (err) {
  console.error('Sign out failed:', err);
}
```

**Get Current User.**

CDN static (DEFAULT):
```typescript
const r = await transcodes.token.getCurrentMember();
if (r.success && r.member) {
  const { member } = r;
  console.log(`${member.name} (${member.email}) — role: ${member.role}`);
} else if (!r.success) {
  // r.member is null; r.error is GetCurrentMemberFailureReason when applicable
}
```

npm fallback:
```typescript
import { getCurrentMember } from '@bigstrider/transcodes-sdk';

const r = await getCurrentMember();
if (r.success && r.member) {
  const { member } = r;
  console.log(`${member.name} (${member.email}) — role: ${member.role}`);
}
```

---

## 6. Core API: Member API (User Data)

### Usage
- Refreshing profile after console changes
- Re-checking the latest role from the API
- Looking up a member by email or ID

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| projectId | string | N | Optional if inferred. |
| memberId | string | N | Specific member ID to fetch. |
| email | string | N | Specific email to fetch. |
| fields | string | N | Comma-separated field names to return. |

### [Implementation]

> Same dual-form convention as Section 1 — **CDN static is the default**. Member API lives on `transcodes.member.*` (note: the CDN namespace is `member.get`, the npm export is `getMember`).

**Member lookup by email.**

CDN static (DEFAULT):
```typescript
async function lookupMember(email: string) {
  try {
    const res = await transcodes.member.get({ email });

    // check success AND payload length
    if (!res.success || !res.payload?.length) {
      console.log('Member not found or request failed');
      return null;
    }

    return res.payload[0]; // { id, email, role, name, ... }
  } catch (err) {
    console.error('Member lookup failed:', err);
    return null;
  }
}
```

npm fallback:
```typescript
import { getMember } from '@bigstrider/transcodes-sdk';

async function lookupMember(email: string) {
  try {
    const res = await getMember({ email });

    if (!res.success || !res.payload?.length) {
      console.log('Member not found or request failed');
      return null;
    }

    return res.payload[0];
  } catch (err) {
    console.error('Member lookup failed:', err);
    return null;
  }
}
```

**Get fresh role after a change** — use `member.get` / `getMember` (API fetch) instead of `token.getCurrentMember()` / `getCurrentMember()` (JWT-based, may be stale).

CDN static (DEFAULT):
```typescript
const res = await transcodes.member.get({ email: 'alice@example.com' });
if (res.success && res.payload.length > 0) {
  const role = res.payload[0].role;
}
```

npm fallback:
```typescript
import { getMember } from '@bigstrider/transcodes-sdk';

const res = await getMember({ email: 'alice@example.com' });
if (res.success && res.payload.length > 0) {
  const role = res.payload[0].role;
}
```

---

## 7. Core API: Events API (Real-time State)

### Usage
- Syncing auth state into app state
- Handling token expiry
- Monitoring SDK errors

### [Events]
| Event | Payload | Note |
| :--- | :--- | :--- |
| `AUTH_STATE_CHANGED` | `{ isAuthenticated, accessToken, expiresAt, member }` | Fired on login, logout, restore. |
| `TOKEN_REFRESHED` | `{ accessToken, expiresAt }` | Fired when new JWT is issued. |
| `TOKEN_EXPIRED` | `{ expiredAt }` | Fired when session fully expires. |
| `ERROR` | `{ code, message, context? }` | Fired on background errors. |
| `MEMBER_REVOKED` | `{ message, reason: 'member_revoked' }` | Fired when the server reports the current member has been suspended/revoked by an admin. The SDK has already cleared the local session by the time this fires. UIs should redirect to the sign-in screen or show a "your account is suspended" notice. |

### [Implementation]

> Same dual-form convention as Section 1 — **CDN static is the default**. Events API lives on `transcodes.on(...)` / `transcodes.off(...)`.

**Always store and call the unsubscribe function on cleanup.** Failing to unsubscribe causes memory leaks and duplicate event handlers.

**Subscribe with proper cleanup (React example).**

CDN static (DEFAULT):
```typescript
useEffect(() => {
  const unsub = transcodes.on('AUTH_STATE_CHANGED', (payload) => {
    if (payload.isAuthenticated) {
      setUser(payload.member);
    } else {
      setUser(null);
    }
  });

  // unsubscribe on unmount
  return () => unsub();
}, []);
```

npm fallback:
```typescript
import { on } from '@bigstrider/transcodes-sdk';

useEffect(() => {
  const unsub = on('AUTH_STATE_CHANGED', (payload) => {
    if (payload.isAuthenticated) setUser(payload.member);
    else setUser(null);
  });
  return () => unsub();
}, []);
```

**Auto-re-auth on token expiry with error handling.**

CDN static (DEFAULT):
```typescript
const unsub = transcodes.on('TOKEN_EXPIRED', async () => {
  try {
    const result = await transcodes.openAuthLoginModal({});
    if (!result.success) {
      window.location.href = '/login?reason=session_expired';
    }
  } catch (err) {
    console.error('Re-auth failed:', err);
    window.location.href = '/login?reason=error';
  }
});
```

npm fallback:
```typescript
import { on, openAuthLoginModal } from '@bigstrider/transcodes-sdk';

const unsub = on('TOKEN_EXPIRED', async () => {
  try {
    const result = await openAuthLoginModal({});
    if (!result.success) {
      window.location.href = '/login?reason=session_expired';
    }
  } catch (err) {
    console.error('Re-auth failed:', err);
    window.location.href = '/login?reason=error';
  }
});
```

**Error monitoring — send to your observability service.**

CDN static (DEFAULT):
```typescript
const unsub = transcodes.on('ERROR', ({ code, message, context }) => {
  console.error(`Transcodes Error [${code}]: ${message}`, context);
  // e.g. Sentry.captureException(new Error(message));
});
```

npm fallback:
```typescript
import { on } from '@bigstrider/transcodes-sdk';

const unsub = on('ERROR', ({ code, message, context }) => {
  console.error(`Transcodes Error [${code}]: ${message}`, context);
});
```

**Member suspension / revocation — kick the user back to sign-in.**

Subscribe to `MEMBER_REVOKED` so an admin-side suspension immediately reflects in the UI. By the time this fires the SDK has **already cleared** the local session — your handler only needs to display the message and route the user out (no manual `signOut()` call required).

CDN static (DEFAULT):
```typescript
const unsub = transcodes.on('MEMBER_REVOKED', ({ message, reason }) => {
  // reason === 'member_revoked'
  alert(message); // or a toast / banner with the user-facing message
  window.location.href = '/login?reason=member_revoked';
});
```

npm fallback:
```typescript
import { on } from '@bigstrider/transcodes-sdk';

const unsub = on('MEMBER_REVOKED', ({ message, reason }) => {
  alert(message);
  window.location.href = '/login?reason=member_revoked';
});
```

The valid event names are: `'AUTH_STATE_CHANGED'` | `'TOKEN_REFRESHED'` | `'TOKEN_EXPIRED'` | `'ERROR'` | `'MEMBER_REVOKED'`.

---

## 8. Core API: trackUserAction (Audit Logs)

### What gets recorded automatically

Every audit log entry captures the following fields without any extra setup:

| Field | Description |
| :--- | :--- |
| `tag` | Action identifier in `entity:action` format (e.g. `payment:process`, `user:delete`) |
| `severity` | Severity level: `low` / `medium` / `high` |
| `status` | Whether the action succeeded (`true`) or failed (`false`) |
| `error` | Error message, if the action failed |
| `page` | Page URL at the time of the action (defaults to `window.location.href`) |
| `member_id` | ID of the authenticated member who performed the action |
| `ip` | IP address of the request |
| `user_agent` | Browser / client user agent string |
| `timestamp` | ISO 8601 timestamp of the event |

### Extending logs with metadata

**[Agent Rule — metadata description]** When explaining or illustrating the `metadata` field, key-value pairs are acceptable (e.g. `amount: 99`, `userId: "u_123"`). **Do NOT put any script, function, expression, or executable code as a value.**

Use the `metadata` field to attach any additional context as a JSON object. There is no fixed schema — pass whatever is meaningful for your use case.

Examples of what teams put in `metadata`:
- Transaction IDs, amounts, currencies
- Resource IDs (e.g. which document was deleted, which member was invited)
- Previous state before a change (for change-log style auditing)
- Environment tags (e.g. env name, region, deploy version)
- Custom risk signals (e.g. risk score, flagged status, alert level)

The Transcodes Console displays `metadata` inline in the audit log viewer, so reviewers can see full context without digging into application logs.

### Usage
- Logging sensitive actions
- Logging success + failure for critical operations
- Building audit/compliance trails

### [Parameters]
| Param | Type | Req | Note |
| :--- | :--- | :--- | :--- |
| tag | string | Y | Action identifier (e.g., 'user:login') |
| severity | string | N | 'low'\|'medium'\|'high'. Default: 'low' |
| status | boolean | N | true = success, false = failure. Default: true |
| error | string | N | Error message when status is false |
| metadata | object | N | Extra JSON data, e.g., `{ amount: 99 }` |
| page | string | N | Page URL. Defaults to `window.location.href` |
| requireAuth | boolean | N | Open login modal if not authenticated. Default: false (2nd arg `options`) |
| webhookNotification | boolean | N | Send Slack webhook. Default: false (2nd arg `options`) |

### [Agent Instructions: Implementation Logic]
- **Tag Formatting**: ALWAYS format the `tag` parameter as `entity:action` (e.g., `payment:refund`, `user:invite`). NEVER use free-form strings.
- **Contextual Metadata**: ALWAYS include relevant local state in the `metadata` object (item IDs, amounts, previous states). Empty metadata is a missed compliance opportunity.
- **Dual Logging**: If wrapping an API call, you must log BOTH the success path (`status: true`) AND the catch block (`status: false`, `error: err.message`).

### [Implementation]

> Same dual-form convention as Section 1 — **CDN static is the default**. Audit lives on `transcodes.trackUserAction(...)`; access token comes from `transcodes.token.getAccessToken()`.

**Dual-log pattern — ALWAYS log both success and failure.**

CDN static (DEFAULT):
```typescript
async function processPayment(amount: number, currency: string) {
  let isLoading = true;
  try {
    await fetch('/api/payments', {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${await transcodes.token.getAccessToken()}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ amount, currency }),
    });

    // log success
    await transcodes.trackUserAction({
      tag: 'payment:process',         // entity:action format
      severity: 'high',
      status: true,                   // success
      metadata: { amount, currency }, // MUST include context
    }, { webhookNotification: true });
  } catch (err) {
    // MANDATORY: log failure — never skip this
    await transcodes.trackUserAction({
      tag: 'payment:process',         // same tag as success
      severity: 'high',
      status: false,                  // failure
      error: (err as Error).message,
      metadata: { amount, currency },
    }, { webhookNotification: true });
  } finally {
    isLoading = false;
  }
}
```

npm fallback:
```typescript
import { getAccessToken, trackUserAction } from '@bigstrider/transcodes-sdk';

async function processPayment(amount: number, currency: string) {
  let isLoading = true;
  try {
    await fetch('/api/payments', {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${await getAccessToken()}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ amount, currency }),
    });

    await trackUserAction({
      tag: 'payment:process',
      severity: 'high',
      status: true,
      metadata: { amount, currency },
    }, { webhookNotification: true });
  } catch (err) {
    await trackUserAction({
      tag: 'payment:process',
      severity: 'high',
      status: false,
      error: (err as Error).message,
      metadata: { amount, currency },
    }, { webhookNotification: true });
  } finally {
    isLoading = false;
  }
}
```

Use `entity:action` tags such as `payment:process`, `user:delete`, `member:role-change`. Always log both success and failure paths for sensitive operations.

---

## Type Definitions

```typescript
// --- Core Types ---

interface Member {
  id?: string;
  projectId?: string;
  name?: string;
  email?: string;
  role?: string;
  metadata?: Record<string, string | number | boolean | null | undefined>;
  createdAt?: Date | string;
  updatedAt?: Date | string;
}

interface AuthResult {
  token: string;   // JWT access token
  member: Member;
}

interface ApiResponse<T> {
  success: boolean;
  payload: T;
  error?: string;
  message?: string;
  status?: number;
}

// --- Init ---

interface TranscodesInitOptions {
  projectId: string;       // Required — from Transcodes Console
  customUserId?: string;   // Optional — associate with your own user ID
  debug?: boolean;         // Optional — enable debug logging
}

interface TranscodesBuildInfo {
  buildTimestamp: string;   // ISO timestamp when SDK bundle was built
}

// --- IDP (Step-up MFA) ---

interface IdpOpenParams {
  resource: string;                              // Resource key from Console RBAC
  action: 'create' | 'read' | 'update' | 'delete';
  forceStepUp?: boolean;                         // Force step-up regardless of permission level
  webhookNotification?: boolean;                 // Send Slack webhook on result
}

interface IdpAuthResponse {
  success: boolean;   // step-up result inside the payload item
  sid?: string;       // Step-up session ID (present on success)
  error?: string;     // Error message (present on failure)
  timestamp: number;  // Unix timestamp (ms)
  action?: string;    // The requested action
}

// --- Modal Return Types ---
// openAuthLoginModal(params)  → Promise<ApiResponse<AuthResult[]>>
// openAuthConsoleModal(params?) → Promise<ApiResponse<null>>
// openAuthIdpModal(params)    → Promise<ApiResponse<IdpAuthResponse[]>>

// --- Token API ---

// Matches public/transcodes.d.ts (also exported from @bigstrider/transcodes-sdk types)
export enum GetCurrentMemberFailureReason {
  // If member is not authenticated, the error is 'unauthenticated'
  UNAUTHENTICATED = 'unauthenticated',
  // If member is not found, the error is 'not_found'
  NOT_FOUND = 'not_found',
  // If member is revoked, the error is 'revoked'
  REVOKED = 'revoked',
  // If member is transient network error, the error is 'transient'
  TRANSIENT = 'transient',
  // If member is other error, the error is 'error'
  ERROR = 'error',
}

export interface GetCurrentMemberResult {
  success: boolean;
  member: Member | null;
  error?: GetCurrentMemberFailureReason;
}

interface TokenAPI {
  getCurrentMember(): Promise<GetCurrentMemberResult>;
  getAccessToken(): Promise<string | null>;
  hasToken(): boolean;                                    // SYNC
  isAuthenticated(): Promise<boolean>;                    // ASYNC — always use await
  signOut(options?: { webhookNotification?: boolean }): Promise<void>;
}

// --- Member API ---

interface PublicMemberAPI {
  get(params: {
    projectId?: string;
    memberId?: string;
    email?: string;
    fields?: string;         // comma-separated field names
  }): Promise<ApiResponse<Member[]>>;
}

// --- Audit Log ---

// trackUserAction(event, options?) → Promise<void>
// event:
//   tag: string              — required, entity:action format (e.g. 'payment:process')
//   severity?: 'low' | 'medium' | 'high'   — default: 'low'
//   status?: boolean         — default: true (true = success, false = failure)
//   error?: string           — error message when status is false
//   metadata?: Record<string, unknown>      — extra context
//   page?: string            — page URL (defaults to window.location.href)
// options:
//   requireAuth?: boolean    — open login modal if not authenticated (default: false)
//   webhookNotification?: boolean — send Slack webhook (default: false)

// --- Events ---

type TranscodesEventName =
  | 'AUTH_STATE_CHANGED'
  | 'TOKEN_REFRESHED'
  | 'TOKEN_EXPIRED'
  | 'ERROR'
  | 'MEMBER_REVOKED';

interface AuthStateChangedPayload {
  isAuthenticated: boolean;
  accessToken: string | null;
  expiresAt: number | null;
  member: Member | null;
}

interface TokenRefreshedPayload {
  accessToken: string;
  expiresAt: number;
}

interface TokenExpiredPayload {
  expiredAt: number;
}

interface MemberRevokedPayload {
  /** User-facing message to display */
  message: string;
  /** Machine-readable reason for programmatic handling */
  reason: 'member_revoked';
}

interface ErrorPayload {
  code: string;
  message: string;
  context?: string;
}

// on<T>(event: TranscodesEventName, callback: (payload) => void): () => void  — returns unsubscribe fn
// off<T>(event: TranscodesEventName, callback): void
```

---

## Framework setup (quick reference)

**CDN static is the default for every framework.** Use a native `<script src="…" defer></script>` in `<head>`. Don't use `type="module"`. Don't use `crossorigin`. Don't use `next/script`. Don't install `@bigstrider/transcodes-sdk` unless the user explicitly requests the npm fallback.

### React + Vite — CDN static (DEFAULT)

> **Access pattern:** Vite is CSR-only — bare `transcodes.*` and explicit `window.transcodes.*` are equivalent. Use the bare form everywhere for brevity. See **Framework-specific access pattern** below.

Put the script in **`index.html` `<head>`** (native `<script defer>`, not a React component):

```html
<head>
  <script src="https://cdn.transcodes.link/%VITE_TRANSCODES_PROJECT_ID%/webworker.js" defer></script>
</head>
```

```bash
# .env
VITE_TRANSCODES_PROJECT_ID=proj_abc123xyz
```

**Then complete the TypeScript wiring (mandatory — skipping this is a compile error):**

```bash
# 1. Create types/transcodes.d.ts if it does not already exist
mkdir -p types
curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
```

```jsonc
// 2. tsconfig.json — add types/ to BOTH typeRoots and include
{
  "compilerOptions": {
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  "include": ["src", "types"]
}
```

```bash
# 3. Verify
npx tsc --noEmit
```

### Next.js App Router — CDN static (DEFAULT)

> **Access pattern (CRITICAL):** Next.js renders `'use client'` components **on the server first** during SSR/RSC. Calling `transcodes.*` (or `window.transcodes.*`) at module top level or directly in a render body throws `ReferenceError` at SSR — **and `tsc` will not warn you**. Defer every SDK call into `useEffect`, an event handler, or behind a `typeof window !== 'undefined' && window.transcodes` guard. See **Framework-specific access pattern** below.

Use a **native `<script defer>` in `<head>`** — do not use `next/script` for `webworker.js`.

```tsx
// app/layout.tsx
export default function RootLayout({ children }: { children: React.ReactNode }) {
  const projectId = process.env.NEXT_PUBLIC_TRANSCODES_PROJECT_ID!;
  const cdnBase = process.env.NEXT_PUBLIC_TRANSCODES_CDN_BASE ?? 'https://cdn.transcodes.link';
  return (
    <html lang="en" suppressHydrationWarning>
      <head>
        <script src={`${cdnBase}/${projectId}/webworker.js`} defer />
      </head>
      <body>{children}</body>
    </html>
  );
}
```

```bash
# .env.local
NEXT_PUBLIC_TRANSCODES_PROJECT_ID=proj_abc123xyz
# NEXT_PUBLIC_TRANSCODES_CDN_BASE — default is https://cdn.transcodes.link
```

**Then complete the TypeScript wiring (mandatory — skipping this is a compile error). `next-env.d.ts` does NOT pick up `transcodes.d.ts` automatically:**

```bash
# 1. Create types/transcodes.d.ts if it does not already exist
mkdir -p types
curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
```

```jsonc
// 2. tsconfig.json (project root) — add types/ to BOTH typeRoots and include
{
  "compilerOptions": {
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  "include": ["next-env.d.ts", ".next/types/**/*.ts", "src", "types"]
}
```

```bash
# 3. Verify
npx tsc --noEmit
```

### Vue 3 + Vite — CDN static (DEFAULT)

> **Access pattern:** Vite is CSR-only — bare `transcodes.*` and explicit `window.transcodes.*` are equivalent. Use the bare form everywhere. If you migrate to Nuxt or any SSR-enabled Vue setup, switch to the SSR pattern below.

```html
<!-- index.html -->
<head>
  <script src="https://cdn.transcodes.link/%VITE_TRANSCODES_PROJECT_ID%/webworker.js" defer></script>
</head>
```

**Then complete the TypeScript wiring (mandatory — skipping this is a compile error):**

```bash
# 1. Create types/transcodes.d.ts if it does not already exist
mkdir -p types
curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
```

```jsonc
// 2. tsconfig.json — add types/ to BOTH typeRoots and include
{
  "compilerOptions": {
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  "include": ["src", "types"]
}
```

```bash
# 3. Verify
npx tsc --noEmit
```

---

### Framework-specific access pattern — when to use `transcodes` vs `window.transcodes`

Both `transcodes.*` (bare) and `window.transcodes.*` (explicit) resolve to the **same object at runtime** in the browser, and both are typed by `transcodes.d.ts` (`var transcodes: Window['transcodes']`). **The choice depends entirely on where the code runs.**

> ⚠️ **TypeScript will NOT catch SSR-time absence.** The `.d.ts` declares the global as always-present. The type checker happily green-lights both forms even when they would throw `ReferenceError` at runtime on the server. This makes the framework decision below a **runtime concern that the type system cannot enforce** — you must reason about it explicitly.

| Framework / runtime                      | Module top-level / RSC / first SSR render             | `useEffect` / event handler / `onClick`             | Recommended access form                                                |
| ---------------------------------------- | ----------------------------------------------------- | --------------------------------------------------- | ---------------------------------------------------------------------- |
| **Vite** (React, Vue, Svelte) — CSR only | ✅ both work — no SSR pass                            | ✅ both work                                        | Use bare `transcodes.*` everywhere. Equivalent and shorter.            |
| **Create React App** / Parcel — CSR only | ✅ both work                                          | ✅ both work                                        | Use bare `transcodes.*` everywhere.                                    |
| **Next.js App Router** (RSC + SSR)       | ❌ both throw `ReferenceError` (renders in Node first) | ✅ both work (browser only)                         | Inside `'use client'` + `useEffect` / handler: bare `transcodes.*`. Outside that scope: guard with `typeof window !== 'undefined' && window.transcodes`. |
| **Next.js Pages Router** (`getServerSideProps`, `getStaticProps`) | ❌ both throw on the server | ✅ both work in `useEffect` / handlers | Same as App Router. Never call SDK in `getServerSideProps` / `getStaticProps`. |
| **Remix / React Router (Framework Mode)** | ❌ both throw in loaders / actions / SSR             | ✅ both work in component effects                  | Same as Next.js — gate behind effects or feature-detection.            |
| **Astro / Qwik** (islands + SSR)         | ❌ both throw at SSR                                  | ✅ both work inside client islands                  | Use bare `transcodes.*` inside client-only directives (`client:load`, `client:idle`, etc.). |

**Decision rule for code samples:**

1. **Pure CSR project (Vite / CRA / Vue SPA / static HTML)** → use bare `transcodes.*` everywhere. Concise and equivalent.
2. **Any framework with SSR / RSC / static-generation phase (Next.js / Remix / Astro / SvelteKit)** → bare `transcodes.*` is fine **only inside browser-only code paths** (`useEffect`, `useLayoutEffect`, event handlers, components after `'use client'` + post-mount). Anywhere else, use the explicit `window.transcodes` form **with an SSR guard** so `tsc` and bundler don't mask the runtime hazard.

**Idiomatic SSR-safe access patterns:**

```tsx
// Next.js App Router — 'use client' + useEffect (preferred)
'use client';
import { useEffect } from 'react';

export function LoginButton() {
  // ❌ WRONG — runs at first SSR pass, transcodes is undefined on the server
  // const isAuth = await transcodes.token.isAuthenticated();

  useEffect(() => {
    // ✅ OK — useEffect only runs in the browser
    transcodes.token.isAuthenticated().then((isAuth) => {
      // ...
    });
  }, []);

  return <button onClick={() => transcodes.openAuthLoginModal({})}>Sign in</button>;
}
```

```ts
// Anywhere outside an effect / handler in an SSR framework — feature-detect first.
// The window.transcodes form pairs naturally with `typeof window !== 'undefined'`.
function isTranscodesReady(): boolean {
  return typeof window !== 'undefined' && Boolean(window.transcodes);
}

if (isTranscodesReady()) {
  // Inside the guarded block, bare `transcodes.*` is safe to call.
  await transcodes.token.isAuthenticated();
}
```

```ts
// AVOID — the bare form silently breaks SSR because TS doesn't see the gap.
// In Next.js / Remix / Astro this throws at SSR build / render time.
const isAuth = await transcodes.token.isAuthenticated(); // ❌ at module top level
```

**Why prefer `window.transcodes` for the guard but `transcodes.*` for the call?**

- `typeof window !== 'undefined' && window.transcodes` is the canonical SSR feature-detection idiom — every Next.js / Remix codebase has it. Reviewers immediately recognise the intent.
- After the guard establishes browser context, switching to bare `transcodes.*` for the actual calls keeps the call sites short and matches the rest of the documentation.
- TypeScript narrows neither form (the `.d.ts` always promises `transcodes` exists), so the guard is purely a **runtime safety contract**, not a type-narrowing trick.

---

### npm fallback variants (only when user explicitly opts out of CDN static)

Generate these only after the user confirms they cannot use CDN static.

#### Next.js App Router — `@bigstrider/transcodes-sdk` (FALLBACK)

```tsx
// app/providers.tsx — 'use client'
'use client';
import { init } from '@bigstrider/transcodes-sdk';
import { useEffect } from 'react';

export function TranscodesProvider({ children }) {
  useEffect(() => {
    init({ projectId: process.env.NEXT_PUBLIC_TRANSCODES_PROJECT_ID! });
  }, []);
  return <>{children}</>;
}
```

#### Vue 3 + Vite — `@bigstrider/transcodes-sdk` (FALLBACK)

```typescript
// main.ts
import { init } from '@bigstrider/transcodes-sdk';
await init({ projectId: import.meta.env.VITE_TRANSCODES_PROJECT_ID });
```

---

## Quick start example (CDN static — DEFAULT)

**This is the default. Generate this — not an npm/`init()` variant — unless the user explicitly asks otherwise.**

```html
<!DOCTYPE html>
<html>
<head>
  <link rel="manifest" href="https://cdn.transcodes.link/RESOLVED_PROJECT_ID/manifest.json" />
  <script src="https://cdn.transcodes.link/RESOLVED_PROJECT_ID/webworker.js" defer></script>
</head>
<body>
  <button id="login">Sign in</button>
  <button id="logout" style="display:none">Sign out</button>
  <p id="status">Not signed in</p>

  <script defer>
    // React to auth state changes
    transcodes.on('AUTH_STATE_CHANGED', ({ isAuthenticated, member }) => {
      document.getElementById('status').textContent =
        isAuthenticated ? `Hello, ${member?.email}` : 'Not signed in';
      document.getElementById('login').style.display = isAuthenticated ? 'none' : '';
      document.getElementById('logout').style.display = isAuthenticated ? '' : 'none';
    });

    // Login
    document.getElementById('login').onclick = async () => {
      const result = await transcodes.openAuthLoginModal({});
      if (result.success) {
        const { token, member } = result.payload[0];
        // Send token to your API: Authorization: Bearer <token>
      }
    };

    // Sign out
    document.getElementById('logout').onclick = () => transcodes.token.signOut();
  </script>
</body>
</html>
```

---

## CDN TypeScript setup — MANDATORY

The CDN static path is the default integration method, and **`transcodes.d.ts` is a required part of it for any TypeScript project.** Without it, `window.transcodes` is `any` and the SDK call sites do not type-check — worse, with `strict` mode enabled the project will fail to compile (`Property 'transcodes' does not exist on type 'Window'`).

**Do not assume the file is already in the repo. Verify, then create it if missing.**

### Step 1 — Check `transcodes.d.ts` exists; if not, create it

Search the repo for an existing `transcodes.d.ts` (typical locations: `types/transcodes.d.ts`, `src/types/transcodes.d.ts`, or any path on `tsconfig.json` `include`).

- **If the file is MISSING → create it now.** This is mandatory, not optional. The canonical source is `https://www.transcodes.io/instructions/types` (you can also download/copy the same file from the Transcodes Console):

  ```bash
  mkdir -p types
  curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types
  ```

- **If the file EXISTS → confirm it is current** by re-running the `curl` (it overwrites the local copy with the latest CDN version). Stale `.d.ts` files cause subtle "method not found" errors when the SDK adds new APIs.

### Step 2 — Edit `tsconfig.json` (TypeScript projects only — REQUIRED)

**Skipping this step causes compile errors.** The TypeScript compiler will not pick up `transcodes.d.ts` unless its directory is on `include` and/or `typeRoots`. Update `tsconfig.json` like this:

```jsonc
{
  "compilerOptions": {
    // include the project-local types directory in addition to node_modules/@types
    "typeRoots": ["./node_modules/@types", "./types"]
  },
  // ensure the types/ directory is part of the compilation (not just typeRoots)
  "include": ["src", "types"]
}
```

If you used a different folder name in Step 1 (e.g. `src/types/`), match it in both `typeRoots` and `include`.

For Next.js projects, add the same paths to the **root** `tsconfig.json`. Do **not** rely on auto-generated `next-env.d.ts` to pick up `transcodes.d.ts` — it will not.

### Step 3 — Verify the compiler is happy

Run a no-emit type check to confirm the wiring:

```bash
npx tsc --noEmit
```

If `window.transcodes` is still untyped, `tsconfig.json` was edited incorrectly — re-check that the directory containing `transcodes.d.ts` appears in **both** `include` AND `typeRoots`, and that the file path is exactly `<dir>/transcodes.d.ts`.

After Steps 1–3, `window.transcodes`, `transcodes.openAuthLoginModal`, `transcodes.token.getCurrentMember()`, etc. are fully typed.

### Notes for the CDN static path

- **Do NOT call `init()`.** `webworker.js` bootstraps `window.transcodes` automatically. The `.d.ts` may still declare `init` (it is shared with the npm package) — ignore that export on the CDN static path.
- Re-run `curl` periodically (or as part of CI) so the local `transcodes.d.ts` stays in sync with the CDN.

### npm fallback only

When the user has explicitly chosen `@bigstrider/transcodes-sdk`, TypeScript types ship with the package and **no** extra `transcodes.d.ts` file is needed (and no `tsconfig.json` edit either). This exemption applies only to the npm fallback — not to the default CDN static path.

---

## React AuthContext pattern (recommended)

The standard pattern for React apps. The structure is identical for both integrations — only the imports change. **Default to the CDN static version**: read everything off the bare `transcodes` global (typed via `transcodes.d.ts`). The npm import shape below is shown for the fallback case only.

**CDN static (DEFAULT) — replace the import block with:**

```tsx
// src/context/AuthContext.tsx — CDN static
// transcodes.d.ts must be installed (see "CDN TypeScript setup")
const sdkIsAuthenticated = () => transcodes.token.isAuthenticated();
const sdkLogin = (params: { webhookNotification?: boolean }) =>
  transcodes.openAuthLoginModal(params);
const sdkConsole = () => transcodes.openAuthConsoleModal();
const sdkIdp = (params: { resource: string; action: 'create' | 'read' | 'update' | 'delete' }) =>
  transcodes.openAuthIdpModal(params);
const sdkSignOut = () => transcodes.token.signOut();
const on = transcodes.on.bind(transcodes);
// ...rest of AuthProvider below is identical
```

**npm fallback — only when the user has confirmed Option B:**

```tsx
// src/context/AuthContext.tsx
import { createContext, useEffect, useState, type ReactNode } from 'react';
import {
  isAuthenticated as sdkIsAuthenticated,
  openAuthLoginModal as sdkLogin,
  openAuthConsoleModal as sdkConsole,
  openAuthIdpModal as sdkIdp,
  signOut as sdkSignOut,
  on,
} from '@bigstrider/transcodes-sdk';

interface AuthContextValue {
  isAuthenticated: boolean;
  isLoading: boolean;
  memberId: string | null;
  openAuthLoginModal: () => Promise<void>;
  openAuthConsoleModal: () => Promise<void>;
  openAuthIdpModal: (params: {
    resource: string;
    action: 'create' | 'read' | 'update' | 'delete';
  }) => Promise<void>;
  signOut: () => Promise<void>;
}

export const AuthContext = createContext<AuthContextValue>({ /* defaults */ } as AuthContextValue);

export function AuthProvider({ children }: { children: ReactNode }) {
  const [isAuth, setIsAuth] = useState(false);
  const [isLoading, setIsLoading] = useState(true);
  const [memberId, setMemberId] = useState<string | null>(null);

  useEffect(() => {
    sdkIsAuthenticated().then((auth) => {
      setIsAuth(auth);
      setIsLoading(false);
    });

    const unsubscribe = on('AUTH_STATE_CHANGED', ({ isAuthenticated, member }) => {
      setIsAuth(isAuthenticated);
      setMemberId(member?.id ?? null);
    });

    return () => unsubscribe();
  }, []);

  return (
    <AuthContext.Provider value={{
      isAuthenticated: isAuth,
      isLoading,
      memberId,
      openAuthLoginModal: async () => {
        const result = await sdkLogin({});
        if (result.success) setMemberId(result.payload[0]?.member?.id ?? null);
      },
      openAuthConsoleModal: async () => { await sdkConsole(); },
      openAuthIdpModal: async (params) => { await sdkIdp(params); },
      signOut: async () => {
        await sdkSignOut();
        setIsAuth(false);
        setMemberId(null);
      },
    }}>
      {children}
    </AuthContext.Provider>
  );
}
```

Wrap your app in `<AuthProvider>` and consume with `use(AuthContext)` in components.

---

## Quick start example (`@bigstrider/transcodes-sdk` — React) — npm FALLBACK

**Generate this only when the user has explicitly chosen the npm SDK.** For the default CDN static path, use the bare `transcodes` global directly (see Quick start example above).

```tsx
// src/App.tsx
'use client'; // Next.js
import { openAuthLoginModal, on, getCurrentMember } from '@bigstrider/transcodes-sdk';
import { useEffect, useState } from 'react';
import type { Member } from '@bigstrider/transcodes-sdk';

export default function App() {
  const [member, setMember] = useState<Member | null>(null);

  useEffect(() => {
    getCurrentMember().then((r) => setMember(r.success ? r.member : null));
    const unsub = on('AUTH_STATE_CHANGED', (p) => setMember(p.member));
    return unsub;
  }, []);

  const handleLogin = async () => {
    const result = await openAuthLoginModal({});
    if (result.success) setMember(result.payload[0].member);
  };

  return member
    ? <p>Hello, {member.email}</p>
    : <button onClick={handleLogin}>Sign in</button>;
}
```

---

## Step-up MFA example (CDN static — DEFAULT)

Use before any sensitive action. This example shows the **default CDN static** flow via the bare `transcodes` global. The npm SDK variant uses named imports (see API 4 above) and should only be used if the user explicitly chose Option B.

**CDN step-up with all mandatory steps:**

```typescript
// CDN step-up implementation
// Resolve resource/action from MCP / Console first. If unavailable, ask the user and stop.
async function deleteUser(userId: string) {
  try {
    const resource = resolvedResource; // resolved via get_resources or explicit user input
    const action = resolvedAction;     // resolved from the protected operation

    // 1. Request step-up verification
    const mfa = await transcodes.openAuthIdpModal({
      resource,
      action,
    });

    // SUCCESS CHECKS before using sid
    if (!mfa.success || !mfa.payload[0]?.success) return;

    // Send session ID to YOUR backend
    const sessionId = mfa.payload[0].sid;
    await fetch(`/api/users/${userId}`, {
      method: 'DELETE',
      headers: {
        Authorization: `Bearer ${await transcodes.token.getAccessToken()}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ sessionId }),
    });
    // YOUR backend calls: GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sessionId}
    // with header `x-transcodes-token: <JWT_TOKEN_FROM_TRANSCODES_CONSOLE>` to verify before executing the action.

    // 4. Audit log success
    await transcodes.trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: true,
      metadata: { userId },
    });
  } catch (err) {
    // 5. Audit log failure
    await transcodes.trackUserAction({
      tag: 'user:delete',
      severity: 'high',
      status: false,
      error: (err as Error).message,
      metadata: { userId },
    });
  }
}
```

---

## Server-side JWT verification

When you create an Authentication Cluster, you receive a `public_key.json` file (EC P-256 / ES256). Use this key to verify JWTs issued by Transcodes on your server. No JWKS endpoint or remote key fetch is needed.

Flow:
1. Client calls `await getAccessToken()` to get the JWT
2. Client sends the token to your backend via `Authorization: Bearer <token>`
3. Your backend verifies the token locally using `public_key.json`

`public_key.json` format (download from Console → Authentication Cluster):
```json
{
  "kty": "EC",
  "x": "...",
  "y": "...",
  "crv": "P-256",
  "alg": "ES256",
  "kid": "..."
}
```

If you regenerate the public key in the Console, the previous key becomes invalid. Update `public_key.json` on your server immediately.

### Node.js / Next.js (jose)

```typescript
// npm install jose
import { importJWK, jwtVerify, type JWTPayload } from 'jose';

// Paste your public_key.json content here, or import from a file
const TRANSCODES_PUBLIC_JWK = {
  kty: 'EC',
  x: '...',
  y: '...',
  crv: 'P-256',
  alg: 'ES256',
  kid: '...',
};

let _publicKey: Awaited<ReturnType<typeof importJWK>> | null = null;

async function getPublicKey() {
  if (!_publicKey) {
    _publicKey = await importJWK(TRANSCODES_PUBLIC_JWK, 'ES256');
  }
  return _publicKey;
}

async function verifyToken(token: string): Promise<JWTPayload> {
  const publicKey = await getPublicKey();
  const { payload } = await jwtVerify(token, publicKey);
  return payload;
}
```

Express middleware:
```typescript
app.use(async (req, res, next) => {
  const auth = req.headers.authorization;
  if (!auth?.startsWith('Bearer ')) return res.status(401).json({ error: 'No token' });
  try {
    req.member = await verifyToken(auth.slice(7));
    next();
  } catch {
    res.status(401).json({ error: 'Invalid or expired token' });
  }
});
```

Next.js middleware / route handler:
```typescript
import { importJWK, jwtVerify, type JWTPayload } from 'jose';
import { NextRequest, NextResponse } from 'next/server';

const TRANSCODES_PUBLIC_JWK = { /* paste public_key.json */ };

let _publicKey: Awaited<ReturnType<typeof importJWK>> | null = null;
async function getPublicKey() {
  if (!_publicKey) _publicKey = await importJWK(TRANSCODES_PUBLIC_JWK, 'ES256');
  return _publicKey;
}

export async function verifyAuth(req: NextRequest): Promise<{ payload: JWTPayload } | NextResponse> {
  const authHeader = req.headers.get('authorization');
  if (!authHeader?.startsWith('Bearer ')) {
    return NextResponse.json({ error: 'No token' }, { status: 401 });
  }
  try {
    const publicKey = await getPublicKey();
    const { payload } = await jwtVerify(authHeader.slice(7), publicKey);
    return { payload };
  } catch {
    return NextResponse.json({ error: 'Invalid or expired token' }, { status: 401 });
  }
}
```

### Python (PyJWT)

```python
# pip install pyjwt cryptography
import jwt

PUBLIC_KEY_JWK = {
    "kty": "EC",
    "x": "...",
    "y": "...",
    "crv": "P-256",
    "alg": "ES256",
    "kid": "...",
}

_public_key = jwt.algorithms.ECAlgorithm.from_jwk(PUBLIC_KEY_JWK)

def verify_token(token: str) -> dict:
    return jwt.decode(token, _public_key, algorithms=["ES256"])
```


## CSP (Content Security Policy)

At minimum, allow the CDN for the SDK script. The exact API domains for `connect-src` and `frame-src` are listed in your Transcodes Console → Authentication Cluster → Installation Guide.

```html
<meta
  http-equiv="Content-Security-Policy"
  content="
    script-src  'self' https://cdn.transcodes.link;
    connect-src 'self' {TRANSCODES_API_DOMAINS};
    frame-src   'self' {TRANSCODES_API_DOMAINS};
  "
/>
```

---

## Release Checklist

Use this checklist before outputting final code:

0. **Integration method = CDN static** — `<script src="…/webworker.js" defer></script>` in HTML `<head>`, plus `<link rel="manifest">` for PWA, plus `public/sw.js` (one-line `importScripts`). The script tag has `defer` only — **no `type="module"`, no `crossorigin`, no `async`**. The npm SDK (`@bigstrider/transcodes-sdk`) is used **only** if the user explicitly opted out of CDN static.
0a. **`transcodes.d.ts` is installed AND `tsconfig.json` is wired** for any TypeScript project on the CDN static path. All three sub-steps must be done — verify, do not assume:
    - `transcodes.d.ts` exists in the repo (e.g. `types/transcodes.d.ts`). If it was missing, you fetched it from `https://www.transcodes.io/instructions/types` (not from memory).
    - `tsconfig.json` includes the directory in **both** `include` AND `typeRoots`. **Skipping this is a guaranteed compile error.**
    - `npx tsc --noEmit` passes (or the project's equivalent type-check command).
0b. **No `init()` call** on the CDN static path. (`init({ projectId })` appears only in confirmed npm fallback code.)
1. `projectId`, JWT issuer, and server-side Transcodes token (`x-transcodes-token`) are resolved or explicitly requested from the user.
2. Only the canonical modal APIs are used:
   - `openAuthLoginModal({ webhookNotification? })`
   - `openAuthConsoleModal()`
   - `openAuthIdpModal({ resource, action, forceStepUp?, webhookNotification? })`
3. All async SDK methods use `await`.
4. Every modal result checks outer `result.success` before reading `payload`.
5. `openAuthIdpModal()` checks both outer `result.success` and inner `result.payload[0]?.success` before using `sid`.
6. Step-up flows send `sessionId` to the app backend, and the backend verifies it with:
   - `GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sessionId}`
   - header `x-transcodes-token: <JWT_TOKEN_FROM_TRANSCODES_CONSOLE>` (server-only JWT issued from the Console; different from `TRANSCODES_TOKEN` used by MCP)
7. Protected modals are preceded by `await isAuthenticated()`.
8. Event subscriptions return and use `unsubscribe` on cleanup.
9. Audit log tags use `entity:action` format.
10. Sensitive operations log both success and failure.
11. `resource` is resolved via `get_resources` or explicit user input; never guessed.
12. Final code contains no unresolved placeholders.

---

## [Agent Rule — .transcodes Integration Record]

### After completing Transcodes frontend integration

When the initial installation and configuration of Transcodes is finished, **you MUST create a `.transcodes/` folder** in the project root and generate a documentation file that records how each Transcodes API was used.

**Create:** `.transcodes/integration.md`

The file must contain:

1. **Project info** — Project ID, integration method (`CDN static` is the default; record `npm` only if the user explicitly chose it), framework
2. **openAuthLoginModal** — where it is called, which component/page, any options used (e.g. `webhookNotification`)
3. **openAuthConsoleModal** — where it is called, which component/page
4. **openAuthIdpModal** — where it is called, which `resource` and `action` values were used, whether `forceStepUp` is enabled
5. **Transcodes MCP** — if used: which tools (e.g. members, roles, audit logs), and how the project is configured
6. **trackUserAction** — every call site, the `tag` used, `severity`, what `metadata` is passed
7. **Events** — which events are subscribed to (`AUTH_STATE_CHANGED`, `TOKEN_EXPIRED`, etc.) and where
8. **Server-side** — whether JWT verification is implemented, which endpoint, which library

Format each entry as a table or bullet list with: **file path**, **function/component name**, **parameters**, and **purpose**.

Example structure:

```
# Transcodes Integration Record

## Project
- Project ID: proj_abc123
- Method: CDN static (`<script defer>` + `transcodes.d.ts`)
- Framework: Next.js 15 App Router
- TypeScript: `types/transcodes.d.ts` created from https://www.transcodes.io/instructions/types; `tsconfig.json` updated (`include` + `typeRoots` both contain `./types`); `npx tsc --noEmit` passes.

## openAuthLoginModal
| File | Component | Options | Purpose |
|------|-----------|---------|---------|
| src/app/components/LoginButton.tsx | LoginButton | webhookNotification: true | Main login flow |

## openAuthConsoleModal
| File | Component | Purpose |
|------|-----------|---------|
| src/app/components/SettingsButton.tsx | SettingsButton | Member self-service (passkey, TOTP, profile) |

## openAuthIdpModal
| File | Component | resource | action | Purpose |
|------|-----------|----------|--------|---------|
| src/app/admin/DeleteUser.tsx | DeleteUserButton | users | delete | Step-up before user deletion |

## trackUserAction
| File | tag | severity | metadata keys | Purpose |
|------|-----|----------|---------------|---------|
| src/app/admin/DeleteUser.tsx | user:delete | high | userId | Audit log for user deletion |
| src/app/payments/Checkout.tsx | payment:process | high | amount, currency | Payment audit trail |
```

### Before modifying an existing Transcodes integration

**[Agent Rule — always read .transcodes first]** When the user asks to modify, refactor, or extend any Transcodes integration code, **you MUST read `.transcodes/integration.md` BEFORE making any changes.** This file is the single source of truth for how the integration is wired. Use it to:

- Understand which APIs are used and where
- Avoid breaking existing call sites
- Keep the documentation in sync — **update `.transcodes/integration.md` after every change**

If `.transcodes/integration.md` does not exist yet, create it by scanning the codebase for all Transcodes API call sites first.

---

## Browser support

| Browser | Minimum |
| ------- | ------- |
| Chrome  | 67+     |
| Safari  | 14+     |
| Firefox | 60+     |
| Edge    | 79+     |

WebAuthn requires **HTTPS** in production. `localhost` / `127.0.0.1` work for development.

---

## Scope: Transcodes vs Your App

| Transcodes SDK handles              | Your app should implement               |
| ----------------------------------- | --------------------------------------- |
| Passkey credential storage          | XSS / CSRF protection                   |
| JWT issuance and refresh            | Application-level authorization logic   |
| WebAuthn ceremony (challenge/verify)| Server-side JWT verification            |
| UI modals (login, console, step-up) | HTTPS in production                     |
| Token memory management             | Rate limiting on your API               |

### Recommended frontend implementations

**XSS Protection:**
- Sanitize user input before rendering (`DOMPurify` or framework-native escaping)
- Set `Content-Security-Policy` headers (see CSP section above)
- Avoid `innerHTML` / `dangerouslySetInnerHTML` with untrusted data

**CSRF Protection:**
- Use `SameSite=Strict` or `SameSite=Lax` on cookies
- Add CSRF tokens on state-mutating requests if using cookie-based sessions
- Transcodes JWT is stored in memory (not cookies), so XSS is the primary vector to guard against

**HTTPS:**
- Required for WebAuthn in production (`localhost` is exempt for development)
- Use reverse proxy (nginx, Cloudflare, Vercel) or platform-managed TLS

**Rate Limiting:**
```typescript
// Example: express-rate-limit
import rateLimit from 'express-rate-limit';

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                  // 100 requests per window per IP
});

app.use('/api/', limiter);
```

---

## Links

- [Full docs](https://www.transcodes.io/docs)
- [MCP Server Setup](https://www.transcodes.io/docs/mcp-server)
- [API Reference](https://www.transcodes.io/docs/api-reference)
- [Quick Integration](https://www.transcodes.io/docs/quick-integration)
- [Console](https://app.transcodes.io)

---

## Video Tutorials

**[Agent Instruction for Videos]** Append the relevant video link when generating complex setups.

### General Setup & Demos
- **Organization & Project Creation**
  - **Description**: Shows how to create an organization and a project from the Transcodes Console.
  - **When to show**: When the user is just starting out, asks how to create an account, or needs to set up their first workspace.
  - **Link**: [Watch Video](https://player.mux.com/wS301Khp4BQzGhcNGqeRcDRtDqN600HdEXThbIIqTSK8w?metadata-video-title=getting_started&video-title=getting_started)
- **Creating Auth & PWA Clusters**
  - **Description**: Demonstrates how to create and configure Authentication and PWA clusters within a project.
  - **When to show**: When the user asks how to enable auth/PWA, or is stuck on the "Console prerequisite" step.
  - **Link**: [Watch Video](https://player.mux.com/74dnHn2e8BRKw99r1nCH7qG7YasJjDdaeXYezgdWqBY?metadata-video-title=project_setup_node&video-title=project_setup_node)
- **Official Authentication Demo**
  - **Description**: A complete walkthrough of the Transcodes authentication flow (passkey, step-up MFA) from an end-user perspective.
  - **When to show**: When the user asks "what does the login look like?" or wants to see the final product in action.
  - **Link**: [Watch Video](https://player.mux.com/c9GY3lWAi2E3gZzLkolhil87rg28S8dfA1SLBSc8N00k?metadata-video-title=official_demo_complete&video-title=official_demo_complete)
- **Official PWA Demo**
  - **Description**: Shows the PWA installation process and how the app looks when installed on a device.
  - **When to show**: When the user asks "how does the PWA install work?" or wants to see the PWA UX.
  - **Link**: [Watch Video](https://player.mux.com/PA00U9vVASatqGU3iw5sFemijDKi1vskPFUjWmoXx902Q?metadata-video-title=getting_started_pwa&video-title=getting_started_pwa)

### Authentication Kit
- **Customizing Modal Branding**
  - **Description**: How to change the logo, colors, and styling of the authentication modals via the Console.
  - **When to show**: When the user asks how to change the modal color, add their logo, or customize the UI.
  - **Link**: [Watch Video](https://player.mux.com/DbWrDD5TOC17mH2POv1Ib01Azez2fZobXDMmElMXDhbY?metadata-video-title=auth_branding&video-title=auth_branding)
- **Setting up RBAC (Role-Based Access Control)**
  - **Description**: How to define roles, permissions, and assign them to members in the Console.
  - **When to show**: When the user asks about role-based access control, how to restrict access, or how roles map to permissions in the Console.
  - **Link**: [Watch Video](https://player.mux.com/1RDl5VEY602DNguYqjVDK6PaQ00B9CD01yDcYD6HiF5mi8?metadata-video-title=auth_rbac&video-title=auth_rbac)
- **Configuring Webhooks**
  - **Description**: How to set up Slack/Discord webhooks to get notified on user logins or actions.
  - **When to show**: When the user asks about notifications, Slack integrations, or webhook parameters in the API.
  - **Link**: [Watch Video](https://player.mux.com/YeyzMIwwN800v9zYVc8dKKrvCTy02EJ713mZJfZ1soBnw?metadata-video-title=auth_webhook&video-title=auth_webhook)
- **Viewing Audit Logs**
  - **Description**: How to view and filter user action logs in the Transcodes Console.
  - **When to show**: When the user asks where to see the logs generated by `trackUserAction` or wants to monitor user activity.
  - **Link**: [Watch Video](https://player.mux.com/HK00WvGEok500415CmQ7TavCStVG3t3YgNHNih8K02Z9028?metadata-video-title=auth_audit&video-title=auth_audit)
- **Server-side Auth (JWT Verification)**
  - **Description**: How to verify Transcodes JWTs on a backend server using `public_key.json` (ES256 / `jose`).
  - **When to show**: When the user asks how to protect their backend API or verify tokens server-side.
  - **Link**: [Watch Video](https://player.mux.com/qtgRGW1DB006D6JTNYIyWy01uGy014YXOufbCUYr00p1oZ4?metadata-video-title=auth_json&video-title=auth_json)
- **Authentication Backup Methods**
  - **Description**: Setting up fallback authentication methods (like email or TOTP) when passkeys aren't available.
  - **When to show**: When the user asks "what if the user loses their passkey?" or wants to enable email/TOTP login.
  - **Link**: [Watch Video](https://player.mux.com/I4OctRguqJvaqRFE9uL6oQTIjZNBWqhrBpNzFfkJJO4?metadata-video-title=auth_backup&video-title=auth_backup)

### PWA / Web App Kit
- **PWA & Auth CDN static Installation (index.html)**
  - **Description**: How to add `<link rel="manifest">` + native `<script src="…/webworker.js" defer></script>` in `<head>` (React SPA and Next.js — no `next/script`, no `type="module"`, no `crossorigin`); fetch **https://www.transcodes.io/instructions/types**, save as `transcodes.d.ts`, wire `tsconfig.json`; the CDN static path needs no `init()`.
  - **When to show**: When the user is setting up the default CDN static integration or asks where to put the script tag.
  - **Link**: [Watch Video](https://player.mux.com/PQCWSkHiBYjhWkJXlsHu7w5Ha9U2oWnDGtAjbaCo1Go?metadata-video-title=pwa_auth_installation&video-title=pwa_auth_installation)
- **PWA Installation Simulation**
  - **Description**: Simulates the user experience of installing the PWA.
  - **When to show**: When the user wants to understand the install prompt flow.
  - **Link**: [Watch Video](https://player.mux.com/HAp2zjaue756ndCwdQ02PsJGjZk01Ft75r101hhDSeE93Y?metadata-video-title=pwa_installation&video-title=pwa_installation)
- **Rich Install Screenshots Setup**
  - **Description**: How to upload and configure screenshots that appear in the PWA install prompt.
  - **When to show**: When the user asks how to add images to the install prompt or configure rich install UI.
  - **Link**: [Watch Video](https://player.mux.com/blZ00ZnVCN00RMow02DL4fMwCBTdjSXNtJRPbO7jEFm4jU?metadata-video-title=pwa_screenshot&video-title=pwa_screenshot)
- **Widget Component Configuration**
  - **Description**: How to configure the floating PWA install widget.
  - **When to show**: When the user asks about the install button or widget configuration.
  - **Link**: [Watch Video](https://player.mux.com/QfE008xqjTzHLjoGabizmqU00fdb7ZGrwve1QgpFeJU6g?metadata-video-title=pwa_widget&video-title=pwa_widget)
- **Manifest Configuration**
  - **Description**: How to set up the PWA manifest details (name, short name, theme color, display mode) in the Console.
  - **When to show**: When the user asks how to change the app name, colors, or display settings for the PWA.
  - **Link**: [Watch Video](https://player.mux.com/JEm5F02GQfAWlNWxujqt8B9ScTXSCvs00RzraM9YHF01Ds?metadata-video-title=pwa_configuration&video-title=pwa_configuration)
- **Custom Icon Setup**
  - **Description**: How to upload a base icon and have Transcodes automatically generate all required manifest icon sizes.
  - **When to show**: When the user asks how to set the app icon for the home screen.
  - **Link**: [Watch Video](https://player.mux.com/W2Gs4TJThlEkOW3m017RtP00ZsbkP01ZP6y7JoCrkTe5no?metadata-video-title=pwa_icon&video-title=pwa_icon)
- **PWA Cache Settings**
  - **Description**: How to configure offline caching strategies via the Transcodes Console.
  - **When to show**: When the user asks about offline support or caching static assets.
  - **Link**: [Watch Video](https://player.mux.com/39ieyO856vgEacy0136q3qHEQEEQaokRl9vgPS8hizgE?metadata-video-title=pwa_cache&video-title=pwa_cache)

---

# Troubleshooting

Use this section when something is not working. Each entry maps **symptom → cause → fix**.

---

## PWA / sw.js

### GET /sw.js → 404
- **Cause**: `public/sw.js` does not exist in the repo, but the browser is requesting it because Transcodes PWA wiring is (or was) active.
- **Diagnosis**: Check if `public/sw.js` is present. Check browser DevTools → Application → Service Workers for stale registrations.
- **Fix**: Create `public/sw.js` with exactly one line:
  ```javascript
  importScripts('https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/sw.js');
  ```
- **If PWA is not needed**: Remove `<link rel="manifest">` and `<script … webworker.js>` from `<head>`. Clear stale SW via DevTools → Application → Service Workers → Unregister.

### PWA install prompt never appears
- **Cause 1**: `public/sw.js` is missing → browser cannot register the service worker.
- **Cause 2**: `<link rel="manifest">` is missing from `<head>`.
- **Cause 3**: Site is not served over HTTPS (required for WebAuthn / PWA).
- **Fix**: Confirm all three: manifest link in `<head>`, `sw.js` served at `/sw.js`, HTTPS in production.

### manifest.json → 404
- **Cause**: Using a local `manifest.json` path that does not exist instead of the CDN URL.
- **Fix**: Use `href="https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/manifest.json"` — do not create a local file.

---

## SDK loading (CDN static)

### Should I use the npm SDK instead?
- **Default answer: NO.** Use CDN static (`<script src="…/webworker.js" defer></script>` in `<head>` + `transcodes.d.ts`). The npm SDK is a fallback used only when the user explicitly opts out of CDN static — for example, an environment with no controllable HTML `<head>`.
- **If you already wired npm without asking**: Switch to CDN static unless the user has confirmed they need npm.

### `window.transcodes` is undefined
- **Cause 1**: `<script src=".../webworker.js" defer>` is missing from `<head>` — or placed in `<body>` after scripts that depend on it.
- **Cause 2**: Code accessed `window.transcodes` before the deferred script finished executing. Deferred scripts run after HTML parsing but before `DOMContentLoaded`.
- **Cause 3**: The script was loaded with the wrong attributes — e.g. `type="module"`, `async`, or wrapped in Next.js `<Script>`. Use **plain `<script src defer>`** only.
- **Cause 4**: Next.js `<Script strategy="beforeInteractive">` or any framework loader was used instead of a native `<script>` in `<head>`.
- **Fix**: Place exactly `<script src="https://cdn.transcodes.link/{RESOLVED_PROJECT_ID}/webworker.js" defer></script>` inside `<head>`. Gate usage on `window.transcodes` existing, on `DOMContentLoaded`, or subscribe to `AUTH_STATE_CHANGED` instead of reading on load.

### `ReferenceError: transcodes is not defined` (or `window is not defined`) on the server
- **Symptom**: Build/runtime error during Next.js SSR/RSC, Remix loader, Astro SSR, SvelteKit prerender, or `next build` — the stack trace points at `transcodes.*` or `window.transcodes.*`.
- **Cause**: The SDK call ran in a server context (Node) where neither the `transcodes` global nor `window` exists. Common triggers:
  - Bare `transcodes.token.isAuthenticated()` at the top of a `'use client'` file (still rendered on the server during SSR pass).
  - SDK call in a Server Component / RSC body.
  - SDK call in `getServerSideProps`, `getStaticProps`, Remix `loader` / `action`, SvelteKit `+page.server.ts`, or Astro frontmatter.
  - SDK call in module top-level of any file imported by an SSR route.
- **Why TypeScript missed it**: `transcodes.d.ts` declares `var transcodes: Window['transcodes']` as always-present. The type system has no way to know the global is missing on the server.
- **Fix**:
  - **Move the call into a browser-only path** — `useEffect`, `useLayoutEffect`, an event handler, or a post-mount callback.
  - **Or guard the call**: `if (typeof window !== 'undefined' && window.transcodes) { ... }` — works in module top-level too.
  - For Next.js, ensure the file starts with `'use client'` AND the call is inside `useEffect` (not the render body).
  - See **Framework-specific access pattern** for the per-framework matrix.

### Script tag has `type="module"` or `crossorigin` / `crossOrigin`
- **Cause**: Old documentation or muscle memory from the prior recommendation.
- **Fix**: Remove both attributes. The canonical tag is `<script src="…/webworker.js" defer></script>` — `defer` is the only attribute besides `src`.

### TypeScript compile error: `Property 'transcodes' does not exist on type 'Window & typeof globalThis'`
- **Cause A**: `transcodes.d.ts` is not in the repo at all. **This file is mandatory for the CDN static path — you must create it if it is missing.**
- **Cause B**: `transcodes.d.ts` exists, but `tsconfig.json` was never edited, so the compiler does not pick it up.
- **Cause C**: `tsconfig.json` was edited but the directory is on `typeRoots` only OR `include` only — both are required.
- **Fix (sequence — execute every step, do not skip)**:
  1. `mkdir -p types && curl -o types/transcodes.d.ts https://www.transcodes.io/instructions/types`
  2. Edit `tsconfig.json` so `types` appears in **both** `include` AND `typeRoots`:
     ```jsonc
     {
       "compilerOptions": { "typeRoots": ["./node_modules/@types", "./types"] },
       "include": ["src", "types"]
     }
     ```
  3. `npx tsc --noEmit` — if the error is gone, you are done.
- See **CDN TypeScript setup** for the canonical procedure.

### TypeScript error: `window.transcodes` has no type / implicit `any` (non-strict mode)
- **Cause**: Same as above (missing `transcodes.d.ts` or unedited `tsconfig.json`). Without `strict`/`noImplicitAny` the compiler does not crash, but every SDK call site falls back to `any` — you lose autocomplete and type checks.
- **Fix**: Same 3-step sequence as the compile error above.

### `init is not a function` or calling `init()` breaks the CDN static flow
- **Cause**: `init()` is only for the `@bigstrider/transcodes-sdk` (npm) fallback path. The CDN static path bootstraps automatically — `init()` must NOT be called.
- **Fix**: Remove the `init()` call. Confirm the integration is CDN static (a `<script src defer>` in `<head>`), not npm.

---

## Authentication modals

### Modal does not open / nothing happens
- **Cause 1**: `await` missing — `openAuthLoginModal({})` returns a Promise; without `await` it silently resolves.
- **Cause 2**: `isAuthenticated()` missing `await` — always returns a truthy Promise object, so the auth guard short-circuits.
- **Fix**: Always `await` every SDK async method.

### `result.success` is false after login
- **Cause**: User cancelled the modal, or auth failed.
- **Fix**: Check `result.success` before accessing `result.payload`. Do not access `payload` when `success` is false.

### `openAuthIdpModal` returns `success: false`
- **Cause 1**: The member's role has permission `0` (deny) for the given `resource` + `action` in the Console permission matrix.
- **Cause 2**: `resource` or `action` string does not match any key in Console → RBAC → Resources.
- **Fix**: Console → RBAC → Permission Matrix → set the cell for the role × resource × action to `1` (allow) or `2` (allow + step-up). Use `get_resources` via MCP to verify the exact resource key.

### Step-up session verification fails on the backend
- **Cause**: Client is sending `sessionId` directly to Transcodes instead of to its own backend, or the backend is not calling `GET https://api.transcodesapis.com/v1/auth/temp-session/step-up/{sid}` with header `x-transcodes-token`.
- **Fix**: Flow must be: client → own backend (with `sid`) → own backend calls Transcodes API with `x-transcodes-token: <AUTH_API_TOKEN>`. Never verify step-up on the client side.

---

## JWT / server-side

### JWT verification error: "algorithm not supported" or "invalid signature"
- **Cause**: Using `RS256` / `jwks-rsa` / `jsonwebtoken` instead of `ES256` / `jose` + `public_key.json`.
- **Fix**: Install `jose`. Use `importJWK(PUBLIC_JWK, 'ES256')` + `jwtVerify`. The key comes from `public_key.json` downloaded from Console → Authentication Cluster.

### JWT verification error: "key not found" or "kid mismatch"
- **Cause**: `public_key.json` was regenerated in the Console but the server still uses the old key.
- **Fix**: Download the new `public_key.json` from Console → Authentication Cluster → copy/download. Update `TRANSCODES_PUBLIC_JWK` on the server and redeploy.

### `getAccessToken()` returns `null`
- **Cause**: No active session — user has not logged in, or token has expired and refresh failed.
- **Fix**: Call `isAuthenticated()` first. If false, call `openAuthLoginModal({})`. Never assume a token exists without checking.

### `getCurrentMember()` returns `{ success: false, error: 'unauthenticated' }`
- **Cause**: No active session.
- **Fix**: Establish a session via `openAuthLoginModal({})` first.

### `getCurrentMember()` returns `{ success: false, error: 'revoked' }`
- **Cause**: The member account has been suspended in the Console.
- **Fix**: Console → Members → find member → lift suspension. Or handle gracefully by signing the user out.

---

## RBAC

### Role names — where do exact strings come from?
- **MCP available**: Call `get_roles` via Transcodes MCP → use the returned role name strings exactly (for Console configuration, permission matrix, and MCP tools).
- **MCP not available**: Console → RBAC → Roles → copy exact names.
- **Never invent** role names.

### `resource` / `action` — where do I get the values?
- **MCP available**: Call `get_resources` via Transcodes MCP → use the returned `resource_key` strings exactly.
- **MCP not available**: Console → RBAC → Resources → copy exact keys. Ask the user which resource + action maps to the sensitive operation.

---

## CSP / network errors

### SDK script blocked by CSP
- **Symptom**: Console error `Refused to load script … because it violates the following Content Security Policy directive`.
- **Fix**: Add `https://cdn.transcodes.link` to `script-src`. Also add the API domains to `connect-src` and `frame-src` — exact values are in Console → Authentication Cluster → Installation Guide.

### Transcodes API calls blocked (CORS / network)
- **Cause**: `connect-src` in CSP does not include the Transcodes API domain.
- **Fix**: Add the Transcodes API domain from Console → Authentication Cluster → Installation Guide to `connect-src`.

---

## Documentation Site Map

The full Transcodes documentation is available at https://www.transcodes.io/docs. Below is every page organized by category.

### Introduction
- https://www.transcodes.io/docs/introduction — Overview of Transcodes
- https://www.transcodes.io/docs/introduction/how-it-works — How Transcodes works
- https://www.transcodes.io/docs/introduction/why-transcodes — Why choose Transcodes
- https://www.transcodes.io/docs/introduction/architecture — System architecture

### LLM Context
- https://www.transcodes.io/docs/llm-context — AI/LLM integration context and instructions

### Complete Guide & MCP Server
- https://www.transcodes.io/docs/mcp-server — Complete guideline for setting up projects & MCP server setup for Claude, Cursor, Codex

### Quick Integration
- https://www.transcodes.io/docs/quick-integration — Quick start overview
- https://www.transcodes.io/docs/quick-integration/react — React integration
- https://www.transcodes.io/docs/quick-integration/nextjs — Next.js integration
- https://www.transcodes.io/docs/quick-integration/vue — Vue.js integration
- https://www.transcodes.io/docs/quick-integration/vanilla — Vanilla JS integration

### Demonstrations
- https://www.transcodes.io/docs/demonstration — Demo overview
- https://www.transcodes.io/docs/demonstration/passkey-login — Passkey login flow
- https://www.transcodes.io/docs/demonstration/passkey-login/create-project — Create project
- https://www.transcodes.io/docs/demonstration/passkey-login/import-cdn — Import CDN
- https://www.transcodes.io/docs/demonstration/passkey-login/call-login-modal — Call login modal
- https://www.transcodes.io/docs/demonstration/passkey-login/listen-state — Listen to auth state
- https://www.transcodes.io/docs/demonstration/passkey-login/server-side — Server-side verification
- https://www.transcodes.io/docs/demonstration/passkey-login/console-panel — Console panel
- https://www.transcodes.io/docs/demonstration/stepup-mfa — Step-up MFA flow
- https://www.transcodes.io/docs/demonstration/stepup-mfa/prerequisites — Prerequisites
- https://www.transcodes.io/docs/demonstration/stepup-mfa/import-cdn — Import CDN
- https://www.transcodes.io/docs/demonstration/stepup-mfa/call-mfa-modal — Call MFA modal
- https://www.transcodes.io/docs/demonstration/stepup-mfa/handle-mfa-response — Handle MFA response
- https://www.transcodes.io/docs/demonstration/history-log — History log
- https://www.transcodes.io/docs/demonstration/history-log/step-1-basics — Step 1: Basics
- https://www.transcodes.io/docs/demonstration/history-log/step-2-passkey-events — Step 2: Passkey events
- https://www.transcodes.io/docs/demonstration/history-log/step-3-mfa-events — Step 3: MFA events

### Web App Cluster
- https://www.transcodes.io/docs/web-app-cluster — Overview
- https://www.transcodes.io/docs/web-app-cluster/installation-guide — Installation guide
- https://www.transcodes.io/docs/web-app-cluster/configuration — Configuration
- https://www.transcodes.io/docs/web-app-cluster/app-icons — App icons
- https://www.transcodes.io/docs/web-app-cluster/widget — Widget
- https://www.transcodes.io/docs/web-app-cluster/screenshots — Screenshots
- https://www.transcodes.io/docs/web-app-cluster/cache-strategy — Cache strategy
- https://www.transcodes.io/docs/web-app-cluster/surveillance — Surveillance

### Authentication Cluster
- https://www.transcodes.io/docs/authentication-cluster — Overview
- https://www.transcodes.io/docs/authentication-cluster/installation-guide — Installation guide
- https://www.transcodes.io/docs/authentication-cluster/branding — Branding customization
- https://www.transcodes.io/docs/authentication-cluster/rbac — Role-based access control
- https://www.transcodes.io/docs/authentication-cluster/audit-logs — Audit logs
- https://www.transcodes.io/docs/authentication-cluster/configuration — Configuration
- https://www.transcodes.io/docs/authentication-cluster/step-up-session — Step-up session
- https://www.transcodes.io/docs/authentication-cluster/webhook — Webhook integration
- https://www.transcodes.io/docs/authentication-cluster/backup — Backup methods
- https://www.transcodes.io/docs/authentication-cluster/json-web-key — JSON Web Key
- https://www.transcodes.io/docs/authentication-cluster/api-token — API token (`x-transcodes-token`) for HTTP APIs
- https://www.transcodes.io/docs/authentication-cluster/multi-org — Multi-organization

### API Reference
- https://www.transcodes.io/docs/api-reference — Overview
- https://www.transcodes.io/docs/api-reference/token — Token API
- https://www.transcodes.io/docs/api-reference/member — Member API
- https://www.transcodes.io/docs/api-reference/events — Events API
- https://www.transcodes.io/docs/api-reference/modal — Modal API
- https://www.transcodes.io/docs/api-reference/audit — Audit API
- https://www.transcodes.io/docs/api-reference/init-config — Init & config
- https://www.transcodes.io/docs/api-reference/types — TypeScript types