Security Guide

Security Best Practices

Essential guidelines for implementing okID verification securely. Protect your users and maintain compliance.

Critical: Never expose API keys in client-side code. All API keys should be stored securely on your server and never sent to the browser.

API Key Security

Remember: okID uses a three-tier architecture. Your API key is stored on the frontend server, not in your application code. You never need to handle API keys directly.

Store keys in environment variables

Configure your frontend server with API keys via environment variables, not hardcoded values

API_KEY=your-key-here

Use secure key storage in production

Use platform-specific secret management services:

  • AWS Secrets Manager
  • Azure Key Vault
  • Google Secret Manager
  • HashiCorp Vault

Rotate API keys regularly

Establish a key rotation policy and update keys every 90 days

Never commit keys to version control

Add .env files to .gitignore and use tools like git-secrets to prevent accidental commits

Server Security

Authentication & Authorization

Implement proper authentication before generating verification IDs

    // Verify user is authenticated
    const user = await authenticateUser(req);
    if (!user) {
      return res.status(401).json({ error: 'Unauthorized' });
    }

Track verification attempts per user to prevent abuse

Log all verification generation requests for audit trails

Rate Limiting

Implement rate limiting on verification endpoints

    // Example with express-rate-limit
    const limiter = rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 5, // 5 requests per window
      message: 'Too many verification attempts'
    });
    app.use('/api/generate-verification', limiter);

Consider stricter limits for unauthenticated requests
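
The per-user attempt tracking, audit logging and stricter unauthenticated limit described above can be combined in one middleware. This is an added example, not okID's or this guide's own code. The `req.user` shape, the anonymous limit of 2 and the in-memory store are assumptions made for illustration.

```javascript
const WINDOW_MS = 15 * 60 * 1000;          // same 15-minute window as the limiter above
const LIMITS = { user: 5, anonymous: 2 };  // anonymous value is an assumption, stricter than 5
const attempts = new Map();                // key -> timestamps inside the window (in-memory, one process)
const auditLog = [];                       // stand-in for an append-only audit sink

function checkAttempt(key, kind, now) {
  const recent = (attempts.get(key) || []).filter((t) => now - t < WINDOW_MS);
  const allowed = recent.length < LIMITS[kind];
  if (allowed) recent.push(now);
  attempts.set(key, recent);
  // When blocked, the oldest attempt leaving the window frees the next slot.
  const retryAfterSec = allowed ? 0 : Math.ceil((recent[0] + WINDOW_MS - now) / 1000);
  return { allowed, remaining: LIMITS[kind] - recent.length, retryAfterSec };
}

// Drop keys with no attempts left in the window so the map cannot grow without bound.
function prune(now) {
  for (const [key, times] of attempts) {
    if (times.every((t) => now - t >= WINDOW_MS)) attempts.delete(key);
  }
  return attempts.size;
}

// Express-style middleware factory; `clock` is injectable for testing.
// Assumes an earlier auth step sets req.user to { id } (hypothetical shape).
function makeVerificationGuard(clock = Date.now) {
  return function verificationGuard(req, res, next) {
    const now = clock();
    const kind = req.user ? 'user' : 'anonymous';
    const key = req.user ? `user:${req.user.id}` : `ip:${req.ip}`;
    const result = checkAttempt(key, kind, now);
    // Log every request, allowed or blocked. Never log API keys or verification payloads.
    auditLog.push({ time: new Date(now).toISOString(), key, path: req.path, allowed: result.allowed });
    if (!result.allowed) {
      res.set('Retry-After', String(result.retryAfterSec));
      return res.status(429).json({ error: 'Too many verification attempts' });
    }
    return next();
  };
}
```

Mount the guard after the authentication step on the verification route, and call `prune` on a timer. With more than one server instance, the counters need a shared store instead of the `Map`.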

HTTPS & TLS

Always use HTTPS in production (required for camera access)

Use TLS 1.2 or higher for all API communications

Implement HSTS headers to enforce HTTPS

Data Privacy & GDPR

Ensure compliance with data protection regulations when handling user verification data.

Minimize data collection

Only collect and store verification data necessary for your use case

Implement data retention policies

Set up automatic deletion of verification data after the required period

Provide user consent mechanisms

Use the Terms module to collect explicit consent for data processing

Enable data portability

Provide mechanisms for users to request their verification data

Respect right to erasure

Implement processes to delete user data upon request

Note: okID handles the secure storage of biometric data. Your responsibility is to manage the verification IDs and any additional data you collect.

Frontend Security

Validate verification results server-side

Never trust client-side verification status. Always validate on your server

    // Bad: Trusting client
    if (clientSaysVerified) {
      grantAccess();
    }

    // Good: Server validation
    const isValid = await validateVerification(verificationId);
    if (isValid) {
      grantAccess();
    }

Implement Content Security Policy (CSP)

Add CSP headers to prevent XSS attacks and control resource loading

Use Subresource Integrity (SRI)

When loading SDK from CDN, use SRI to ensure file integrity

Sanitize error messages

Don't expose sensitive information in error messages shown to users

Security Checklist