Deploying Your App
A few things to keep in mind when transitioning from local testing to a deployed application.
When preparing to deploy your application that uses Passage, there a few things to keep in mind to ensure that your application works as intended and is properly secured with Passage.
Passage requires TLS and will not work properly over insecure HTTP connections. At a protocol level, the biometric login with Passage requires HTTPS. Additionally, the cookies used for the authentication checks are set to be
securecookies, which will not get set on insecure domains to prevent session-related security vulnerabilities.
Browsers all allow an exception for localhost (for both the
securecookies and the biometrics login) to enable easy local testing. Passage recommends adding TLS to your website and updating your application's authentication origin to match in the Console.
API Keys are critical for the security of using Passage, as they grant full access to the management functionality of your users. When deploying your application to a new environment, we recommend generating a new API Key and storing it in your system's secrets storage.