Deploying Your App

A few things to keep in mind when transitioning from local testing to a deployed application.

When preparing to deploy an application that uses Passage, there are a few things to keep in mind to ensure that it works as intended and is properly secured with Passage.

1. HTTPS

Passage requires TLS and will not work properly over insecure HTTP connections. At a protocol level, the biometric login with Passage requires HTTPS. Additionally, the cookies used for the authentication checks are set as secure cookies (the Secure attribute), which browsers will not set on insecure domains; this prevents session-related security vulnerabilities.

All browsers allow an exception for localhost (for both the secure cookies and the biometric login) to enable easy local testing. Passage recommends adding TLS to your website and updating your application's authentication origin in the Console to match.

2. Securing API Keys

API Keys are critical to the security of your Passage integration, as they grant full access to the user management functionality. When deploying your application to a new environment, we recommend generating a new API Key and storing it in your system's secrets storage.
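
A preflight check covering both points above, as an added example rather than code from Passage: it validates the authentication origin (HTTPS everywhere except localhost), flags session cookies that lack the Secure attribute, and loads the API key from the environment instead of source code. The function names, the `PASSAGE_API_KEY` variable name and the sample values are assumptions made for this example.

```python
import os
from urllib.parse import urlsplit

# Loopback names treated as the local-testing exception (assumed list for this example).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def check_auth_origin(origin, production=True):
    """Return a list of problems with the configured authentication origin."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if not host:
        return [f"{origin!r} is not a valid origin"]
    problems = []
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("origin must be scheme://host[:port] with no path or query")
    is_local = host in LOCAL_HOSTS
    if production and is_local:
        problems.append("origin points at localhost in a deployed environment")
    if parts.scheme != "https" and not is_local:
        problems.append("origin must use https; plain http only works on localhost")
    return problems

def check_session_cookies(set_cookie_headers):
    """Flag Set-Cookie header values that lack the Secure attribute."""
    problems = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        # Attribute names follow the first ';' and are case-insensitive.
        attrs = {a.strip().split("=", 1)[0].lower() for a in header.split(";")[1:]}
        if "secure" not in attrs:
            problems.append(f"cookie {name!r} is missing the Secure attribute")
    return problems

def load_api_key(env=os.environ, var="PASSAGE_API_KEY"):
    """Read the API key from the environment, populated by the secrets store."""
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; inject it from your secrets storage")
    return key
```

Run the origin check with `production=False` in local development so that `http://localhost` origins pass.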
