17 changes: 1 addition & 16 deletions agent-platform/sdk/sdk-end-to-end-auth-setup.mdx
Expand Up @@ -1309,19 +1309,4 @@ Minimum evidence for each selected production scenario:
| WebSocket fails after init succeeds | Browser bundle is old or Redis/ticket store is unavailable. | Use SDK with `sdk-ticket` support and verify Redis Runtime config. |
| `jwe_required` fails closed | Runtime JWE capability is unavailable. | Verify `ENCRYPTION_MASTER_KEY`, `AUTH_SDK_JWE_ENABLED`, and capability route readiness. |

## Security Review Notes

- Public anonymous SDK is not a high-assurance flow. Treat any browser-provided
`userContext` as unverified.
- Runtime-signed Hosted Exchange sends secure attributes to Runtime during
`/api/v1/sdk/customer-sessions`. Use it only when that server-to-server API
call is approved.
- Customer-issued shared-secret JWE avoids the Runtime minting API call but uses
shared scoped secret material on both sides.
- Customer-issued public-key JWE avoids the Runtime minting API call, avoids a
shared encryption secret on the customer side, and provides explicit issuer
authentication through the inner JWS.
- In all Hosted Exchange modes, Runtime still issues the canonical SDK session
token after bootstrap. The customer-issued token is bootstrap-only.
- Do not store sensitive data in logs, URLs, local storage, WebSocket protocols,
or analytics metadata.
---
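Review bot: This hunk removes the whole "Security Review Notes" section of `agent-platform/sdk/sdk-end-to-end-auth-setup.mdx` (the six bullets between the troubleshooting table and the closing `---`) without replacing it or pointing to where the guidance now lives. Those bullets carry the trust-boundary statements a reader of this setup doc needs: that browser-provided `userContext` in the public anonymous SDK is unverified, that the customer-issued token in every Hosted Exchange mode is bootstrap-only while Runtime still issues the canonical session token, and that sensitive data must not land in logs, URLs, local storage, WebSocket protocols, or analytics metadata. If the notes have moved to another document, add a one-line pointer in place of the section so the handling of `userContext` and the bootstrap-only scope of customer-issued tokens stay discoverable from this page; if they were removed as out of date, the commit message should say so, since the only visible addition is the trailing `---` separator.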