Skip to Content

Frequently asked questions

Does the SDK store biometric data on the client?

No. The captured frame is uploaded and discarded; only a synthesised per-origin client identifier persists in localStorage for audit attribution.

Can I run this in React Native, Cordova, or Capacitor?

No. The SDK depends on browser-only APIs — MediaDevices, Worker, <canvas>, and the WebAssembly streaming compiler. Use the platform’s native biometric SDK on mobile.

Why does my token keep expiring?

The SDK sends a short-lived Keycloak bearer token minted by your backend. Short TTLs are expected — the SDK re-requests a fresh token via getToken() whenever the backend returns a 401, so your provider should always be ready to hand back a current token. If tokens expire mid-flow, make sure your backend broker returns a valid, unexpired token each time getToken() is called (cache and refresh on your side). See Authentication.

Does the SDK work in an iframe?

Yes, with two caveats:

  • The parent page’s CSP must allow camera access. Specifically, the iframe needs allow="camera" on its <iframe> tag, and the parent’s permissions-policy header must allow camera.
  • Some browsers prompt the user separately for camera access inside an iframe, even on a same-origin frame.

Can I capture without showing the video?

Yes. The <video> element does not need to be visible; you can position it off-screen with CSS. Do not set display: none — that pauses the stream on most browsers. Use visibility: hidden or position it outside the viewport instead.