Frequently asked questions
Does the SDK store biometric data on the client?
No. The captured frame is uploaded and discarded; only a synthesised per-origin client identifier persists in localStorage for audit attribution.
Can I run this in React Native, Cordova, or Capacitor?
No. The SDK depends on browser-only APIs — MediaDevices, Worker, <canvas>, and the WebAssembly streaming compiler. Use the platform’s native biometric SDK on mobile.
Why does my token keep expiring?
The SDK sends a short-lived Keycloak bearer token minted by your backend. Short TTLs are expected — the SDK re-requests a fresh token via getToken() whenever the backend returns a 401, so your provider should always be ready to hand back a current token. If tokens expire mid-flow, make sure your backend broker returns a valid, unexpired token each time getToken() is called (cache and refresh on your side). See Authentication.
Does the SDK work in an iframe?
Yes, with two caveats:
- The parent page’s CSP must allow camera access. Specifically, the iframe needs
allow="camera"on its<iframe>tag, and the parent’spermissions-policyheader must allow camera. - Some browsers prompt the user separately for camera access inside an iframe, even on a same-origin frame.
Can I capture without showing the video?
Yes. The <video> element does not need to be visible; you can position it off-screen with CSS. Do not set display: none — that pauses the stream on most browsers. Use visibility: hidden or position it outside the viewport instead.