User privacy measures

To guard against potential misuse of the client-side library by bad actors, the SDK has a few restrictions:

  • No user data is shared with the browser until the user has logged in
  • The client may only access data for one user at a time - endpoints such as search users are not available
  • Certain endpoints, such as update user, require step-up or multi-factor authentication in order to be used
  • To prevent account enumeration, the login-or-create endpoints for one-time passcodes and magic links do not return the user_id, as they do when called through the direct API

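To illustrate the enumeration point in the last bullet, here is an added JavaScript example (not Stytch's code): the two direct-API responses are constructed samples for an existing user and a newly created user, and once the client-visible projection withholds user_id, the browser cannot tell which case occurred. Field names other than user_id, and all ids, are placeholders assumed for illustration.

```javascript
// Added example (not Stytch's code). Constructed sample responses in the shape
// a server-side login-or-create call returns: one for a user that already
// existed, one for a user that was just created. Only user_id is a field named
// on the page; request_id and status_code are assumed here for illustration.
const directExistingUser = {
  request_id: "req-placeholder-1",
  status_code: 200,
  user_id: "user-placeholder-existing",
};
const directNewUser = {
  request_id: "req-placeholder-2",
  status_code: 200,
  user_id: "user-placeholder-new",
};

// Allowlist of fields the browser is permitted to see. Using an allowlist
// rather than deleting known-sensitive keys means a field added later on the
// server side is hidden by default instead of leaking by default.
const CLIENT_VISIBLE_FIELDS = ["request_id", "status_code"];

function toClientResponse(directResponse) {
  const out = {};
  for (const field of CLIENT_VISIBLE_FIELDS) {
    if (field in directResponse) out[field] = directResponse[field];
  }
  return out;
}

// True when two responses differ only in fields that carry no information
// about the account (here: the per-call request_id).
function indistinguishable(a, b, ignore = ["request_id"]) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  for (const k of keys) {
    if (ignore.includes(k)) continue;
    if (a[k] !== b[k]) return false;
  }
  return true;
}

// The direct responses reveal which case occurred; the client projection does not.
console.log(indistinguishable(directExistingUser, directNewUser)); // false
console.log(
  indistinguishable(toClientResponse(directExistingUser), toClientResponse(directNewUser)),
); // true
```
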
The JavaScript SDK is not a complete replacement for the Stytch API - they are designed to be used together in order to create secure and low-friction login experiences. Some processes must necessarily happen on your server rather than on the client (for example, validating a session_token).