User privacy measures

To guard against potential misuse of the client-side library by bad actors, the SDK has a few restrictions:

  • No user data is shared with the browser until the user has logged in

  • The client may only access data for one user at a time - endpoints like search users are not available
  • Certain endpoints, such as update user, require step-up or multi-factor authentication in order to be used
  • To prevent account enumeration, login or create endpoints for one-time passcodes and magic links do not return the user_id as they would when using the direct API

The JavaScript SDK is not a complete replacement for the Stytch API - they are designed to be used together in order to create secure and low-friction login experiences. Some processes must necessarily happen on your server rather than client (for example, validating a session_token).