How to Deploy to Production
This document outlines the key considerations and steps for deploying Descope in a production environment.
Pre Deployment Checklist
- Have your custom domain configured, including creating a DNS record, updating the base URL in your code, etc. For more details on how to set it up, please refer here.
- Ensure all sensitive information is properly secured and not exposed in code repositories. It's crucial to avoid hard-coding sensitive or environment-specific values such as project IDs, redirect URLs, or API keys. Instead, adopt more flexible and secure approaches such as dynamic configuration, parameterization, or environment variables to enhance your application's security.
- Descope provides the first 100 SMS messages used for OTP authentication per month. If a project reaches that threshold, users will no longer be able to send additional text messages and customers will be unable to log in using SMS OTP. To continue using SMS, make sure to create your own messaging connectors and configure customized templates. For more information, refer to the guides here.
- When configuring your application, carefully review and verify the URLs in your allowed callbacks and logout redirect URLs to ensure they are accurate, complete, and do not include localhost. This step is fundamental to maintaining the security and proper functionality of your authentication flow.
- Make sure all console log messages are removed to ensure no critical information like an email address or password is leaked. The logger component in Descope SDKs contains these messages and can be set to ignore the info logs.
- To avoid hitting the API rate limit, ensure your app is optimized to make as few requests as its needs allow. To learn more about rate limits, please refer to this documentation.
- Set or turn on a password policy that enforces strong password requirements, including a minimum length of at least 5 characters and a combination of uppercase and lowercase letters, numbers, and special characters, while also incorporating measures such as password history, maximum password age, and account lockout thresholds to enhance overall account security and protect against unauthorized access. For more details on policy setup, refer to this doc.
- If using a custom OAuth provider connection, make sure to obtain your own URL for social app registration along with details such as the Client ID and Secret to personalize the login process. For more info, refer here.
- Ensure all the domain and subdomain configurations have been set correctly. For information on the cross-site cookie policy related to the Domain and SameSite attributes, refer here.
- Block user sign-up if your application needs to restrict users from creating accounts on their own. Instead, have users sign in only after they have been invited. Follow this doc to read more about how to set this up.
- If SSO has been enabled, make sure to provide accurate connection details along with non-expired certificates. SSO configuration details can be found here.
- In Descope, when you sign up or in with OAuth, the OAuth sign-in page will not be personalized to your website domain by default. Descope comes pre-configured with a Descope authentication account for each OAuth provider. The default Descope app is intended for development and testing environments, not for production applications. Once in production, please set up your custom social application for use in your production environment. Make sure to have accurate credentials for the Client ID and Client Secret. For more information on this, refer to this section of our guide.
- Ensure that you have a dedicated support email address configured to facilitate communication with your company or organization's support team. This practice is not only essential for providing timely assistance to users but also serves as a best practice for managing your production tenant deployment effectively.
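Several items in the checklist above (settings supplied through environment variables rather than hard-coded, no localhost or non-public hosts in allowed callback and logout redirect URLs, and no verbose logging left on in production) can be checked mechanically before a project is promoted. The following pre-deployment lint is an added example, not Descope's own code or SDK API; the environment variable names (DESCOPE_PROJECT_ID, DESCOPE_MANAGEMENT_KEY, APP_BASE_URL), the sample configuration and the log level names are assumptions constructed for the example.

```python
"""Pre-deployment configuration lint (added example, not Descope's own code).

Checks three items from the pre-deployment checklist:
  1. required settings are present in the environment (no hard-coded defaults)
  2. allowed callback / logout redirect URLs are absolute https URLs that do
     not point at localhost, loopback, private or link-local addresses
  3. the application log level is not left at a verbose setting
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed names; adapt to whatever your deployment actually reads.
REQUIRED_ENV = ("DESCOPE_PROJECT_ID", "DESCOPE_MANAGEMENT_KEY", "APP_BASE_URL")

# Host names that must never appear in a production redirect allow-list.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def missing_env(env):
    """Return the names of required settings that are absent or blank."""
    return [name for name in REQUIRED_ENV if not env.get(name, "").strip()]


def redirect_url_problems(url):
    """Return a list of problems with one allowed-callback or logout-redirect URL."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    host = parts.hostname or ""
    if not host:
        problems.append("no host")
    elif host in LOOPBACK_HOSTS or host.endswith(".localhost"):
        problems.append("points at localhost")
    else:
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
                problems.append("points at a non-public address")
        except ValueError:
            pass  # a DNS name rather than a literal IP address; fine
    if "*" in url:
        problems.append("contains a wildcard")
    if parts.fragment:
        problems.append("contains a fragment")
    return problems


def log_level_problem(level):
    """Flag verbose log levels that could leak emails or tokens into production logs."""
    if level.strip().upper() in {"TRACE", "DEBUG", "INFO"}:
        return f"log level {level!r} is too verbose for production"
    return None


def lint_config(env, callback_urls, logout_urls, log_level):
    """Run every check and return a list of finding strings (empty means clean)."""
    findings = [f"missing environment variable {name}" for name in missing_env(env)]
    for kind, urls in (("callback", callback_urls), ("logout redirect", logout_urls)):
        for url in urls:
            for problem in redirect_url_problems(url):
                findings.append(f"{kind} URL {url!r}: {problem}")
    level_problem = log_level_problem(log_level)
    if level_problem:
        findings.append(level_problem)
    return findings


# Constructed sample input: a development-style configuration about to be promoted.
SAMPLE_ENV = {"DESCOPE_PROJECT_ID": "P2_placeholder", "APP_BASE_URL": "https://app.example.com"}
SAMPLE_CALLBACKS = ["https://app.example.com/auth/callback", "http://localhost:3000/auth/callback"]
SAMPLE_LOGOUT = ["https://app.example.com/", "https://10.0.0.5/logout"]

if __name__ == "__main__":
    findings = lint_config(SAMPLE_ENV, SAMPLE_CALLBACKS, SAMPLE_LOGOUT, "debug")
    for finding in findings:
        print("FINDING:", finding)
    print("clean" if not findings else f"{len(findings)} finding(s); do not deploy")
```

Run against the constructed sample, the lint reports the missing management key, the http and localhost problems with the second callback URL, the private address in the logout URL, and the debug log level. Wire `lint_config` into the CI step that promotes a staging project so a configuration with any finding cannot reach production.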
Deployment Stage
- Have a Descope staging project that mirrors production by cloning your development project. This step usually follows once all development is completed in your non-production environment. Descope makes it easy to manage these projects. Follow this guide to learn all about importing, exporting, and cloning a project in Descope.
- Ensure that you have thoroughly tested all essential use cases of your application and integrations across all devices that your end-user population may utilize. We have guides for automated testing with Cypress and Playwright.
- Project Tagging: Descope supports setting tags for projects. This allows a Descoper to set one or more tags that describe the project. These tags can be used across all projects within the company. For a production project, you would add a production tag or any tag which best describes the production project. This is helpful so you can differentiate it from a development or staging project, for example. This setting can be found in your Project settings in the Descope console.
- For a seamless transition from development or staging to production, Descope supports a full CI/CD solution. Follow here for a dedicated guide on our CI/CD implementation.
Post Deployment
Audit streaming
Descope stores audit history for a limited time of 30 days. Additionally, if you wish to have access to audits for an extended period, we offer a few ways of replicating the audit trail. Descope provides audit webhook connectors to send audit events to your own API, as well as audit streaming connectors such as Sumo Logic, Datadog, and AWS S3 to collect logs for analytics. Find more on implementing these connectors in this section.
Configure SSO for Descompany
To control access and streamline authentication into Descope's company (now called Descompany), admins can set up SSO for their company under Company settings. Please refer to this guide to see how it's configured.
Security Best Practice
Descope provides guidelines on how to protect your resources and applications from vulnerabilities. Some of these best practices include using access keys, restricting the scope of management keys, using approved domains, restricting self sign-ups when building your website with Descope, and several other measures. A detailed guide on these can be found here.