
Deploy to Production

This document outlines the key considerations and steps for deploying Descope in a production environment.

Pre Deployment Checklist - Project Level

This section of the pre-deployment checklist covers configurations that should be done at the Descope project level.

1. Set Up Custom Domain

Configure your custom domain, including creating a DNS record, updating base & base static url in your code, etc. For more details on how to set up a custom domain, check out our custom domain guide.

2. Configure Approved Domains

In project settings, configure the list of approved domains that Descope is allowed to redirect to, for example after a magic link, OAuth or SSO flow completes. If the list is left empty, redirect URLs are not validated at all, which leaves the flow open to open-redirect abuse: an attacker can craft a link that passes through your authentication flow and then sends the user on to a domain they control. Treat the empty setting as a misconfiguration, not a default. For more details on how to set up approved domains, refer to this doc.
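The project-level setting above is enforced by Descope; the following is an added example, not Descope's own code, of the same allowlist check done on the application side for any redirect target your own code builds or accepts from a query parameter. The hostnames in the allowlist are constructed for illustration. Unlike the empty project setting, this version fails closed: an empty allowlist approves nothing.

```javascript
// Added example (not Descope SDK code): application-side redirect allowlist.
// Patterns are exact hostnames or "*.suffix" wildcards; hostnames below are
// constructed for illustration.
const APPROVED_DOMAINS = ["app.example.com", "*.example.com"];

// "*.example.com" matches "a.example.com" and "a.b.example.com" but not
// "example.com" itself and not "notexample.com" (the dot is required).
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

function isApprovedRedirect(target, approved = APPROVED_DOMAINS) {
  // Fail closed: no allowlist means no redirect, rather than "no validation".
  if (!Array.isArray(approved) || approved.length === 0) return false;

  let url;
  try {
    // Parse with no base URL so relative paths and protocol-relative
    // targets like "//evil.com" are rejected instead of silently resolved.
    url = new URL(target);
  } catch {
    return false;
  }
  // Only https; this also rejects "javascript:" and "data:" targets, which
  // the URL parser accepts happily.
  if (url.protocol !== "https:") return false;
  // Reject userinfo: "https://app.example.com@evil.com" looks approved at a
  // glance but its hostname is evil.com.
  if (url.username || url.password) return false;

  const host = url.hostname.toLowerCase();
  return approved.some((p) => hostMatches(host, p.toLowerCase()));
}

// Use the validated target or fall back to a fixed safe landing page.
function safeRedirect(target, fallback = "https://app.example.com/") {
  return isApprovedRedirect(target) ? target : fallback;
}
```

Suffix matching is done on the parsed hostname, never on the raw string, so "https://app.example.com.evil.com/" and "https://evil.com/?next=app.example.com" are both rejected.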

3. Configure SMS/Email Messaging Connectors

Descope provides the first 100 SMS messages used for authentication each month. To prevent authentication failures once this limit is reached, it is critical to set up your own messaging connectors before deploying to production. Configuring connectors for both SMS and email also lets you create custom message templates with your own branding.

4. Disable Static OTP Codes

If you have enabled static OTP codes for your test users, disable them before deploying to production; otherwise anyone who knows the test credentials can sign in with a fixed code.

If you must keep static OTP enabled in production (for example so app-store reviewers can sign in to a test account), monitor the audit events for static OTP usage so that any sign-in with a static code outside the expected accounts is detected promptly.

5. Configure Custom OAuth Providers

Descope comes pre-configured with a default Descope authentication account for each OAuth provider to make developing and testing easier. However, you cannot customize the OAuth sign-in page with your branding when using the default provider. Make sure to set up custom providers to use in your production environment.

6. Configure Cookie Policy

Configure your cookie policy, as described in our cross-site cookie policy guide, to ensure cookies are handled the best way for your use case.

7. Block Self-Registration Sign Up

Block self-registration if your application should not let users create accounts on their own. Users will then be able to sign in only after they have been invited, or if they belong to a domain for which self-registration is enabled at the tenant level.

8. Configure Audit Log Streaming

Descope stores audit history for 30 days. If you need access to audits for a longer period, use a connector to replicate the audit trail: an audit webhook connector sends audit events to your own API, and audit streaming connectors such as Sumo Logic, Datadog and AWS S3 collect the logs for retention and analytics.

9. Create Production Project

Typically, you want to have separate Descope projects for your development, staging, and production environments. To learn how to clone your development project and set up additional environments, check out our managing environments doc.

Pre Deployment Checklist - Application Level

This section of the pre-deployment checklist covers configurations that should be done at your application level.

1. Remove Console Log Messages

Make sure all console log messages are removed so that sensitive information such as emails or passwords is not leaked to the browser console, where it is visible to anyone with access to the device and to browser extensions. The Descope SDKs route their messages through a logger component that can be configured to ignore the info logs.
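As an added example, not code from the Descope SDKs, here is a production logger that drops debug and info output and redacts emails, JWT-shaped tokens and known secret fields from anything that is still logged. The method names (debug, log, warn, error) are an assumption about the shape of the logger object the SDK accepts; check the logger option of the SDK version you use before wiring it in.

```javascript
// Added example (not Descope SDK code). The debug/log/warn/error method set
// is an assumed logger interface; verify it against your SDK version.
const EMAIL_RE = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;
// Compact JWTs are base64url-encoded JSON, so the header segment starts "eyJ".
const JWT_RE = /\beyJ[\w-]*\.[\w-]+\.[\w-]+/g;
// Object keys whose values are never worth logging (compared case-insensitively).
const SECRET_KEYS = new Set(["password", "otp", "code", "token", "sessionjwt", "refreshjwt"]);

// Recursively redact strings, arrays and plain objects; other values pass through.
function redact(value) {
  if (typeof value === "string") {
    return value.replace(EMAIL_RE, "[email]").replace(JWT_RE, "[jwt]");
  }
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.has(k.toLowerCase()) ? "[redacted]" : redact(v);
    }
    return out;
  }
  return value;
}

// Build a logger for production: info-level chatter is discarded, and the
// warn/error messages that remain are redacted before reaching the sink
// (console by default, or your own log shipper).
function makeProductionLogger(sink = console) {
  const forward = (level) => (message, ...args) =>
    sink[level](redact(message), ...args.map(redact));
  return {
    debug: () => {},
    log: () => {},
    warn: forward("warn"),
    error: forward("error"),
  };
}
```

Redaction here is a backstop: the primary fix is to not log identifiers or credentials at all. The pattern-based scrubbing catches the cases that slip through, such as an error object whose message embeds the user's email.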

2. Limit API Calls

To avoid hitting the API rate limit, make sure your app issues the fewest requests its needs actually require, for example by not re-validating a session on every render. Prefer the Descope SDKs, which have a higher rate limit, wherever possible. To learn more about rate limits, refer to our rate limit doc.
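Two application-side techniques that cut request volume and survive the limit when it is hit, as an added example rather than Descope SDK code: coalescing identical concurrent calls so several components asking the same question at once produce one request, and retrying a 429 response with a bounded delay that honours the standard Retry-After header. The 429/Retry-After handling follows the HTTP convention; whether and how Descope sets that header on its own rate-limit responses is not stated on this page, so the fallback backoff is there for the case where it is absent. The function names and the fetch-like response shape are assumptions for the example.

```javascript
// Added example (not Descope SDK code): request coalescing plus bounded
// retry on HTTP 429. `fn` stands in for whatever call reaches the Descope API
// and is assumed to resolve to a fetch-like { status, headers } object.
const inFlight = new Map();

// Coalesce: while a call keyed by `key` is pending, every caller gets the
// same promise instead of issuing a duplicate request.
function dedupe(key, fn) {
  if (inFlight.has(key)) return inFlight.get(key);
  const p = Promise.resolve()
    .then(fn)
    .finally(() => inFlight.delete(key));
  inFlight.set(key, p);
  return p;
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Retry on 429 only. Delay comes from Retry-After (seconds) when present,
// otherwise exponential backoff; both are capped so a hostile or broken
// header cannot stall the app, and attempts are bounded so we never loop.
async function withRateLimitRetry(fn, { maxAttempts = 3, maxDelayMs = 5000 } = {}) {
  for (let attempt = 1; ; attempt += 1) {
    const res = await fn();
    if (res.status !== 429 || attempt >= maxAttempts) return res;
    const retryAfter = Number(res.headers?.get?.("retry-after"));
    const delay = Number.isFinite(retryAfter) && retryAfter > 0
      ? Math.min(retryAfter * 1000, maxDelayMs)
      : Math.min(250 * 2 ** (attempt - 1), maxDelayMs);
    await sleep(delay);
  }
}

// Combined wrapper: one in-flight request per key, each with retry on 429.
function callWithLimits(key, fn, opts) {
  return dedupe(key, () => withRateLimitRetry(fn, opts));
}
```

Only 429 is retried; a 401 or 403 from a validation call is a real answer and retrying it just burns quota. Keys should describe the request and its inputs (for example the operation name plus a hash of the token), not be a single global key, or unrelated calls will be incorrectly merged.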

3. Set Up Automated Testing

Ensure that you have thoroughly tested all essential use cases of your application and its integrations across the devices and browsers your end users may use. We have guides for automated testing with Cypress and Playwright.

Security Best Practices

Check out our security best practices doc for guidelines on how to protect your resources and applications from vulnerabilities.
