# Production Readiness Checklist A checklist for deploying Hiyve SDK applications to production. Work through each section before going live. --- ## 1. Security - [ ] **Client secret** (`sk_live_*`) is server-side only, never in client-side code or bundled assets - [ ] **API key** (`pk_live_*`) is server-side for video conferencing apps. May be used client-side only in identity-only apps (via `@hiyve/identity-client`) - [ ] Secret keys (`sk_live_*`) stored in environment variables, not committed to git - [ ] `.env` files added to `.gitignore` - [ ] CORS allowed origins configured via `AdminClient.setAllowedOrigins()` -- restrict to your production domain(s) - [ ] Express CORS middleware configured with explicit origins (not `*`) - [ ] Identity proxy (`/hiyve/identity/*`) running server-side to protect API key from browser exposure - [ ] Auth middleware (`createAuthMiddleware`) protecting sensitive endpoints (token generation, admin routes) - [ ] Using `ENVIRONMENT=production` (not `development`) for production deployment ```javascript // server.js -- production CORS example app.use(cors({ origin: ['https://app.yourcompany.com'], })); ``` --- ## 2. Authentication - [ ] `npx @hiyve/cli login` run on developer machines and CI environments - [ ] Project `.npmrc` uses `${HIYVE_API_KEY}` variable expansion for CI/CD (not hardcoded tokens) - [ ] Token endpoints (`/generate-room-token`, `/generate-cloud-token`) are protected or rate-limited - [ ] CI/CD pipeline sets `HIYVE_API_KEY` environment variable for `npm install` to succeed - [ ] Email verification and TFA settings reviewed for your use case (see [Server Integration Guide](./server-integration.md#email-verification-and-tfa-configuration)). Defaults: both enabled. ```ini # .npmrc -- CI-safe registry configuration @hiyve:registry=https://api.hiyve.dev/registry/ //api.hiyve.dev/registry/:_authToken=${HIYVE_API_KEY} ``` --- ## 3. Device Permissions UX - [ ] Show a permission explanation before the first `getUserMedia` call (browsers show a permission prompt and users may deny it without context) - [ ] Use `` from `@hiyve/react-ui` for camera/mic preview before joining a room - [ ] Handle the case where no camera or microphone is available (e.g., desktop without webcam) - [ ] Handle the permission-denied state -- show instructions for re-enabling in browser settings - [ ] Test on mobile devices (iOS Safari, Android Chrome) -- permission flows differ from desktop --- ## 4. Error Handling - [ ] `` configured with error logging (Sentry, LogRocket, or your monitoring service) - [ ] Connection error UI shown when `useConnection().error` is set - [ ] `` from `@hiyve/utilities` wrapping the video room to catch rendering errors - [ ] Recording and streaming error states handled (`useRecording().error`, `useStreaming().error`) - [ ] Join token error codes handled with user-friendly messages (expired token, invalid password, room full) ```tsx import { ErrorBoundary } from '@hiyve/utilities'; Something went wrong. Please refresh.}> ``` --- ## 5. Network and Performance - [ ] Server deployed in the same region as expected users (reduces WebRTC connection latency) - [ ] `SERVER_REGION` environment variable set to the closest AWS region - [ ] Vite/webpack configured to externalize `@hiyve/*` peer dependencies (prevents double-bundling) - [ ] Tested with throttled network (Chrome DevTools > Network > Slow 3G) to verify degraded-connection behavior - [ ] The SDK auto-relaxes video constraints on poor connections -- no action needed, but verify UX is acceptable --- ## 6. Browser Testing - [ ] Tested on Chrome (primary target) - [ ] Tested on Firefox - [ ] Tested on Safari desktop - [ ] Tested on iOS Safari (no screen share support, no audio output device selection) - [ ] Tested on Android Chrome - [ ] Tested with multiple participants (2, 5, 10+) --- ## 7. Deployment - [ ] Server environment variables set: `APIKEY` (required), `CLIENT_SECRET` (required for video conferencing), `SERVER_REGION`, `SERVER_REGION_URL`, `ENVIRONMENT=production` - [ ] `npm install` succeeds in CI (`.npmrc` has registry auth configured) - [ ] Health check endpoint (`GET /health` on your mounted router) monitored - [ ] HTTPS configured (WebRTC requires a secure context -- `getUserMedia` will not work on HTTP, except `localhost`) - [ ] WebSocket connections allowed by firewall/CDN (required for signaling server communication) ```bash # Minimum server environment variables APIKEY=pk_live_xxx # Required for all apps CLIENT_SECRET=sk_live_xxx # Required for video conferencing only SERVER_REGION=us-east-1 SERVER_REGION_URL=.rtc.muziemedia.com ENVIRONMENT=production ``` --- ## 8. Scaling Considerations These are informational -- no action items required. - Room token generation is lightweight -- one API call per join. - Cloud token generation includes caching. Auto-refresh is handled by the SDK. - Auth middleware caches token verification for 5 minutes (configurable via `cacheTtlMs`). - Recording and transcription are server-side -- no additional client-side load. - SFU architecture handles 50+ participants per room. --- ## 9. Monitoring - [ ] `onError` callback on `` sends errors to your monitoring service - [ ] Health endpoint (`/health` on your mounted router) polled by an uptime monitor - [ ] Connection success/failure rates tracked (log `useConnection()` state changes: `isConnected`, `isConnecting`, `error`) - [ ] Recording start/stop events logged for billing and usage tracking --- ## 10. Common Pitfalls Avoid these frequently encountered issues in production deployments. - **Using `ENVIRONMENT=development` in production.** This points to the wrong cloud API URL. Always set `ENVIRONMENT=production`. - **Exposing `CLIENT_SECRET` in client-side code.** The client secret (`sk_*`) must never appear in browser code. The API key (`pk_*`) can be used client-side only for identity-only apps via `@hiyve/identity-client`; for video conferencing apps, keep both credentials server-side. - **Not setting CORS origins.** Defaults to blocking cross-origin requests. Set explicit origins in both Express middleware and `AdminClient.setAllowedOrigins()`. - **Missing `express.json()` middleware.** Token endpoints expect JSON request bodies and will return 400 without this middleware. - **Forgetting `@emotion/react` and `@emotion/styled` peer dependencies.** Required by `@hiyve/react-ui` (Material UI dependency). Install them alongside the UI package. - **HTTPS required.** WebRTC `getUserMedia` will not work on HTTP except on `localhost`. Deploy behind HTTPS in production. - **Hardcoding registry tokens in `.npmrc`.** Use `${HIYVE_API_KEY}` variable expansion so tokens are not committed to source control.