Use this checklist alongside End-to-end encryption and Encryption model and key lifecycle.

Before you ship

  • Register an OAuth app with E2EE support enabled in the developer portal. Quick Ave does not support E2EE app keys.
  • Request scopes needed for your product (openid, profile, email, offline_access as appropriate).
  • On first authorization for an E2EE-capable app, supply encrypted key material per the E2EE guides; the server stores ciphertext only.

Redirect and URL fragment

  • The plaintext app key is delivered in the #fragment as app_key, not in JSON token bodies.
  • When parsing with URLSearchParams, normalize + before parsing: URLSearchParams decodes + as a space, which corrupts standard base64 (documented in the E2EE guide).
  • finishPkceLogin (@ave-id/sdk/client) merges app_key, then stripSensitiveFragmentParams removes app_key / unwrap-style entries from the hash. AveSession stores the key as appKeyBase64 when you use completeOAuthCallback or setTokensFromResponse.
  • If you parse the fragment yourself, clear it from history with history.replaceState so the key does not stay in the address bar.
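The fragment handling described in the bullets above, as an added example written for this checklist rather than code from @ave-id/sdk (finishPkceLogin and stripSensitiveFragmentParams are the SDK's own; parseFragment, stripSensitiveFragment, decodeAppKey and completeRedirect below are this example's names). It parses the hash with + normalized, reads app_key, scrubs the sensitive entries, and rewrites the history entry with history.replaceState. The window-like object it takes is an assumption so the logic can be exercised outside a browser.

```javascript
// Added example, not code from @ave-id/sdk: handle the OAuth redirect's
// #fragment by hand (parse, read app_key, scrub it from the URL and history).
// Function names below are this example's own.

// Fragment parameter names that must never remain in the address bar.
// The SDK's stripSensitiveFragmentParams also removes unwrap-style entries;
// add those names here if you rely on them.
const SENSITIVE_FRAGMENT_PARAMS = ['app_key'];

// URLSearchParams decodes "+" as a space, which silently corrupts standard
// base64 ("+/" alphabet). Escaping "+" as %2B before parsing keeps it intact.
function toParams(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return new URLSearchParams(raw.replace(/\+/g, '%2B'));
}

// Parse "#a=1&app_key=..." into a plain object of decoded values.
function parseFragment(hash) {
  return Object.fromEntries(toParams(hash));
}

// Return the hash with sensitive entries removed ("" when nothing remains).
function stripSensitiveFragment(hash, names = SENSITIVE_FRAGMENT_PARAMS) {
  const params = toParams(hash);
  for (const name of names) params.delete(name);
  const rest = params.toString();
  return rest ? `#${rest}` : '';
}

// Decode a standard-base64 app key to bytes, rejecting anything that is not
// base64 (a space left by a missed "+" normalization fails here, loudly).
function decodeAppKey(b64) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    throw new Error('app_key is not valid standard base64');
  }
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

// Finish the redirect: pull the key out of the fragment, then replace the
// current history entry so the key is gone from the address bar and from
// back/forward navigation. `win` is window in a browser (injectable for tests).
function completeRedirect(win = globalThis.window) {
  const { hash, pathname, search } = win.location;
  const params = parseFragment(hash);
  if (!params.app_key) throw new Error('redirect fragment did not carry app_key');
  const appKeyBytes = decodeAppKey(params.app_key);
  const cleanedHash = stripSensitiveFragment(hash);
  win.history.replaceState(win.history.state, '', pathname + search + cleanedHash);
  return { appKeyBytes, remainingParams: parseFragment(cleanedHash) };
}
```

Keep the decoded key in memory (or hand it to AveSession) and never write the raw hash to logs or analytics; the replaceState call only helps if it runs before anything else reads location.hash.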

Session vs encryption

  • AveSession persists OAuth tokens and the optional app key for use with getAppKeyBase64(). You still run Web Crypto (AES-GCM, etc.) in your app per the E2EE guides.
  • Keep master key usage and bulk encryption on the client; do not send plaintext app keys to your server for convenience.

Identity isolation

  • Use a separate encrypted data domain per Ave identity (sub / identity UUID). Switching identity must switch key context.
Last modified on April 19, 2026