Security & Troubleshooting
Security Best Practices
- Never expose API keys in client-side code
  - Always generate tokens on your backend server
  - Store API credentials in environment variables
- Do not include PII in tokens
  - Never include personally identifiable information such as email addresses, full names, phone numbers, or addresses in userAttributes
  - Use anonymous identifiers like user IDs, session IDs, or account numbers
  - This protects user privacy and helps comply with data protection regulations (GDPR, CCPA, etc.)
  - Embedded tokens may be visible in browser URLs or logs
- Use appropriate token expiration times
  - Set timeout based on expected lesson duration
  - Default 2 hours is suitable for most lessons
  - Maximum 24 hours for longer courses
- Include user identification in tokens
  - Use userAttributes to track which user is taking the lesson
  - Include anonymous identifiers like user IDs or session IDs
  - This data is securely embedded in the token
- Validate token ownership
  - The API automatically validates that tokens match the requested lesson
  - Tokens cannot be reused for different lessons
- Use HTTPS
  - Always serve your embedding page over HTTPS
  - Teacharium requires HTTPS for API requests
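One way to enforce the practices above on your backend before requesting a token, as an added example that is not Teacharium's own code. It assumes timeout is expressed in seconds; the lessonId field name, the TEACHARIUM_API_KEY variable name and the PII heuristics are hypothetical.

```javascript
// Added example, not Teacharium code. Assumptions: timeout is in seconds;
// lessonId and TEACHARIUM_API_KEY are hypothetical names.
const DEFAULT_TIMEOUT_S = 2 * 60 * 60; // page: default 2 hours
const MAX_TIMEOUT_S = 24 * 60 * 60;    // page: maximum 24 hours

// Heuristics constructed for this example: attribute names that suggest PII,
// and values shaped like an email address.
const PII_KEY = /e-?mail|name|phone|address/i;
const EMAIL_VALUE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// Returns one finding per offending attribute; an empty array means clean.
function findPii(userAttributes) {
  const findings = [];
  for (const [key, raw] of Object.entries(userAttributes || {})) {
    if (PII_KEY.test(key)) {
      findings.push(`${key}: attribute name suggests PII`);
    } else if (EMAIL_VALUE.test(String(raw))) {
      findings.push(`${key}: value looks like an email address`);
    }
  }
  return findings;
}

// Reads the key from the server's environment so it never ships to the browser.
function loadApiKey(env = process.env) {
  const key = env.TEACHARIUM_API_KEY;
  if (!key) throw new Error("TEACHARIUM_API_KEY is not set");
  return key;
}

// Validates the inputs and returns the body for the backend token request.
function buildTokenRequestBody(lessonId, userAttributes, timeout = DEFAULT_TIMEOUT_S) {
  if (!Number.isInteger(timeout) || timeout <= 0 || timeout > MAX_TIMEOUT_S) {
    throw new Error(`timeout must be between 1 and ${MAX_TIMEOUT_S} seconds`);
  }
  const findings = findPii(userAttributes);
  if (findings.length > 0) {
    throw new Error(`userAttributes rejected: ${findings.join("; ")}`);
  }
  return { lessonId, timeout, userAttributes };
}
```

Because tokens can surface in URLs and logs, rejecting the request outright is safer than silently dropping the offending attribute.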
Troubleshooting
Token Invalid or Expired
Error: “Token verification failed: Token expired”
Solution: Generate a new token. Tokens expire after the specified timeout period.
Lesson Not Found
Error: “Lesson not found or access denied”
Causes:
- The lesson ID is incorrect
- The lesson hasn’t been published
- The lesson belongs to a different organization
Solution: Verify the lesson ID and ensure the lesson is published.
CORS Errors
Error: “Cross-origin request blocked”
Solution: The embed player page includes proper CORS headers. Ensure you’re using the correct base URL and the lesson ID matches the token.
Iframe Not Loading
Causes:
- Content Security Policy (CSP) restrictions on your page
- X-Frame-Options preventing embedding
Solution: Ensure your page allows iframe embedding:
<meta
http-equiv="Content-Security-Policy"
content="frame-src 'self' https://www.teacharium.io"
/>