> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blindcast.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Production Checklist

> Everything to verify before deploying BlindCast to production: auth, CORS, secrets, TLS, rate limiting, and backups.

Run through this checklist before going live. Each item links to the relevant docs page for details.

## Authentication

* [ ] **Enable JWT validation** — Set `AUTH_JWT_SECRET` (HS256) or `AUTH_JWKS_URL` (RS256/ES256) on the key server. Never run without auth in production. See [Configuration](/key-server/configuration).
* [ ] **Validate JWT claims** — Configure the key server to check `aud` (audience) and `iss` (issuer) claims in JWTs to prevent token misuse across services.
* [ ] **Token refresh in player** — Implement a `keyServerAuth` callback that returns a fresh token on each key request. See [Player Authentication](/player/authentication).
* [ ] **Token refresh in uploader** — Pass an `auth` callback to `upload()` that returns a fresh token. See [Uploader Basic Usage](/uploader/basic-usage).
* [ ] **Presign requires auth** — If `ENABLE_PRESIGN=true`, ensure authentication is also enabled. An unauthenticated presign endpoint allows anyone to upload to your S3 bucket. See [Presign Endpoint](/key-server/presign).

## Admin dashboard

* [ ] **Protect `/admin` route** — Add authentication at the reverse proxy layer (auth\_request, forward-auth, or IP allowlist). See [Reverse Proxy](/server/reverse-proxy).
* [ ] **Use `ADMIN_API_KEY` in production** — Set the bootstrap key via environment variable instead of the setup wizard. This eliminates the race condition window during first startup.
* [ ] **Block setup endpoint** — If using a reverse proxy, deny external access to `POST /api/v1/setup`. See the [nginx config example](/server/reverse-proxy#nginx).

## CORS

* [ ] **Set specific origins** — Set `CORS_ORIGINS` to your app's exact domain (e.g., `https://app.example.com`). Never use `*` in production. See [Configuration](/key-server/configuration).
* [ ] **CDN CORS headers** — Configure your CDN to send `Access-Control-Allow-Origin` for HLS segment requests. See [CDN Configuration](/production/cdn).

## Secrets

* [ ] **Store master key securely** — Move `MASTER_KEY_HEX` and `SALT_HEX` from plaintext env vars to a secret manager (AWS Secrets Manager, HashiCorp Vault, Doppler, etc.)
* [ ] **Back up master key + salt** — Losing them means losing access to all encrypted content. Store backups in a separate location from the primary secret store.
* [ ] **Rotate JWT secrets** — Use short-lived JWTs (15-60 minutes). If using HS256, rotate the shared secret periodically.

## Database

* [ ] **Switch to Postgres** — If running multiple key server instances or expecting >100 concurrent viewers, set `DATABASE_URL` to a Postgres connection string. See [Database](/key-server/database).
* [ ] **Connection pooling** — For Postgres, use a connection pooler (PgBouncer, Supabase Pooler) if running 3+ key server instances.
* [ ] **Backups** — Back up the leases table if you rely on lease revocation for access control.

## TLS

* [ ] **TLS on key server** — Terminate TLS at your reverse proxy or load balancer (nginx, Caddy, ALB). The key server itself serves HTTP. See [Reverse Proxy](/server/reverse-proxy).
* [ ] **TLS on CDN** — Serve encrypted segments over HTTPS. Most CDNs do this by default.
* [ ] **TLS on S3** — Use HTTPS for presigned upload URLs. AWS S3 and most compatible services default to HTTPS.

## Rate limiting

* [ ] **Key endpoint rate limiting** — Add rate limiting on `GET /keys/:contentId` at the reverse proxy level. Suggested: 60 requests/minute per IP.
* [ ] **Presign endpoint rate limiting** — If presign is enabled, limit `POST /presign` more aggressively (e.g., 10 requests/minute per user).
* [ ] **Lease creation rate limiting** — Limit `POST /keys/leases` to prevent lease abuse (e.g., 10 requests/minute per user).

## Monitoring

* [ ] **Health check** — Point your load balancer or uptime monitor at `GET /health`. See [Monitoring](/production/monitoring).
* [ ] **Key fetch latency** — Track p50/p95 latency on key requests. Target: under 100ms p95.
* [ ] **Error rates** — Alert on elevated 401/403/500 rates from the key server.
* [ ] **Player metrics** — Call `player.getMetrics()` to track time-to-first-frame, decrypt time, and stall count. See [Player API Reference](/player/api-reference).

## Content delivery

* [ ] **CDN for segments** — Serve encrypted HLS segments from a CDN, not directly from S3. See [CDN Configuration](/production/cdn).
* [ ] **Cache policy** — Segments are immutable (cache forever). Manifests may change (short TTL or no-cache). See [CDN Configuration](/production/cdn).

## Key rotation (optional)

* [ ] **Plan rotation strategy** — If you need to rotate the master key, follow the dual-key deployment process. See [Key Rotation](/production/key-rotation).
