Security basics: JWTs, CORS, and what leaves your phone
Security here is split between the mobile client and the server defaults: VocatAI prompts explicitly before a feature uses the network, while the backend enforces authentication and rate limits on every request that reaches it.
JWT claims
Tokens carry a subject identifier and a claim marking whether the holder is a guest. The translate route resolves the caller from those verified claims and uses the result to pick the usage counters and history tables it reads and writes, so guest and registered traffic are metered and stored separately. Resolution happens only after the signature and expiry check pass; an unverified token never selects a table.
CORS boundaries
When CORS_ORIGINS is empty, Express allows any browser origin, which is convenient while iterating locally but not a setting to deploy with. When you set a comma-separated list, a browser request's Origin header must match one entry exactly (scheme, host and port). Mobile binaries are generally unaffected: CORS is enforced by the browser, not the server, so a native client sends no preflight and never has a response withheld from it. For the same reason the list is not an authentication control; a request from an unlisted origin is still processed, the browser just refuses to expose the response. The JWT check is what actually gates the route.
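The two behaviours described above (empty list versus explicit list, and browser versus native client), as an added example that is not VocatAI's own middleware. It assumes the list is split on commas with surrounding whitespace trimmed, and stands in a trivial "route" for the real translate handler to show that a denied origin still gets a response body.

```javascript
// Added example (not VocatAI's code): the origin decision CORS_ORIGINS implies,
// plus a stand-in route to show that CORS never blocks the server from answering.
// Assumption: entries are comma-separated and whitespace around them is ignored.
function parseCorsOrigins(env) {
  return (env || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Decide which CORS headers (if any) to attach for this request.
function corsDecision(req, corsOriginsEnv) {
  const allowed = parseCorsOrigins(corsOriginsEnv);
  const origin = req.headers.origin; // absent for native apps, curl, server-to-server
  const headers = {};
  if (allowed.length === 0) {
    headers["Access-Control-Allow-Origin"] = "*";   // empty list: any browser origin
  } else if (origin && allowed.includes(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // reflect only an exact match
    headers["Vary"] = "Origin";                      // keep caches from leaking one origin's grant to another
  }
  // Preflight: a browser asks before sending Authorization cross-origin, so the
  // allowed headers must name it or the JWT never reaches the route.
  if (req.method === "OPTIONS" && headers["Access-Control-Allow-Origin"]) {
    headers["Access-Control-Allow-Methods"] = "GET,POST,OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Authorization,Content-Type";
    return { status: 204, headers };
  }
  return { status: null, headers }; // null: not a preflight, let the route run
}

// Stand-in for the real route: it still executes whatever the CORS outcome was.
function handle(req, corsOriginsEnv) {
  const cors = corsDecision(req, corsOriginsEnv);
  if (cors.status) return cors;
  return { status: 200, headers: cors.headers, body: "translated" };
}

module.exports = { parseCorsOrigins, corsDecision, handle };
```

Note what the unlisted-origin case returns: a 200 with a body and no `Access-Control-Allow-Origin`. A browser discards that response, a native app or curl reads it, which is why authentication has to live in the JWT check rather than in this list.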
HTTP hardening
The backend ships a security-headers middleware appropriate for an API. Pair it with TLS termination at your edge, and never commit real secrets: the JWT signing secret and any API keys belong in environment variables or a secret manager in deployment, not in the repository.