Production Best Practices

What to get right before you put video calls in front of real users — security, mobile, browser permissions, and more.

The Scenario That Explains Why This Matters

You launched the consultation feature. A CA reports: "My client clicked 'Join Call' and the room said 'access denied.'" Another says: "It worked on Chrome but not on their iPhone Safari." A third: "The client's camera didn't turn on and there was no message telling them why."

Each of these is a real production issue that gets reported in the first week of launch if you don't prepare for it. This page covers what to get right before real users touch the feature.

Rule 1 — Always Create Rooms Server-Side

This is not optional. It is the foundational security rule for any video API.

Why: Your Daily.co API key, if exposed in frontend code, allows anyone to:

Create unlimited rooms on your account (run up your bill)
Delete existing rooms mid-call
Access your usage data and logs

The correct architecture:

The browser never touches Daily.co directly. The edge function holds the API key. The browser only ever receives a room URL (not the key) in response.

Never do this:

Rule 2 — Use Expiring Rooms

Every consultation room must have an exp property set. No exceptions.

Why: Without expiry, rooms accumulate forever. More critically, a persistent room can be re-joined by anyone who still has the URL — including former clients, or anyone the URL was accidentally shared with.

The right formula: expiry = appointment end time + 30 minutes grace period

The 30-minute buffer is for sessions that run slightly over time. Without it, a 60-minute consultation might cut out at exactly 60:00 if the room expires on the dot.

Rule 3 — Participant Tokens for Authenticated Rooms

Room URLs alone are not access control. Anyone with the URL can join. For professional consultations with sensitive content, issue participant tokens.

A participant token is a short-lived, single-use credential that Daily.co validates before letting someone into the room. It's like a boarding pass — the gate won't open without it, even if you know the flight number.

Creating a token (from your edge function):

On the frontend, append the token to the URL:

With tokens enabled, the room URL alone does nothing — the token is required to enter.

Rule 4 — Handle Camera and Microphone Permission Errors Gracefully

This is the most common user complaint in the first week of any video feature.

What happens: When the browser requests camera/mic access, the user can deny it. Or their device might not have a camera. Or a browser extension is blocking it. In any of these cases, the call looks broken without explanation.

Detect the issue and show a helpful message:

Rule 5 — Mobile Browser Compatibility

Video in mobile browsers has specific requirements. Know these before launch.

iOS Safari (iPhone and iPad):

Camera and microphone require a user gesture to activate (a tap, a button click). You cannot auto-start video on page load.
Implement a "Join Call" button that the user must explicitly press — never auto-start.
Safari on iOS 14.5+ supports WebRTC properly. Older versions have issues. Daily.co's SDK handles this better than Jitsi.
Test on an actual iPhone, not just Chrome DevTools mobile simulation.

Android Chrome:

Generally well-supported.
Requires HTTPS — HTTP will block camera access entirely.
Test at production URL (Vercel), not localhost.

Recommendation for mobile in production apps:

Rule 6 — Test at the Production URL Before Launch

Camera and microphone APIs require HTTPS. This means:

http://localhost:3000 — Chrome usually works, Safari will refuse
https://yourapp.vercel.app — works on all browsers
Production custom domain (https://yourapp.com) — works on all browsers

Before showing the feature to any user: deploy to Vercel and test the entire video flow from the Vercel URL. Do not assume that "it worked on localhost" means it will work in production.

The three things to test:

Camera permission request appears (not silently failing)
Video room loads correctly after permission is granted
A second browser/device can join the same room

In India, recording a conversation without the consent of all parties is a legal concern. Before enabling recording features:

Show a clear banner: "This call may be recorded."
Require explicit consent (a checkbox during scheduling)
Store consent records in your database with a timestamp

This is non-negotiable for CA-client, doctor-patient, or lawyer-client consultations.

Testing Checklist Before Going Live

Security

API key is in Supabase secrets, not frontend code
Rooms have exp set to appointment end time + 30 min
Participant tokens issued for sensitive consultations
Room URL not guessable (not based on sequential appointment IDs)

User Experience

Permission error message is clear and actionable
Mobile shows a tap-to-join button (not auto-load)
Works on Chrome, Firefox, and Safari
Tested at the production HTTPS URL

Reliability

Room creation failure shows an error (not a broken page)
If the room expires, the user sees a clear message
Joining as a second participant works (tested with two devices)

The Scenario That Explains Why This Matters

Each of these is a real production issue that gets reported in the first week of launch if you don't prepare for it. This page covers what to get right before real users touch the feature.

Rule 1 — Always Create Rooms Server-Side

This is not optional. It is the foundational security rule for any video API.

Why: Your Daily.co API key, if exposed in frontend code, allows anyone to:

Create unlimited rooms on your account (run up your bill)
Delete existing rooms mid-call
Access your usage data and logs

The correct architecture:

The browser never touches Daily.co directly. The edge function holds the API key. The browser only ever receives a room URL (not the key) in response.

Never do this:

Rule 2 — Use Expiring Rooms

Every consultation room must have an exp property set. No exceptions.

The right formula: expiry = appointment end time + 30 minutes grace period

The 30-minute buffer is for sessions that run slightly over time. Without it, a 60-minute consultation might cut out at exactly 60:00 if the room expires on the dot.

Rule 3 — Participant Tokens for Authenticated Rooms

Room URLs alone are not access control. Anyone with the URL can join. For professional consultations with sensitive content, issue participant tokens.

Creating a token (from your edge function):

On the frontend, append the token to the URL:

With tokens enabled, the room URL alone does nothing — the token is required to enter.

Rule 4 — Handle Camera and Microphone Permission Errors Gracefully

This is the most common user complaint in the first week of any video feature.

Detect the issue and show a helpful message:

Rule 5 — Mobile Browser Compatibility

Video in mobile browsers has specific requirements. Know these before launch.

iOS Safari (iPhone and iPad):

Camera and microphone require a user gesture to activate (a tap, a button click). You cannot auto-start video on page load.
Implement a "Join Call" button that the user must explicitly press — never auto-start.
Safari on iOS 14.5+ supports WebRTC properly. Older versions have issues. Daily.co's SDK handles this better than Jitsi.
Test on an actual iPhone, not just Chrome DevTools mobile simulation.

Android Chrome:

Generally well-supported.
Requires HTTPS — HTTP will block camera access entirely.
Test at production URL (Vercel), not localhost.

Recommendation for mobile in production apps:

Rule 6 — Test at the Production URL Before Launch

Camera and microphone APIs require HTTPS. This means:

http://localhost:3000 — Chrome usually works, Safari will refuse
https://yourapp.vercel.app — works on all browsers
Production custom domain (https://yourapp.com) — works on all browsers

Before showing the feature to any user: deploy to Vercel and test the entire video flow from the Vercel URL. Do not assume that "it worked on localhost" means it will work in production.

The three things to test:

Camera permission request appears (not silently failing)
Video room loads correctly after permission is granted
A second browser/device can join the same room

In India, recording a conversation without the consent of all parties is a legal concern. Before enabling recording features:

Show a clear banner: "This call may be recorded."
Require explicit consent (a checkbox during scheduling)
Store consent records in your database with a timestamp

This is non-negotiable for CA-client, doctor-patient, or lawyer-client consultations.

Testing Checklist Before Going Live

Security

API key is in Supabase secrets, not frontend code
Rooms have exp set to appointment end time + 30 min
Participant tokens issued for sensitive consultations
Room URL not guessable (not based on sequential appointment IDs)

User Experience

Permission error message is clear and actionable
Mobile shows a tap-to-join button (not auto-load)
Works on Chrome, Firefox, and Safari
Tested at the production HTTPS URL

Reliability

Room creation failure shows an error (not a broken page)
If the room expires, the user sees a clear message
Joining as a second participant works (tested with two devices)

Production Best Practices

The Scenario That Explains Why This Matters

Rule 1 — Always Create Rooms Server-Side

Rule 2 — Use Expiring Rooms

Rule 3 — Participant Tokens for Authenticated Rooms

Rule 4 — Handle Camera and Microphone Permission Errors Gracefully

Rule 5 — Mobile Browser Compatibility

Rule 6 — Test at the Production URL Before Launch

Testing Checklist Before Going Live

Security

User Experience

Reliability

On this page

Production Best Practices

The Scenario That Explains Why This Matters

Rule 1 — Always Create Rooms Server-Side

Rule 2 — Use Expiring Rooms

Rule 3 — Participant Tokens for Authenticated Rooms

Rule 4 — Handle Camera and Microphone Permission Errors Gracefully

Rule 5 — Mobile Browser Compatibility

Rule 6 — Test at the Production URL Before Launch

Testing Checklist Before Going Live

Security

User Experience

Reliability

On this page