FAQ
Frequently asked questions
Everything people ask before — and after — putting POCX in front of a proof of concept.
Getting started
Do evaluators need to create accounts?
No. There are no evaluator accounts and no passwords anywhere. You allowlist their email on the PoC; they enter it at the gate and receive a 6-digit one-time code. That's the entire login.
How long does integration take?
Minutes. Three env vars copied from the PoC's Overview tab, one dependency-free TypeScript file curled into your repo, and a three-line middleware. The docs quickstart walks it end to end.
Does POCX work with my stack?
Next.js 12 through 16, Express, and any Node server that can run a middleware chain. The SDK is a single TypeScript file with zero dependencies, built on Web APIs so it runs on Node and edge runtimes alike.
Can a coding agent set it up for me?
Yes — that’s the recommended path. POCX publishes agent-executable instructions at /llms.txt. Paste one prompt into Claude Code, Codex or Cursor and it wires the env vars, the SDK file and the middleware itself. See the coding-agent tutorial.
Security & privacy
Does POCX see my app's code or data?
No. POCX only handles the front door: identity, terms and sessions. Once an evaluator is through the gate, their traffic goes straight to your app — nothing proxies through POCX.
How are login codes stored?
Codes are SHA-256 hashed at rest, single-use, expire quickly, and requests are rate-limited. Five failed attempts lock the email out. And because there are no passwords, there is no password database to breach.
What if my POCX secret leaks?
Rotate it in the PoC's Settings tab. A new secret is issued immediately and exchanges signed with the old secret stop working at once. Update your app's environment and redeploy — evaluators don't notice a thing.
Can sessions be hijacked?
Sessions live in HttpOnly cookies on your own domain, HMAC-signed so they can't be forged, and revocable server-side. The SDK revalidates against POCX every minute, so a stolen token you revoke dies within ~60 seconds.
What happens if POCX is unreachable?
Evaluators who are already authenticated keep working — their token is verified locally by the SDK. New logins wait until POCX is back. If the SDK can't even resolve its configuration, it fails closed rather than open.
Terms & signatures
Are the e-signatures legally meaningful?
Each signature records the signer's OTP-verified email identity, a timestamp, IP address and user agent, plus a SHA-256 hash of the exact terms text shown — and a signed PDF certificate is emailed to the signer. That's standard electronic-signature evidence. (This is product information, not legal advice.)
Can I use my own legal text?
Yes. Switch the PoC's Terms tab to custom mode and paste your text verbatim. Optional {{PLACEHOLDERS}} — owner entity, client entity, purpose and so on — still resolve if you use them.
What happens when I edit the terms?
Editing under the same version applies only to new signers — existing acceptances stand. Bumping the version forces every evaluator to re-accept before their next request is allowed through, with an optional checkbox to revoke all live sessions immediately.
Where do signed PDFs go?
Two places: emailed to the signer as a PDF certificate the moment they sign, and stored in the PoC's Signatures tab where you can download every record alongside its timestamp, IP, user agent and terms hash.
Evaluator experience
What does an evaluator actually see?
A gate page branded with your PoC's name and color. They enter their email, type the 6-digit code from their inbox, read and sign the Terms of Access, and land in your app. First visit takes under a minute; return visits skip straight through while their session is live.
The code never arrived — now what?
Check spam first. Codes expire after about 10 minutes, so use "Resend code" for a fresh one. If you self-host POCX without a RESEND_API_KEY, mail runs in mock mode — the PoC owner can read every outbound message in the dashboard's Emails tab.
It says "you're not on the access list"?
Only allowlisted emails receive codes. Ask the PoC owner to add your exact address — including the right domain and any plus-alias — in the Evaluators tab.
How long do sessions last?
By default a session lives 24 hours with a 3-hour idle timeout. Both — plus OTP expiry — are configurable per PoC in Settings, and the owner can revoke any session sooner.
Plans & billing
What do I get for free?
Up to 3 evaluator seats per PoC with the full product: hosted branded gate, email OTP, e-signed Terms of Access with PDF certificates, and session control with instant revoke. No card required.
What does Pro add?
US$39 per workspace per month: unlimited evaluator seats and the full audit trail — every OTP request, login, signature and revocation, plus optional in-app page-view events, with CSV export.
What happens if I downgrade?
Nothing breaks. Gates keep working, evaluators above the 3-seat limit keep their access — you just can't add more until you're back under the cap. The audit view locks, but events keep recording underneath, so upgrading again restores the full history.
How do I cancel?
Downgrade anytime from the dashboard. No lock-in, no exit interview — your PoCs stay protected within Free limits.
Question answered? Protect your PoC.
Start free with 3 evaluator seats, or follow the step-by-step tutorials — the first gate takes about five minutes.