Tutorials
Tutorials
Six step-by-step guides that take you from a bare app to a protected PoC with signed terms, revocable sessions and an evidence trail.
1. Protect a Next.js app end-to-end~10 min
The full journey: create a PoC, wire the SDK into a Next.js app, then walk through the gate yourself as an evaluator so you know exactly what your client will see.
Sign up
Go to /signup and enter your email. POCX sends a 6-digit code — no password to invent, none to leak. Enter the code and you land in the dashboard.Create the PoC
Click New PoC in the dashboard and fill in the fields. Each one does real work:- Name — shown on the hosted gate and substituted into the terms as
{{POC_NAME}}. - Owner entity + registration number — your company, named as the IP owner throughout the Terms of Access.
- Client entity — the organisation evaluating the PoC; bound by the terms alongside the individual signer.
- Purpose — narrows what evaluators are allowed to use the PoC for (“solely for the purpose of …”).
- Brand color — the accent color of the hosted gate, so the login page looks like yours, not ours.
- Name — shown on the hosted gate and substituted into the terms as
Copy the three env vars
Open Dashboard → your PoC → Overview and copy the credentials into.env.localin your app:.env.localPOCX_URL=https://pocx-production.up.railway.app POCX_PROJECT_KEY=pocx_pk_… POCX_SECRET=pocx_sk_… # server-side only — never expose to the browserDownload the SDK
One dependency-free TypeScript file, straight into your project:terminalcurl -o lib/pocx.ts https://pocx-production.up.railway.app/sdk/pocx.tsWire the gate
Createproxy.tsat the project root (Next.js 16). On Next.js 15 and earlier, name the filemiddleware.tsand exportmiddlewareinstead ofproxy:proxy.tsimport { createPocxGate } from "./lib/pocx"; const gate = createPocxGate(); export const proxy = gate.nextProxy(); export const config = { matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"], };Set the protected app URL
In Dashboard → your PoC → Settings, set Protected app URL to where your app runs (e.g. its deployment URL). The gate only ever redirects evaluators back to this registered URL — it’s what makes the return leg of the flow safe.Invite yourself as an evaluator
Go to Dashboard → your PoC → Evaluators and add your own email. Only allowlisted emails ever receive a login code — everyone else gets a polite dead end. The Free plan includes 3 evaluator seats per PoC; Pro removes the cap.Test the full flow
Open your app in a private/incognito window. You should be 307-redirected to the gate athttps://pocx-production.up.railway.app/gate/<slug>. Enter your email, type the 6-digit code from your inbox, read and e-sign the Terms of Access, and land back in your app with a live session. Then check Dashboard → your PoC → Sessions and Signatures — you’ll see your own session and your signed terms record, exactly as you’ll later see your evaluators’.
2. Protect an Express app~5 min
Same PoC, same three env vars, same single SDK file — Express just mounts it as middleware instead of a proxy.
Reuse steps 1–4 above
Create the PoC, copyPOCX_URL,POCX_PROJECT_KEYandPOCX_SECRETinto your server’s environment, and curl the SDK intolib/pocx.ts.Mount the middleware before your routes
Everything registered after the gate is protected:server.tsimport express from "express"; import { createPocxGate } from "./lib/pocx"; const app = express(); const gate = createPocxGate(); app.use(gate.expressMiddleware()); // …your routes below are now protectedPlain-JavaScript project?
The SDK ships as TypeScript. If your Express app isn’t on TS yet, run it with a TS-aware runner liketsx(or bundle withesbuild) — no config beyondnpx tsx server.ts.Set the protected app URL and test
As with Next.js: set Protected app URL in Settings, invite yourself in Evaluators, and walk the gate in a private window.
3. Let a coding agent do it~2 min
The fastest integration is not doing it yourself. POCX publishes agent-executable instructions at /llms.txt.
Paste one prompt
Open Claude Code, Codex or Cursor inside your app’s repo and paste:Add POCX protection to this app. Follow the instructions at https://pocx-production.up.railway.app/llms.txt exactly.
What the agent will do
It reads the instructions, adds the three env vars (asking you for the values from your PoC’s Overview tab), downloadslib/pocx.ts, and wires the right entry point for your stack —proxy.tson Next.js 16,middleware.tson older Next.js,expressMiddleware()on Express.Verify its work
Open the app in a private window and confirm you’re redirected tohttps://pocx-production.up.railway.app/gate/<slug>. Complete the OTP + terms flow with an invited email, then check Sessions for your live session. If the redirect doesn’t fire, check the env vars loaded and that the middleware file is at the project root.
4. Customize your Terms of Access~5 min
Every PoC starts with the standard protective template — including the “no reuse without engagement” clause. You can keep it, tune it, or replace it entirely.
Open the Terms tab
Dashboard → your PoC → Terms. Two modes: Template (the standard terms with your PoC’s details substituted in) or Custom (your own legal text, verbatim).Use placeholders anywhere
Both modes resolve the same placeholders, auto-filled from your PoC’s fields:{{POC_NAME}}{{OWNER_ENTITY}}{{OWNER_REG_NO}}{{CLIENT_ENTITY}}{{PURPOSE}}{{SUPPORT_EMAIL}}{{TERMS_VERSION}}Check the live preview
The Terms tab renders the fully resolved text as evaluators will see it — what’s previewed is byte-for-byte what gets signed, hashed and put in the PDF.Understand version bumps
Editing the text under the same version applies only to future signers. Bumping the version forces every evaluator to re-accept before their next request goes through. Tick the optional “revoke all live sessions now” checkbox when the change is material and you want re-acceptance immediately, not at next revalidation.Know where signed copies live
Every acceptance is recorded in Dashboard → your PoC → Signatures (with timestamp, IP, user agent and the SHA-256 hash of the exact text), and a signed PDF certificate is emailed to the signer.
5. Invite, remove and revoke~5 min
Access control day-to-day: who can log in, who’s logged in right now, and the levers you pull when either needs to change.
Add evaluators
Dashboard → your PoC → Evaluators → add their email. Only these addresses ever receive a login code. Free includes 3 seats per PoC; Pro (US$39/mo) is unlimited.Disable a seat
Disabling an evaluator blocks their next login — they can no longer request a code. Their current session (if any) keeps running until it expires or you revoke it.Revoke sessions
Dashboard → your PoC → Sessions lists every live session with a per-session Revoke and a Revoke all. The SDK revalidates with POCX every minute, so a revocation bites in the protected app within ~60 seconds.Pause the whole PoC
Settings → Pause blocks new logins and live session validation in one switch — the demo is dark until you unpause. Session TTL, idle timeout and OTP expiry are configurable in the same tab.Rotate the secret
When a contractor with env-file access leaves, Settings → Rotate secret issues a newPOCX_SECRET; exchanges signed with the old one stop working immediately. Update your app’s environment and redeploy.Archive when it's over
Settings → Archive retires the PoC once the evaluation ends. Records — signatures included — stay on file.
6. Your evidence trail (Pro)~5 min
If a client ever ships something suspiciously familiar, what you want is a record. POCX keeps one from day one on every plan; the Pro plan unlocks the view.
What the audit log captures
Every OTP request and denial, every login, every terms signature, every revocation — each with actor, timestamp and context. AddlogEvents: truetocreatePocxGate()and in-apppage_viewevents stream in too, showing which screens each evaluator actually opened.Filter and export
Dashboard → your PoC → Audit filters by evaluator and event type, and exports the lot as CSV for your records — or your lawyer’s.How the pieces fit together
The signature record proves who agreed (OTP-verified email) and to what (the SHA-256 hash pins the exact text; the signed PDF is human-readable proof of the same string). The audit log proves what they did after agreeing. If you ever need to demonstrate what was agreed and accessed, the three line up on their own.Recording starts before you upgrade
Events are recorded from day one on all plans — upgrading to Pro later unlocks the full history, not just events after the upgrade.