Documentation Index
Fetch the complete documentation index at: https://docs.hacktionbase.com/llms.txt
Use this file to discover all available pages before exploring further.
Auth flow
The widget uses a dedicated widget JWT — separate from your application’s auth. Here’s how it works:
1. SDK collects session context (sessionId, anonymousId, userId, sdkKey, device)
2. SDK sends context to widget iframe via postMessage
3. Widget iframe POSTs to /public/widget/auth
4. API validates the SDK key, creates/finds the user, returns a widget JWT
5. Widget stores the JWT and sends hacktionbase:widget_auth_success back to SDK
Session context
The SDK sends a WidgetContextPayload to the widget on every auth handshake:
{
sessionId: string; // Current session ID
anonymousId: string; // Persistent anonymous ID (survives sessions)
userId?: string; // Set after identify() is called
accountId?: string; // Set if user has an account
userHash?: string; // HMAC for identity verification
sdkKey: string; // Your SDK key
timestamp: number; // Current timestamp
device: DeviceInfo; // Browser, OS, screen, language, timezone
}
When re-authentication happens
The widget re-authenticates in these cases:
- Initial load — when the iframe sends
hacktionbase:ready
- First identify — when an anonymous user is identified (anonymous → known user)
- Account switch — when
identify() is called with a different account.id
Identity verification (optional)
To prevent users from impersonating others, you can enable HMAC identity verification. Generate the hash server-side using your SDK secret:
// Server-side (Node.js)
const crypto = require('crypto');
const userHash = crypto
.createHmac('sha256', 'YOUR_SDK_SECRET')
.update(userId)
.digest('hex');
identify:
Hacktionbase.identify({
id: 'user_123',
email: 'jane@example.com',
userHash: 'computed_hmac_hash'
});
userHash is provided, the API validates it before accepting the identity.
