Authentication

Generate secure project keys, mint visitor tokens, and validate webhook signatures.

Generate project API keys

Head to the Glimpze dashboard, open Settings → API access, and create a new project key. Each key is scoped to a workspace and can be rotated without downtime. Treat these like any server secret—store them in your secret manager and never ship them with client-side code.

  1. Select Generate key and provide a descriptive label (for example, “Marketing site widget”).
  2. Copy the value once; Glimpze will only display it at creation time.
  3. Assign roles to limit access to the widget, analytics, or admin endpoints as needed.

Mint short-lived widget tokens

Your public site or app should never embed project keys directly. Instead, mint a scoped widget token from your server and pass it to the Glimpze script when the visitor session starts.

POST https://api.glimpze.io/v1/widget/token
Authorization: Bearer <project_key>

{
  "visitor": {
    "email": "alex@example.com",
    "name": "Alex Rivera",
    "company": "Northwind"
  },
  "metadata": {
    "plan": "growth",
    "utm_source": "ads"
  },
  "ttl": 600
}

The token expires automatically based on the supplied ttl (seconds). Refresh it when the visitor performs a significant action or the session lasts longer than ten minutes.

Secure webhook deliveries

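When you receive webhooks from Glimpze, verify the signature header before processing the payload. Every webhook request includes an X-Glimpze-Signature header generated with your webhook secret. Compute the check over the raw request body exactly as received, before any JSON parsing, as the function below does.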

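const crypto = require("crypto");

// Returns true only if `signature` is the hex HMAC-SHA256 of `rawBody` under `secret`.
function isValidSignature(rawBody, signature, secret) {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(rawBody, "utf8")
    .digest();

  // A missing header must fail closed instead of throwing.
  if (typeof signature !== "string") return false;
  const provided = Buffer.from(signature, "hex");

  // timingSafeEqual throws on buffers of different length, so compare lengths first.
  if (provided.length !== expected.length) return false;
  return crypto.timingSafeEqual(provided, expected);
}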

Reject the request (HTTP 401) if the signature check fails. This protects your pipeline from spoofed events and keeps sensitive session data locked down.
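
The following is an added example, not Glimpze's own code: it wires the check above into a plain Node `http` listener so the signature is verified over the buffered raw bytes before `JSON.parse` runs. The names `verifySignature`, `handleDelivery` and `webhookListener`, the 1 MiB body cap, the 400 and 413 responses, and the sample secret and event are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constant-time check of a hex HMAC-SHA256 signature over the raw request bytes.
function verifySignature(rawBody, signatureHex, secret) {
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false; // missing or malformed header: fail closed, never reach timingSafeEqual
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  return crypto.timingSafeEqual(Buffer.from(signatureHex, "hex"), expected);
}

// Decide the response for one delivery. rawBody is a Buffer of the bytes as received.
function handleDelivery(headers, rawBody, secret) {
  if (!verifySignature(rawBody, headers["x-glimpze-signature"], secret)) {
    return { status: 401, event: null }; // reject before touching the payload
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString("utf8")) };
  } catch {
    return { status: 400, event: null }; // authentic sender, unparseable body
  }
}

// Node http listener: buffer the raw bytes first, verify, and only then parse.
function webhookListener(secret, onEvent, maxBytes = 1024 * 1024) {
  return (req, res) => {
    const chunks = [];
    let size = 0;
    req.on("data", (c) => {
      size += c.length;
      if (size > maxBytes) { res.writeHead(413).end(); req.destroy(); return; }
      chunks.push(c);
    });
    req.on("end", () => {
      const result = handleDelivery(req.headers, Buffer.concat(chunks), secret);
      if (result.status === 200) onEvent(result.event);
      res.writeHead(result.status).end();
    });
  };
}

// Constructed sample delivery (not a real Glimpze payload or secret).
const SAMPLE_SECRET = "whsec_constructed_example";
const SAMPLE_BODY = Buffer.from('{"type":"session.started","id":"evt_1"}', "utf8");
const SAMPLE_SIG = crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
```

Mount it with `http.createServer(webhookListener(secret, onEvent))`, loading `secret` from your secret manager. If a framework body parser runs first, the bytes it re-serializes will not match the signature, so capture the raw body before that middleware.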