Authentication
This is the auth layer for the embedded widgets — the Live Persona (3D) and Chat Persona one-liners, and any browser code calling /v1 directly. By default a visitor is anonymous; add an identity token to recognize a logged-in user.
X-Persona-Id· In the browser / pageThe public embed identifier — the ?k= value in the widget snippet. Designed to live in your page: it identifies the persona but grants no account access, and requests are restricted to your allowed domains and rate-limited.
server-side· Server-side onlySigns the end-user JWTs that recognize a logged-in visitor (below). Lives in the editor under Publish → Deploy. The secret itself never reaches the browser; only the short-lived JWT it signs does.
Building your own UI on the server instead? Server-side REST calls authenticate with the secret API key (X-Api-Key) — see the Services reference.
Recognize a logged-in user
Without a token, each browser is an anonymous visitor (history is keyed to a random per-browser id). To make a signed-in user's history follow them across devices, your server signs a short-lived JWT with the persona's Identity Secret and the page passes it to the widget as identityToken. The widget sends it as X-End-User-Token; the backend trusts its sub claim.
1 · Sign on your server
// Server-side only — sign a short-lived token for your logged-in user.
import jwt from "jsonwebtoken";
const token = jwt.sign(
{ sub: user.id }, // your account id for this visitor
process.env.PERSONAIZER_IDENTITY_SECRET, // from Publish → Deploy
{ algorithm: "HS256", expiresIn: "1h" },
);
// → hand 'token' to the page (never the secret)2 · Pass it to the widget
<!-- In the page: pass the signed token to the widget -->
<script>
window.PersonAIzerConfig = {
identityToken: "<jwt-from-your-server>",
// or refresh it on demand:
// identityTokenProvider: async () => fetch("/personaizer-token").then(r => r.text()),
};
</script>
<script src="https://cdn.personaizer.com/live.js?k=YOUR_PERSONA_ID" async></script>Rotating the Identity Secret (in the editor) invalidates tokens signed with the old one — update your server to sign with the new secret, or logged-in visitors fall back to anonymous. Never put the Identity Secret in a page; only the JWT it signs.