Authentication

This is the auth layer for the embedded widgets — the Live Persona (3D) and Chat Persona one-liners, and any browser code calling /v1 directly. By default a visitor is anonymous; add an identity token to recognize a logged-in user.

Persona IDX-Persona-Id· In the browser / page

The public embed identifier — the ?k= value in the widget snippet. Designed to live in your page: it identifies the persona but grants no account access, and requests are restricted to your allowed domains and rate-limited.

Identity Secretserver-side· Server-side only

Signs the end-user JWTs that recognize a logged-in visitor (below). Lives in the editor under Publish → Deploy. The secret itself never reaches the browser; only the short-lived JWT it signs does.

Building your own UI on the server instead? Server-side REST calls authenticate with the secret API key (X-Api-Key) — see the Services reference.

Recognize a logged-in user

Without a token, each browser is an anonymous visitor (history is keyed to a random per-browser id). To make a signed-in user's history follow them across devices, your server signs a short-lived JWT with the persona's Identity Secret and the page passes it to the widget as identityToken. The widget sends it as X-End-User-Token; the backend trusts its sub claim.

1 · Sign on your server

// Server-side only — sign a short-lived token for your logged-in user.
import jwt from "jsonwebtoken";

const token = jwt.sign(
  { sub: user.id },                    // your account id for this visitor
  process.env.PERSONAIZER_IDENTITY_SECRET, // from Publish → Deploy
  { algorithm: "HS256", expiresIn: "1h" },
);
// → hand 'token' to the page (never the secret)

2 · Pass it to the widget

<!-- In the page: pass the signed token to the widget -->
<script>
  window.PersonAIzerConfig = {
    identityToken: "<jwt-from-your-server>",
    // or refresh it on demand:
    // identityTokenProvider: async () => fetch("/personaizer-token").then(r => r.text()),
  };
</script>
<script src="https://cdn.personaizer.com/live.js?k=YOUR_PERSONA_ID" async></script>

Rotating the Identity Secret (in the editor) invalidates tokens signed with the old one — update your server to sign with the new secret, or logged-in visitors fall back to anonymous. Never put the Identity Secret in a page; only the JWT it signs.