
Browser SDK Setup

Create a SafetyKit Webapp SDK session and load the returned browser script.

Beta.

Create a SafetyKit Webapp SDK session from server-side code before rendering pages that load the browser SDK. Keep your SafetyKit API key on the server. The Browser SDK (Beta) API is authenticated with your normal SafetyKit Bearer token and is served from diagnostics.safetykit.com.

The integration should fail open: if session creation fails, times out, or returns an invalid response, render the page without the browser SDK.

    require "safety_kit"

    class ApplicationController < ActionController::Base
      # Create a session only for HTML GET requests, the pages that can load the browser SDK.
      before_action :set_safetykit_webapp_session, if: -> { request.get? && request.format.html? }

      private

      def set_safetykit_webapp_session
        @safetykit_webapp_session = create_safetykit_webapp_session
      end

      def create_safetykit_webapp_session
        # Drop identifiers that are nil; at least one is required.
        params = {
          customer_user_id: current_user&.id&.to_s,
          customer_session_hash: current_session_hash,
        }.compact
        return nil if params.empty?

        safetykit_client.client_sessions.create_session(body: params)
      rescue SafetyKit::Errors::APIError
        # Fail open: render the page without the browser SDK.
        nil
      end

      def safetykit_client
        # The API key is read from the server environment and never sent to the browser.
        @safetykit_client ||= SafetyKit::Client.new(
          api_key: ENV.fetch("SAFETYKIT_API_KEY"),
          timeout: 2,
        )
      end

      def current_session_hash
        # Use your own stable, opaque session identifier or hash, not a raw session value.
        session[:your_session_identifier]&.to_s
      end
    end

Send at least one of customer_user_id or customer_session_hash when creating a SafetyKit session token.

customer_user_id should be the same canonical user ID string that you send as user_id in SafetyKit server-to-server events. customer_session_hash should be a stable opaque customer-owned identifier or hash for the browser session, not a raw session value.

The session response contains:

  • session_token: browser-safe token used to initialize the Webapp SDK.
  • sdk_script_url: SafetyKit-hosted browser SDK script URL to load for this page.

See the client_sessions.create_session API reference for the full Ruby method signature, request parameters, and response fields.

Render the browser snippet in your layout or template only when the server created a SafetyKit session.

    <% session_token = @safetykit_webapp_session&.session_token %>
    <% sdk_script_url = @safetykit_webapp_session&.sdk_script_url %>
    <% if session_token.present? && sdk_script_url.present? %>
      <%= javascript_tag nonce: true do %>
        (function() {
          var script = document.createElement("script");
          script.async = true;
          script.src = <%= raw json_escape(sdk_script_url.to_json) %>;
          script.addEventListener("load", function() {
            try {
              if (window.SafetyKit && typeof window.SafetyKit.init === "function") {
                window.SafetyKit.init({
                  sessionToken: <%= raw json_escape(session_token.to_json) %>
                });
              }
            } catch (_) {}
          });
          document.head.appendChild(script);
        })();
      <% end %>
    <% end %>

If your app uses Content Security Policy, allow the returned SafetyKit CDN origin in script-src and https://ingest.sk-diagnostics.com in connect-src.
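One way to derive those CSP additions from the session response while keeping the fail-open rule, as an added example that is not SafetyKit's code: `SafetyKitCsp` and its methods are hypothetical helpers, and the CDN URL and nonce are constructed placeholders. It goes slightly beyond the paragraph above by seeding a missing directive from default-src, so the app's existing sources are kept.

```ruby
require "uri"

# Hypothetical helper for illustration; not part of the SafetyKit SDK.
module SafetyKitCsp
  INGEST_ORIGIN = "https://ingest.sk-diagnostics.com" # connect-src value named on this page

  module_function

  # Returns the origin of an HTTPS script URL, or nil for anything else
  # (nil, blank, http:, javascript:, embedded credentials, unparseable).
  def script_origin(sdk_script_url)
    uri = URI.parse(sdk_script_url.to_s)
    return nil unless uri.is_a?(URI::HTTPS) && !uri.host.to_s.empty? && uri.userinfo.nil?

    host = uri.host.downcase
    uri.port == 443 ? "https://#{host}" : "https://#{host}:#{uri.port}"
  rescue URI::InvalidURIError
    nil
  end

  # Returns a copy of `directives` (name => array of sources) that also allows
  # the SDK. An invalid URL returns the policy unchanged (fail open, no SDK).
  def allow_sdk(directives, sdk_script_url)
    origin = script_origin(sdk_script_url)
    return directives if origin.nil?

    policy = directives.transform_values(&:dup)
    add_source(policy, "script-src", origin)
    add_source(policy, "connect-src", INGEST_ORIGIN)
    policy
  end

  # A missing directive falls back to default-src in the browser, so seed from
  # it rather than replacing that fallback with a single source. With neither
  # present, nothing restricts that fetch type and there is nothing to widen.
  def add_source(policy, name, source)
    base = policy[name] || policy["default-src"]
    policy[name] = (base - ["'none'"] + [source]).uniq if base
  end

  def header_value(policy)
    policy.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end
end

# Constructed sample input: placeholder CDN URL and nonce, typical nonce-based policy.
SAMPLE_POLICY = { "default-src" => ["'self'"], "script-src" => ["'self'", "'nonce-abc123'"] }.freeze
puts SafetyKitCsp.header_value(SafetyKitCsp.allow_sdk(SAMPLE_POLICY, "https://cdn.example.test/webapp-sdk.js"))
```

Build the policy per request from the same session object the template uses, so a page rendered without the SDK also keeps its original policy.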

Do not expose your SafetyKit API key in browser code. Do not hardcode the SDK script URL; load the sdk_script_url returned by the session response. If the CDN script fails to load, the page should continue normally without SafetyKit browser telemetry.