curl --request POST \
  --url https://pria.praxislxp.com/api/auth/sdk-sign \
  --header 'Content-Type: application/json' \
  --data '
{
  "params": {
    "email": "john.doe@domain.edu",
    "profilename": "John Doe",
    "usertype": 4,
    "userid": 110,
    "institutionid": "f831501f-b645-481a-9cbb-331509aaf8c1",
    "task": "do"
  },
  "institutionId": "f831501f-b645-481a-9cbb-331509aaf8c1"
}
'

{
  "success": true,
  "launch_token": "a1b2c3d4e5f6...",
  "nonce": "f47ac10b58cc4372a5670e02b2c3d479",
  "timestamp": 1740500000
}

SDK Launch

Sign SDK launch parameters

Signs launch parameters with a server-held HMAC-SHA256 secret for secure SDK iframe embedding. Called by pria-sdk.js before creating the launch iframe.

Security model:

The signing secret (SDK_LAUNCH_SECRET) is never exposed to the client
Parameters are canonicalized (all values stringified, launch_* keys stripped) to ensure consistent HMAC computation across sign and verify, since URL query strings coerce values to strings
A cryptographic nonce and timestamp are included to prevent replay attacks
The token expires after 10 minutes

Origin validation:

For institution-specific launches, the request Origin or Referer header is validated against the institution’s publicAuthorizedUrls using exact hostname comparison
In development mode (NODE_ENV !== 'production'), file:// origins (null/missing Origin header) are allowed

Digital twin selector mode:

When institutionId is an empty string and params.digitaltwin is true, institution lookup and origin validation are skipped. The user will be presented with their existing digital twins or the option to create a new one.

POST

api

auth

sdk-sign

curl --request POST \
  --url https://pria.praxislxp.com/api/auth/sdk-sign \
  --header 'Content-Type: application/json' \
  --data '
{
  "params": {
    "email": "john.doe@domain.edu",
    "profilename": "John Doe",
    "usertype": 4,
    "userid": 110,
    "institutionid": "f831501f-b645-481a-9cbb-331509aaf8c1",
    "task": "do"
  },
  "institutionId": "f831501f-b645-481a-9cbb-331509aaf8c1"
}
'

{
  "success": true,
  "launch_token": "a1b2c3d4e5f6...",
  "nonce": "f47ac10b58cc4372a5670e02b2c3d479",
  "timestamp": 1740500000
}

Body

application/json

params

object

required

Launch parameters to be HMAC-signed. All values are canonicalized (converted to strings and launch_* keys are stripped) before signing to ensure consistency with the verify side, since URL query strings coerce all values to strings.

Show child attributes

institutionId

string

required

Institution public UUID. Required for institution-specific launches. May be an empty string "" for digital twin selector mode (when params.digitaltwin is true), which skips institution lookup and origin validation.

Example:

"f831501f-b645-481a-9cbb-331509aaf8c1"

Response

Parameters signed successfully

success

boolean

Example:

true

launch_token

string

HMAC-SHA256 signature of the canonicalized launch parameters

Example:

"a1b2c3d4e5f6..."

nonce

string

Cryptographic nonce (32 hex chars) to prevent replay attacks

Example:

"f47ac10b58cc4372a5670e02b2c3d479"

timestamp

integer

Unix timestamp (seconds) when the token was issued

Example:

1740500000

Update institution settings Verify SDK launch token

⌘I

API Documentation

Runtime API

Administrator API

Sign SDK launch parameters

Body

Response