> ## Documentation Index
> Fetch the complete documentation index at: https://docs.praxis-ai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sign SDK launch parameters

> Signs launch parameters with a server-held HMAC-SHA256 secret for secure SDK iframe embedding.
Called by `pria-sdk.js` before creating the launch iframe.

**Security model:**
- The signing secret (`SDK_LAUNCH_SECRET`) is never exposed to the client
- Parameters are canonicalized (all values stringified, `launch_*` keys stripped) to ensure
  consistent HMAC computation across sign and verify, since URL query strings coerce values to strings
- A cryptographic nonce and timestamp are included to prevent replay attacks
- The token expires after 10 minutes

**Origin validation:**
- For institution-specific launches, the request `Origin` or `Referer` header is validated
  against the institution's `publicAuthorizedUrls` using exact hostname comparison
- In development mode (`NODE_ENV !== 'production'`), `file://` origins (null/missing Origin header) are allowed

**Digital twin selector mode:**
- When `institutionId` is an empty string and `params.digitaltwin` is true, institution lookup
  and origin validation are skipped. The user will be presented with their existing digital twins
  or the option to create a new one.




## OpenAPI

````yaml /mdx/api-reference/admin/admin-api.json post /api/auth/sdk-sign
openapi: 3.0.0
info:
  title: Pria Admin API
  version: 2.0.1
  description: >-
    Pria API Documentation Praxis's developer platform is a core part of our
    mission to empower organizations to grow better. Our APIs are designed to
    enable teams of any shape or size to build robust integrations that help
    them customize and get the most value out of Pria. All Pria APIs are built
    using REST conventions and designed to have a predictable URL structure.
    <br/>  <br/>They use many standard HTTP features, including methods (POST,
    GET, PUT, DELETE) and error response codes.  <br/> <br/>All API calls are
    made under https://hiimpria.ai/api and all responses return standard JSON.
    In these docs, you'll find lists of all available endpoints for a given API,
    along with interactive code blocks for building requests. For walkthroughs
    of basic usage for these APIs, check out the API guides.
servers:
  - url: https://pria.praxislxp.com
    description: Pria API Server
security: []
tags:
  - name: Authentication
    description: User authentication, registration, and password management (/api/auth)
  - name: OAuth
    description: OAuth authentication providers - Google, GitHub, SSO (/api/auth/oauth)
  - name: User
    description: User profile management and account operations (/api/user)
  - name: User Institutions
    description: User institution memberships and switching (/api/user/institution)
  - name: User Tools
    description: Available tools for authenticated users (/api/user/tools)
  - name: Institutions
    description: Institution settings and configuration (/api/user/institution)
  - name: Conversation
    description: AI conversation and Q&A endpoints (/api/ai)
  - name: Realtime
    description: Real-time voice AI and WebRTC sessions (/api/ai/rt)
  - name: Assistant
    description: AI assistant configuration and management (/api/user/assistant)
  - name: History
    description: Conversation history and favorites (/api/user/history)
  - name: RAG
    description: >-
      Document upload, embedding, and retrieval-augmented generation
      (/api/user/files, /api/user/rag)
  - name: Setting
    description: Instance variables and settings management (/api/user/setting)
  - name: Branding
    description: Digital twin branding and customization (/api/agent/branding)
  - name: Agent
    description: Agent engagement and session management (/api/agent)
  - name: SDK Launch
    description: >-
      SDK launch token signing and verification for secure iframe embedding
      (/api/auth/sdk-sign, /api/auth/sdk-verify)
  - name: Testing
    description: Health checks, diagnostics, and test endpoints (/api/test)
  - name: Admin Accounts
    description: Account management for super admins (/api/admin/account)
  - name: Admin Institutions
    description: Institution management for admins (/api/admin/institution)
  - name: Admin Users
    description: User management for admins (/api/admin/user)
  - name: Admin Entitlements
    description: >-
      User-institution relationships and permissions
      (/api/admin/userInstitution)
  - name: Admin Sessions
    description: Session management for admins (/api/admin/session)
  - name: Admin Histories
    description: Conversation history management and analytics (/api/admin/history)
  - name: Admin Assistants
    description: AI assistant management for admins (/api/admin/assistant)
  - name: Admin Questions
    description: Institution question and prompt management (/api/admin/question)
  - name: Admin Tools
    description: Tool configuration management (/api/admin/tool)
  - name: Admin AI Models
    description: AI model configuration (/api/admin/aimodel)
  - name: Admin MCP Servers
    description: Model Context Protocol server management (/api/admin/mcpserver)
  - name: Admin Feedbacks
    description: User feedback management (/api/admin/feedback)
  - name: Admin Uploads
    description: Upload management (/api/admin/upload)
  - name: Admin Charts
    description: Analytics and visualization chart management (/api/admin/chart)
  - name: Admin Memory
    description: Admin inspection and editing of user/instance memory parameters.
  - name: Admin Usage Limits
    description: Per-user usage-vs-cap reporting and account-wide at-limit counts.
paths:
  /api/auth/sdk-sign:
    post:
      tags:
        - SDK Launch
      summary: Sign SDK launch parameters
      description: >
        Signs launch parameters with a server-held HMAC-SHA256 secret for secure
        SDK iframe embedding.

        Called by `pria-sdk.js` before creating the launch iframe.


        **Security model:**

        - The signing secret (`SDK_LAUNCH_SECRET`) is never exposed to the
        client

        - Parameters are canonicalized (all values stringified, `launch_*` keys
        stripped) to ensure
          consistent HMAC computation across sign and verify, since URL query strings coerce values to strings
        - A cryptographic nonce and timestamp are included to prevent replay
        attacks

        - The token expires after 10 minutes


        **Origin validation:**

        - For institution-specific launches, the request `Origin` or `Referer`
        header is validated
          against the institution's `publicAuthorizedUrls` using exact hostname comparison
        - In development mode (`NODE_ENV !== 'production'`), `file://` origins
        (null/missing Origin header) are allowed


        **Digital twin selector mode:**

        - When `institutionId` is an empty string and `params.digitaltwin` is
        true, institution lookup
          and origin validation are skipped. The user will be presented with their existing digital twins
          or the option to create a new one.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SdkSignRequest'
            examples:
              institutionLaunch:
                summary: Standard institution launch
                value:
                  params:
                    email: john.doe@domain.edu
                    profilename: John Doe
                    usertype: 4
                    userid: 110
                    institutionid: f831501f-b645-481a-9cbb-331509aaf8c1
                    task: do
                  institutionId: f831501f-b645-481a-9cbb-331509aaf8c1
              digitalTwinSelector:
                summary: Digital twin selector (no specific institution)
                value:
                  params:
                    email: john.doe@domain.edu
                    profilename: John Doe
                    usertype: 4
                    digitaltwin: true
                    task: do
                    institutionid: ''
                  institutionId: ''
      responses:
        '200':
          description: Parameters signed successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SdkSignResponse'
        '400':
          description: Missing params/institutionId or invalid institution
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                    example: false
                  message:
                    type: string
                    example: Invalid institution
        '403':
          description: Origin not authorized for this institution
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                    example: false
                  message:
                    type: string
                    example: Unauthorized origin
        '500':
          description: Server configuration error (SDK_LAUNCH_SECRET not set)
components:
  schemas:
    SdkSignRequest:
      type: object
      required:
        - params
        - institutionId
      properties:
        params:
          type: object
          description: >
            Launch parameters to be HMAC-signed. All values are canonicalized
            (converted to strings

            and `launch_*` keys are stripped) before signing to ensure
            consistency with the verify side,

            since URL query strings coerce all values to strings.
          properties:
            email:
              type: string
              format: email
              example: john.doe@domain.edu
            profilename:
              type: string
              example: John Doe
            usertype:
              type: integer
              description: LMS user type (1=student, 2+=instructor/admin)
              example: 4
            userid:
              type: integer
              example: 110
            roleid:
              type: integer
              example: 123
            rolename:
              type: string
              example: Course ABC
            partnerid:
              type: integer
              example: 1
            partnername:
              type: string
              example: ABC Global Inc.
            lticontextid:
              type: string
              example: https://domain.edu/course/123
            digitaltwin:
              type: boolean
              description: >-
                When true with empty institutionId, enters digital twin selector
                mode
              example: true
            task:
              type: string
              example: do
            institutionid:
              type: string
              format: uuid
              description: Institution public ID (may be empty for digital twin mode)
              example: f831501f-b645-481a-9cbb-331509aaf8c1
            institutionurl:
              type: string
              example: https://domain.edu
            clientip:
              type: string
              example: 134.123.234.234
        institutionId:
          type: string
          description: >
            Institution public UUID. Required for institution-specific launches.

            May be an empty string `""` for digital twin selector mode (when
            `params.digitaltwin` is true),

            which skips institution lookup and origin validation.
          example: f831501f-b645-481a-9cbb-331509aaf8c1
    SdkSignResponse:
      type: object
      properties:
        success:
          type: boolean
          example: true
        launch_token:
          type: string
          description: HMAC-SHA256 signature of the canonicalized launch parameters
          example: a1b2c3d4e5f6...
        nonce:
          type: string
          description: Cryptographic nonce (32 hex chars) to prevent replay attacks
          example: f47ac10b58cc4372a5670e02b2c3d479
        timestamp:
          type: integer
          description: Unix timestamp (seconds) when the token was issued
          example: 1740500000

````