Verify SDK launch token
curl --request POST \
  --url https://pria.praxislxp.com/api/auth/sdk-verify \
  --header 'Content-Type: application/json' \
  --data '
{
  "params": {},
  "launch_token": "a1b2c3d4e5f6...",
  "nonce": "f47ac10b58cc4372a5670e02b2c3d479",
  "timestamp": 1740500000
}
'

Response:
{
  "success": true
}

SDK Launch
Verify SDK launch token
Verifies an HMAC-SHA256 launch token against the server-held secret.
Called by Sdk.js (React frontend) before proceeding to autosignup.
Verification steps:
- Checks that the timestamp is within a 10-minute window
- Recomputes the HMAC from canonicalized params (values stringified,
  launch_* keys stripped)
- Compares using constant-time crypto.timingSafeEqual to prevent timing attacks
When verification fails:
- Expired tokens (>10 min) return 401 with “Launch token expired”
- Tampered or invalid tokens return 401 with “Invalid launch token”
POST /api/auth/sdk-verify
Body
application/json

params
The launch parameters to verify. May include launch_token, launch_nonce, and
launch_timestamp keys (these are stripped during canonicalization before HMAC comparison).
All values are stringified to match the sign-side canonicalization.

launch_token
The HMAC-SHA256 token returned from sdk-sign
Example: "a1b2c3d4e5f6..."

nonce
The nonce returned from sdk-sign
Example: "f47ac10b58cc4372a5670e02b2c3d479"

timestamp
The timestamp returned from sdk-sign (must be within 10-minute window)
Example: 1740500000

Response
Token verified successfully
Example:
true
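
The verification steps described above, sketched as an added Node.js example; it is not the service's own code. The canonical string layout (sorted key/value pairs as JSON, joined to the nonce and timestamp with '.'), the hex token encoding, the rejection of far-future timestamps, and the names canonicalize, sign and verifyLaunch are assumptions, because the page does not specify them.

```javascript
const crypto = require('node:crypto');

const MAX_AGE_SECONDS = 10 * 60; // 10-minute window stated on the page

// Assumed canonical form: drop launch_* keys, stringify values, sort keys.
function canonicalize(params) {
  const pairs = Object.keys(params)
    .filter((k) => !k.startsWith('launch_'))
    .sort()
    .map((k) => [k, String(params[k])]);
  return JSON.stringify(pairs);
}

// Assumed message layout: nonce, timestamp and canonical params joined by '.'.
function sign(secret, params, nonce, timestamp) {
  return crypto
    .createHmac('sha256', secret)
    .update(`${nonce}.${timestamp}.${canonicalize(params)}`)
    .digest('hex');
}

function verifyLaunch(secret, body, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { params = {}, launch_token, nonce, timestamp } = body;
  if (!Number.isInteger(timestamp)) {
    return { status: 401, error: 'Invalid launch token' };
  }
  // Assumption: timestamps too far in the future are rejected like stale ones.
  if (Math.abs(nowSeconds - timestamp) > MAX_AGE_SECONDS) {
    return { status: 401, error: 'Launch token expired' };
  }
  const expected = Buffer.from(sign(secret, params, nonce, timestamp), 'hex');
  const supplied = Buffer.from(String(launch_token), 'hex');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (supplied.length !== expected.length ||
      !crypto.timingSafeEqual(supplied, expected)) {
    return { status: 401, error: 'Invalid launch token' };
  }
  return { status: 200, success: true };
}

// Constructed sample values (not real credentials).
const SECRET = 'constructed-demo-secret';
const sample = { params: { user: 'alice', course: 42 },
  nonce: 'f47ac10b58cc4372a5670e02b2c3d479', timestamp: 1740500000 };
sample.launch_token = sign(SECRET, sample.params, sample.nonce, sample.timestamp);
console.log(verifyLaunch(SECRET, sample, 1740500060));
```

The length check before crypto.timingSafeEqual matters in practice: without it, a truncated or non-hex token raises an exception instead of producing the 401 response.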