Verify SDK launch token
SDK Launch
Verify SDK launch token
Verifies an HMAC-SHA256 launch token against the server-held secret.
Called by Sdk.js (React frontend) before proceeding to autosignup.
Verification steps:
- Checks that the timestamp is within a 10-minute window
- Recomputes the HMAC from canonicalized params (values stringified,
launch_*keys stripped) - Compares using constant-time
crypto.timingSafeEqualto prevent timing attacks
When verification fails:
- Expired tokens (>10 min) return 401 with “Launch token expired”
- Tampered or invalid tokens return 401 with “Invalid launch token”
POST
Verify SDK launch token
Body
application/json
The launch parameters to verify. May include launch_token, launch_nonce, and
launch_timestamp keys (these are stripped during canonicalization before HMAC comparison).
All values are stringified to match the sign-side canonicalization.
The HMAC-SHA256 token returned from sdk-sign
Example:
"a1b2c3d4e5f6..."
The nonce returned from sdk-sign
Example:
"f47ac10b58cc4372a5670e02b2c3d479"
The timestamp returned from sdk-sign (must be within 10-minute window)
Example:
1740500000
Response
Token verified successfully
Example:
true