> ## Documentation Index
> Fetch the complete documentation index at: https://docs.praxis-ai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify SDK launch token

> Verifies an HMAC-SHA256 launch token against the server-held secret.
Called by `Sdk.js` (React frontend) before proceeding to autosignup.

**Verification steps:**
1. Checks that the timestamp is within a 10-minute window
2. Recomputes the HMAC from canonicalized params (values stringified, `launch_*` keys stripped)
3. Compares using constant-time `crypto.timingSafeEqual` to prevent timing attacks

**When verification fails:**
- Expired tokens (>10 min) return 401 with "Launch token expired"
- Tampered or invalid tokens return 401 with "Invalid launch token"




## OpenAPI

````yaml /mdx/api-reference/admin/admin-api.json post /api/auth/sdk-verify
openapi: 3.0.0
info:
  title: Pria Admin API
  version: 2.0.1
  description: >-
    Pria API Documentation Praxis's developer platform is a core part of our
    mission to empower organizations to grow better. Our APIs are designed to
    enable teams of any shape or size to build robust integrations that help
    them customize and get the most value out of Pria. All Pria APIs are built
    using REST conventions and designed to have a predictable URL structure.
    <br/>  <br/>They use many standard HTTP features, including methods (POST,
    GET, PUT, DELETE) and error response codes.  <br/> <br/>All API calls are
    made under https://hiimpria.ai/api and all responses return standard JSON.
    In these docs, you'll find lists of all available endpoints for a given API,
    along with interactive code blocks for building requests. For walkthroughs
    of basic usage for these APIs, check out the API guides.
servers:
  - url: https://pria.praxislxp.com
    description: Pria API Server
security: []
tags:
  - name: Authentication
    description: User authentication, registration, and password management (/api/auth)
  - name: OAuth
    description: OAuth authentication providers - Google, GitHub, SSO (/api/auth/oauth)
  - name: User
    description: User profile management and account operations (/api/user)
  - name: User Institutions
    description: User institution memberships and switching (/api/user/institution)
  - name: User Tools
    description: Available tools for authenticated users (/api/user/tools)
  - name: Institutions
    description: Institution settings and configuration (/api/user/institution)
  - name: Conversation
    description: AI conversation and Q&A endpoints (/api/ai)
  - name: Realtime
    description: Real-time voice AI and WebRTC sessions (/api/ai/rt)
  - name: Assistant
    description: AI assistant configuration and management (/api/user/assistant)
  - name: History
    description: Conversation history and favorites (/api/user/history)
  - name: RAG
    description: >-
      Document upload, embedding, and retrieval-augmented generation
      (/api/user/files, /api/user/rag)
  - name: Setting
    description: Instance variables and settings management (/api/user/setting)
  - name: Branding
    description: Digital twin branding and customization (/api/agent/branding)
  - name: Agent
    description: Agent engagement and session management (/api/agent)
  - name: SDK Launch
    description: >-
      SDK launch token signing and verification for secure iframe embedding
      (/api/auth/sdk-sign, /api/auth/sdk-verify)
  - name: Testing
    description: Health checks, diagnostics, and test endpoints (/api/test)
  - name: Admin Accounts
    description: Account management for super admins (/api/admin/account)
  - name: Admin Institutions
    description: Institution management for admins (/api/admin/institution)
  - name: Admin Users
    description: User management for admins (/api/admin/user)
  - name: Admin Entitlements
    description: >-
      User-institution relationships and permissions
      (/api/admin/userInstitution)
  - name: Admin Sessions
    description: Session management for admins (/api/admin/session)
  - name: Admin Histories
    description: Conversation history management and analytics (/api/admin/history)
  - name: Admin Assistants
    description: AI assistant management for admins (/api/admin/assistant)
  - name: Admin Questions
    description: Institution question and prompt management (/api/admin/question)
  - name: Admin Tools
    description: Tool configuration management (/api/admin/tool)
  - name: Admin AI Models
    description: AI model configuration (/api/admin/aimodel)
  - name: Admin MCP Servers
    description: Model Context Protocol server management (/api/admin/mcpserver)
  - name: Admin Feedbacks
    description: User feedback management (/api/admin/feedback)
  - name: Admin Uploads
    description: Upload management (/api/admin/upload)
  - name: Admin Charts
    description: Analytics and visualization chart management (/api/admin/chart)
  - name: Admin Memory
    description: Admin inspection and editing of user/instance memory parameters.
  - name: Admin Usage Limits
    description: Per-user usage-vs-cap reporting and account-wide at-limit counts.
paths:
  /api/auth/sdk-verify:
    post:
      tags:
        - SDK Launch
      summary: Verify SDK launch token
      description: >
        Verifies an HMAC-SHA256 launch token against the server-held secret.

        Called by `Sdk.js` (React frontend) before proceeding to autosignup.


        **Verification steps:**

        1. Checks that the timestamp is within a 10-minute window

        2. Recomputes the HMAC from canonicalized params (values stringified,
        `launch_*` keys stripped)

        3. Compares using constant-time `crypto.timingSafeEqual` to prevent
        timing attacks


        **When verification fails:**

        - Expired tokens (>10 min) return 401 with "Launch token expired"

        - Tampered or invalid tokens return 401 with "Invalid launch token"
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SdkVerifyRequest'
      responses:
        '200':
          description: Token verified successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SdkVerifyResponse'
        '400':
          description: Missing verification parameters
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                    example: false
                  message:
                    type: string
                    example: Missing verification parameters
        '401':
          description: Token expired, invalid, or verification failed
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                    example: false
                  message:
                    type: string
                    example: Invalid launch token
        '500':
          description: Server configuration error (SDK_LAUNCH_SECRET not set)
components:
  schemas:
    SdkVerifyRequest:
      type: object
      required:
        - params
        - launch_token
        - nonce
        - timestamp
      properties:
        params:
          type: object
          description: >
            The launch parameters to verify. May include `launch_token`,
            `launch_nonce`, and

            `launch_timestamp` keys (these are stripped during canonicalization
            before HMAC comparison).

            All values are stringified to match the sign-side canonicalization.
        launch_token:
          type: string
          description: The HMAC-SHA256 token returned from sdk-sign
          example: a1b2c3d4e5f6...
        nonce:
          type: string
          description: The nonce returned from sdk-sign
          example: f47ac10b58cc4372a5670e02b2c3d479
        timestamp:
          type: integer
          description: >-
            The timestamp returned from sdk-sign (must be within 10-minute
            window)
          example: 1740500000
    SdkVerifyResponse:
      type: object
      properties:
        success:
          type: boolean
          example: true

````