TypeScript • npm 2.13.0+
Web (SPA) SDK
First-party JS SDK for SPA + vanilla web. Analytics, identity, push, full auth surface, deep-link mint + revoke + stats.
What's included
- Anonymous-first identity — survives reloads via `localStorage`.
- `identify` / `track` / `screen` analytics surface (Mixpanel-shaped).
- Full auth surface: email+pass, magic, OTP, MFA, passkeys (WebAuthn), OIDC SSO, SAML SSO, OAuth (Google / Apple / Microsoft / LinkedIn / Facebook / Discord).
- Web Push (VAPID) — registers the subscription against the current user.
- Deep links (Branch parity, web subset): `links.create<T>()` / `prewarm` / `revoke` / `getStats` + typed `LinkError`. Mint share URLs for paste-into-iMessage / WhatsApp / SMS flows.
- Custom claims JWT verification helper for backends that re-verify.
- Refuses `sk_*` secret keys at init. HTTPS-only API base.
Install
npm install @sendoracloud/sdk-webQuickstart
import { SendoraCloud, LinkError } from "@sendoracloud/sdk-web";
const s = SendoraCloud.init({ apiKey: "pk_prod_..." });
// Identify the signed-in user.
s.identify("u_123", { email: "alice@example.com", plan: "pro" });
// Track a product event.
s.track("page.viewed", { path: "/" });
// Web Push (VAPID).
await s.webPush.subscribe("/sw.js");
// Auth: magic-link sign-in.
await s.auth.sendMagicLink("user@example.com");
// Deep links — mint a share URL (no Universal Link handling on web).
const link = await s.links.create({
title: "Share article",
iosDeepLinkPath: "/articles/art_42",
androidDeepLinkPath: "/articles/art_42",
linkData: { articleId: "art_42" },
});
await navigator.clipboard.writeText(link.url);Security posture
- Public key only — SDK throws if given an `sk_*` secret key.
- HTTPS enforced outside `localhost` / `127.0.0.1`.
- HttpOnly cookies (via `@sendoracloud/sdk-web-ssr`) — opt into the SSR companion for cookie-based session storage instead of `localStorage`.