Node.js and Next.js

Mint Reqio HS256 identity tokens on a Node.js or Next.js server using the jose library.

The snippet below is exactly what the dashboard generates under Project > Settings > Identity when you choose Next.js or Node.js. Copy it from the dashboard to get your real project ID and audience URL pre-filled.

Install

npm install jose

Mint a token (Next.js -- ESM)

// npm install jose
import { SignJWT } from "jose";

const secret = new TextEncoder().encode(process.env.REQIO_SECRET!);
const now = Math.floor(Date.now() / 1000);

const token = await new SignJWT({
  sub: user.id,
  email: user.email,
  traits: { plan: user.plan, amount: user.planAmount, interval: user.billingInterval }, // amount in cents; interval "month" | "year"
})
  .setProtectedHeader({ alg: "HS256" })
  .setAudience("https://reqio.app/p/YOUR_PROJECT_ID")
  .setIssuedAt(now)
  .setExpirationTime(now + 300)
  .sign(secret);

Mint a token (Node.js -- CommonJS)

// npm install jose
const { SignJWT } = require("jose");

const secret = new TextEncoder().encode(process.env.REQIO_SECRET);

// CommonJS has no top-level await, so the token is minted inside an async function.
async function mintReqioToken(user) {
  const now = Math.floor(Date.now() / 1000);

  return new SignJWT({
    sub: user.id,
    email: user.email,
    traits: { plan: user.plan, amount: user.planAmount, interval: user.billingInterval }, // amount in cents; interval "month" | "year"
  })
    .setProtectedHeader({ alg: "HS256" })
    .setAudience("https://reqio.app/p/YOUR_PROJECT_ID")
    .setIssuedAt(now)
    .setExpirationTime(now + 300)
    .sign(secret);
}

Replace YOUR_PROJECT_ID with your project ID, or copy the full snippet from the dashboard where the audience URL is pre-filled.

Environment variable

Set REQIO_SECRET to the signing secret from Project > Settings > Identity > Reveal secret. Store it server-side only; never expose it to the browser.

Pass the token to the widget

For server-rendered pages, pass the token inline on the script tag so no client fetch is needed:

<script
  src="https://reqio.app/widget.js"
  data-project-id="YOUR_PROJECT_ID"
  data-identity-token="<your minted token>"
  async
></script>

For SPAs where the user authenticates after the initial page load, call window.Reqio.identify() after login:

window.Reqio.identify(token);

Traits reference

| Field | Type | Description |
|---|---|---|
| plan | string | Plan name on your billing system, e.g. "pro". |
| amount | number | Recurring charge as billed, in cents. For annual plans send the full annual total; Reqio divides by 12 to derive the monthly value. |
| interval | "month" or "year" | Billing cadence for amount. |

Security

REQIO_SECRET is the symmetric key for all tokens in your project. Exposure would allow anyone to mint arbitrary identity tokens. Tokens are short-lived (300 seconds) and audience-bound to one project URL, so a leaked token cannot be replayed against a different project.
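
The checks behind the audience and expiry properties described above, as an added example (not Reqio's code and not from the dashboard snippet). It uses Node's built-in crypto instead of jose so it runs without dependencies; the function names, sample secret and project IDs are constructed, and which checks Reqio actually performs is an assumption.

```javascript
// Added example: HS256 mint and verify using node:crypto only (no jose).
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const hmac = (secret, data) => createHmac("sha256", secret).update(data).digest();
const decode = (part) => {
  try { return JSON.parse(Buffer.from(part, "base64url").toString("utf8")); }
  catch { return null; }
};

// Mint a token with the same aud/iat/exp shape as the snippets above.
function mint(secret, aud, nowSec) {
  const signingInput = b64url({ alg: "HS256" }) + "." +
    b64url({ sub: "user_123", aud, iat: nowSec, exp: nowSec + 300 });
  return signingInput + "." + hmac(secret, signingInput).toString("base64url");
}

// Hypothetical verifier: returns "ok" or the reason the token is rejected.
function check(token, secret, expectedAud, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  const [head, body, sig] = parts;
  // Pin the algorithm: the token must not choose how it is verified.
  const header = decode(head);
  if (!header || header.alg !== "HS256") return "bad alg";
  // Verify the signature before trusting any claim in the payload.
  const expected = hmac(secret, head + "." + body);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return "bad signature";
  }
  const claims = decode(body);
  if (!claims || claims.aud !== expectedAud) return "wrong audience";
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) return "expired";
  return "ok";
}

// Constructed sample values, not real project IDs or secrets.
const SECRET = "constructed-demo-secret";
const AUD_A = "https://reqio.app/p/PROJECT_A";
const AUD_B = "https://reqio.app/p/PROJECT_B";
const NOW = 1700000000;
const token = mint(SECRET, AUD_A, NOW);

console.log(check(token, SECRET, AUD_A, NOW + 10));              // accepted
console.log(check(token, SECRET, AUD_B, NOW + 10));              // other project
console.log(check(token, SECRET, AUD_A, NOW + 300));             // past lifetime
console.log(check(token, "some-other-secret", AUD_A, NOW + 10)); // wrong key
```

The same token is accepted only for the project it was minted for and only inside its 300-second window; a verifier holding a different secret rejects it at the signature step.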