Web SDK 2.0 API Reference

Initialize the SDK before using any components:

๐Ÿ“˜

This guide is specific to Web SDK 2.0. If you are still using 1.x, you can find documentation here. Contact your Incode Representative for upgrade information and check if you are a candidate for this upgrade.

Full rollout to all clients still TBD.


Setup

setup()

Initialize the SDK before using any components:

import { setup } from '@incodetech/core';

await setup({
  apiURL: string;                                      // Required: API base URL
  token?: string;                                      // Optional: session token (one-shot convenience โ€” delegates to initializeSession)
  customHeaders?: Record<string, string>;
  timeout?: number;                                    // Request timeout (ms)
  wasm?: WasmConfig | false;                           // WASM warmup (see WASM Configuration)
  encryption?: boolean | { mgf1?: 'sha1' | 'sha256' }; // End-to-end encryption (locked at boot)
  hostingApp?: string;                                 // Optional fingerprint hosting-app identifier
});

The canonical activation pattern is two calls โ€” setup({ apiURL }) first, then initializeSession({ token }) once the session token is known. See initializeSession() below. Passing token to setup is a one-shot convenience that delegates to initializeSession internally.

OptionTypeRequiredDescription
apiURLstringโŒAPI base URL. Omit when every API actor is overridden via .provide() (advanced).
tokenstringโŒSession token. One-shot convenience that delegates to initializeSession({ token, hostingApp }). Prefer the explicit two-call form: setup({ apiURL }) then initializeSession({ token }). The two-call form lets you start setup (including WASM warmup) before the token is known.
customHeadersRecord<string, string>โŒHeaders to attach to every SDK request.
timeoutnumberโŒRequest timeout in milliseconds.
wasmWasmConfig | falseโŒWASM warmup. Omit to skip preload (loads lazily on first selfie/ID capture). Pass an object to warm up with CDN defaults plus any overrides. Pass false to explicitly disable. See WASM Configuration.
encryptionboolean | { mgf1?: 'sha1' | 'sha256' }โŒEnable end-to-end encryption for SDK traffic. Independent of token โ€” can be enabled before a session token is known. Not a self-serve flag โ€” your Incode account team provisions the environment and gives you the dedicated apiURL and mgf1 scheme. Locked at boot (call reset() to change later) and requires the WASM binary transport. See End-to-End Encryption for the full walkthrough including API-key transmission, MGF1 schemes, and failure modes.
hostingAppstringโŒHosting app identifier forwarded to the fingerprinting service.

createSession()

Create a verification session (call from your backend for production):

import { createSession } from '@incodetech/core/session';

const session = await createSession(apiKey, {
  configurationId: string;   // Required: Flow configuration ID from dashboard
  language?: string;         // Optional: Language code (e.g., 'en-US')
  externalId?: string;       // Optional: Your user reference ID
});

// Returns: { token: string; interviewId: string; ... }

initializeSession()

Activate a session by attaching the token to the HTTP client and pre-loading session-scoped state (feature flags, device fingerprint, analytics flush). Call once you have a session token โ€” typically right after createSession() (or after your backend returns the token).

import { initializeSession } from '@incodetech/core/session';

await initializeSession({
  token: string;            // Required in application code: the session token from createSession()
  hostingApp?: string;      // Optional: hosting-app identifier forwarded to fingerprinting
  signal?: AbortSignal;     // Optional: abort the activation (e.g. on unmount)
});

// Returns: { features, disableIpify, fingerprintSuccess, fingerprintResult }
OptionTypeRequiredDescription
tokenstringโœ…Session token returned by createSession(). Application code should always pass this explicitly.
hostingAppstringโŒHosting-app identifier forwarded to the fingerprinting service.
signalAbortSignalโŒCancellation signal โ€” useful for unmount-aborts in single-page apps.

Results are cached per token: calling initializeSession again with the same token is a no-op; calling with a different token resets the cache and re-initializes from scratch. Idempotent across concurrent callers โ€” a second in-flight call with the same arguments awaits the first.

Components

<incode-flow>

Complete verification flow as a standard Web Component.

// Side-effect import registers the custom element
import '@incodetech/web/flow';
import '@incodetech/web/flow/styles.css';
PropertyTypeRequiredDescription
configFlowConfigโœ…Flow configuration object
onFinish(result?: FinishStatus) => voidโœ…Called when flow completes
onError(error: string | undefined, errorCode?: number) => voidโŒCalled when an error occurs

FlowConfig

apiURL is configured via setup(), not in FlowConfig.

PropertyTypeRequiredDescription
tokenstringโœ…Session token from createSession() (token-based variant)
apiKey (or clientId) + configurationIdstringโœ… (alt)Self-loading variant โ€” component creates its own session. Avoid in production.
langstringโŒLanguage code (e.g. 'en-US')
enableHomebooleanโŒShow the SDK's built-in home screen
authHintstringโŒQR/auth hint when re-entering a flow
urlUuidstringโŒQR anti-phishing token from URL
wasmConfigWasmConfigโŒWASM configuration for ML features
spinnerConfigSpinnerConfigโŒLoading spinner customization
disableDashboardThemebooleanโŒDisable dashboard theme
onFlowEvent(event: FlowEvent) => voidโŒCurated flow milestones
onModuleLoading(moduleKey: string) => voidโŒCalled when module starts loading
onModuleLoaded(moduleKey: string) => voidโŒCalled when module finishes loading
onWasmWarmup(pipelines: string[]) => voidโŒCalled when WASM warmup begins
onUrlUuidRefreshed(urlUuid: string) => voidโŒNew urlUuid available

Other components

The SDK ships 20+ web components in addition to IncodeFlow โ€” selfie, ID capture, phone, email, signature, consent, eKYC/eKYB orchestrators, and more. Rather than duplicate them here, see:

Headless Managers

Every module ships a corresponding createXxxManager factory for headless integrations. The full catalog (manager name, core import, what it does) lives in Individual Modules; detailed lifecycle, state, and method documentation for each manager lives in Headless Mode.

For the four most-used headless APIs, see:

See Also