curl --request POST \
--url https://pria.praxislxp.com/api/auth/sdk-verify \
--header 'Content-Type: application/json' \
--data '
{
"params": {},
"launch_token": "a1b2c3d4e5f6...",
"nonce": "f47ac10b58cc4372a5670e02b2c3d479",
"timestamp": 1740500000
}
'{
"success": true
}Verify SDK launch token
Verifies an HMAC-SHA256 launch token against the server-held secret.
Called by Sdk.js (React frontend) before proceeding to autosignup.
Verification steps:
- Checks that the timestamp is within a 10-minute window
- Recomputes the HMAC from canonicalized params (values stringified,
launch_*keys stripped) - Compares using constant-time
crypto.timingSafeEqualto prevent timing attacks
When verification fails:
- Expired tokens (>10 min) return 401 with “Launch token expired”
- Tampered or invalid tokens return 401 with “Invalid launch token”
curl --request POST \
--url https://pria.praxislxp.com/api/auth/sdk-verify \
--header 'Content-Type: application/json' \
--data '
{
"params": {},
"launch_token": "a1b2c3d4e5f6...",
"nonce": "f47ac10b58cc4372a5670e02b2c3d479",
"timestamp": 1740500000
}
'{
"success": true
}Documentation Index
Fetch the complete documentation index at: https://docs.praxis-ai.com/llms.txt
Use this file to discover all available pages before exploring further.
Body
The launch parameters to verify. May include launch_token, launch_nonce, and
launch_timestamp keys (these are stripped during canonicalization before HMAC comparison).
All values are stringified to match the sign-side canonicalization.
The HMAC-SHA256 token returned from sdk-sign
"a1b2c3d4e5f6..."
The nonce returned from sdk-sign
"f47ac10b58cc4372a5670e02b2c3d479"
The timestamp returned from sdk-sign (must be within 10-minute window)
1740500000
Response
Token verified successfully
true
Was this page helpful?