When implementing a DaVinci application integration using the widget method, be aware that the POST <authPath>/<companyID>/davinci/policy/<davinciFlowPolicyID>/start request that invokes the flow takes an SDK token to authenticate. However, the call to get a DaVinci SDK token, GET <orchestratePath>/company/<companyID>/sdktoken, requires the application's API key to authenticate.


The /sdktoken call must be executed on the server side, not in client-side code, to protect the application's API key from exposure on a public web page.

The following sample shows a server-side code snippet from a server.js file used to generate the DaVinci SDK token without exposing the application's API key.


The sample won't work unless you add your region-specific information. Replace any instances of <region> with your regional top-level domain:

  • Use .com for North America.
  • Use .ca for Canada.
  • Use .eu for EMEA.
  • Use .asia for APAC.

// Get a Widget sdkToken (companyId must be defined elsewhere in server.js)
function getDVToken(cb) {
  const url = `https://orchestrate-api.pingone.<region>/v1/company/${companyId}/sdktoken`;
  fetch(url, {
    headers: {
      // Replace with your DaVinci application's API key; keep it server-side only
      "X-SK-API-KEY": "<yourDavinciAppApiKey>"
    },
    method: "GET"
  })
    .then(res => res.json())
    .then(data => cb(data))
    .catch(err => console.log("Error: ", err));
}
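
A fuller version of the server-side token route, written for this page as an added example (not Ping Identity's sample code): it reads the API key from the environment, restricts <region> to the four values listed above, and returns only the SDK token to the browser. The function names, the DV_* environment variables, the Express-style `res` object and the `access_token` response field are assumptions.

```javascript
// Added example, not Ping Identity's code. All names below are hypothetical.
const REGIONS = new Set(["com", "ca", "eu", "asia"]); // TLDs listed on this page

function buildSdkTokenUrl(region, companyId) {
  if (!REGIONS.has(region)) throw new Error(`unsupported region: ${region}`);
  const id = encodeURIComponent(companyId);
  return `https://orchestrate-api.pingone.${region}/v1/company/${id}/sdktoken`;
}

// Calls /sdktoken from the server. fetchImpl is injectable so the logic can be tested offline.
async function fetchSdkToken({ region, companyId, apiKey }, fetchImpl = globalThis.fetch) {
  if (!apiKey) throw new Error("API key is not configured");
  const res = await fetchImpl(buildSdkTokenUrl(region, companyId), {
    method: "GET",
    headers: { "X-SK-API-KEY": apiKey },
  });
  if (!res.ok) throw new Error(`sdktoken request failed with HTTP ${res.status}`);
  const data = await res.json();
  // Assumption: the SDK token is returned in an access_token field.
  if (typeof data.access_token !== "string") throw new Error("no access_token in response");
  return { token: data.access_token }; // only the SDK token leaves the server
}

// Express-style route handler (assumed shape: res.status(code).json(body)).
function makeTokenHandler(config, fetchImpl) {
  return async (_req, res) => {
    try {
      res.status(200).json(await fetchSdkToken(config, fetchImpl));
    } catch (err) {
      console.error("sdktoken error:", err.message); // detail stays in server logs
      res.status(502).json({ error: "token_unavailable" });
    }
  };
}

// Constructed config: the key comes from the environment, never from source or client code.
const config = {
  region: process.env.DV_REGION || "com",
  companyId: process.env.DV_COMPANY_ID || "example-company-id",
  apiKey: process.env.DV_API_KEY,
};
```

In an Express app this would be mounted with something like `app.get("/dvtoken", makeTokenHandler(config))`, and the widget page would request that route instead of calling /sdktoken itself.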