When implementing a DaVinci application integration
using the widget method, be aware that the POST
<authPath>/<companyID>/davinci/policy/<davinciFlowPolicyID>/start
request that invokes the flow takes an SDK token to authenticate. However, the call to
get a DaVinci SDK token, GET
<orchestratePath>/company/<companyID>/sdktoken
,
requires the application's API key to authenticate.
The /sdktoken
call must be executed on the server side, not in
client-side code, to protect the application's API key from exposure on a public web
page.
The following sample shows a server-side code snippet from a server.js file used to generate the DaVinci SDK token without exposing the application's API key.
The sample won't work unless you add your region-specific information. Replace any instances of <region> with your regional top-level domain:
- Use
.com
for North America. - Use
.ca
for Canada. - Use
.eu
for EMEA. - Use
.asia
for APAC.
/************************
* DaVinci components
************************/
// Get a Widget sdkToken
function getDVToken(cb) {
const url = `https://orchestrate-api.pingone.<region>/v1/company/${companyId}/sdktoken`;
fetch(url, {
headers: {
"X-SK-API-KEY": <yourDavinciAppApiKey>
},
method: "GET"
})
.then(res => res.json())
.then(data => cb(data))
.catch(err => console.log("Error: ", err));
}