Guides
Authentication
How authentication works across SDK, server, and widget.
Aelio uses three separate authentication mechanisms. Do not conflate them.
1. SDK authentication
The SDK connects to the server over WebSocket at /sdk with a Bearer token:
Authorization: Bearer <AELIO_SDK_SECRET>- Constant-time comparison (
timingSafeEqual) - Max 32 concurrent SDK connections
- Must send
registerframe within 15s or connection is closed - Auto-reconnect with exponential backoff
await aelio.listen({
secret: process.env.AELIO_SDK_SECRET,
url: 'ws://127.0.0.1:3010',
});2. Widget authentication (magic link)
For production, the widget uses short-lived session tokens:
Your backend → POST /auth/magic-link (Bearer secret)
→ magic link URL
→ user clicks → GET /auth/verify?token=...
→ sessionToken
→ widget init with authTokenSession tokens are HMAC-SHA256 signed, TTL default 60 minutes. The server verifies the token matches customerId.
See Widget Authentication for the full flow.
3. Protected HTTP routes
These routes require Authorization: Bearer <AELIO_SDK_SECRET>:
| Route | Purpose |
|---|---|
POST /auth/magic-link | Issue magic link |
POST /proactive | Send proactive message |
POST /proactive/opt-in | Set customer opt-in |
GET /api/v1/telemetry/* | Telemetry data |
Also accepts x-aelio-secret header as an alternative.
4. WhatsApp webhook auth
- GET verification:
hub.verify_tokenmust match config - POST messages: HMAC
x-hub-signature-256verified against raw body +app_secret
Security rules
| Do | Don't |
|---|---|
Store AELIO_SDK_SECRET in server env vars | Put AELIO_SDK_SECRET in frontend code |
| Issue session tokens from your backend | Hardcode customer IDs in production |
| Use HTTPS/WSS in production | Use allow_anonymous: true in production |
| Rotate secrets periodically | Share secrets across environments |
Anonymous mode (dev only)
identity:
allow_anonymous: trueAllows widget init with just customerId and email, no token required.