Security
There is no secret key in your frontend code
This is intentional and matches the approach used by every major analytics provider (Amplitude, Mixpanel, Segment, PostHog).
The haya.init() call takes only a public SDK key. There is no HMAC secret, no API secret, no password. Your SDK key is safe to commit to version control and safe to include in a public JavaScript bundle.
Why can't browsers keep secrets?
Anything the JavaScript runtime touches, the user can inspect. Even if you store a secret in an environment variable prefixed with VITE_ or NEXT_PUBLIC_, it gets compiled into your JavaScript bundle and is visible to anyone who downloads it.
Real secrets belong on the server — never in the browser.
How Haya authenticates SDK requests
When the SDK sends events, the backend validates two things:
1. SDK key
The projectId in every request must match an active project in the database. If the key doesn't exist or the project is disabled, the request is rejected with 401.
2. Origin / Referer header
Every browser request includes an Origin (or Referer) header indicating which domain it came from. Haya checks that this header matches the domain you registered for the project.
If someone tries to send fake events using your SDK key from a different domain, the backend rejects the request with 403.
Rate limiting
Each SDK key is rate-limited to 120 requests per minute using a Redis sliding window. If the limit is exceeded, the backend returns 429 Too Many Requests with a Retry-After: 60 header.
The SDK automatically retries rejected batches with exponential backoff (1s → 2s → 4s → 8s → 8s). If all retries are exhausted, the batch is saved to localStorage and retried on the next page load (up to 72 hours).
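As an added illustration (not Haya's own backend code), the following JavaScript models the three checks described above: SDK key lookup, Origin/Referer matching, and a 120-per-minute sliding window. The project registry and the rate-limit store are in-memory stand-ins for the database and the Redis window, and the SDK keys and domains are constructed sample values.

```javascript
// Added example, not Haya's backend: models SDK-key, origin and rate-limit checks.
// In-memory Maps stand in for the project database and the Redis sliding window.
const RATE_LIMIT = 120;        // requests per SDK key per minute
const WINDOW_MS = 60 * 1000;   // sliding window length

// Constructed sample registry: SDK key -> { active, origin }
const projects = new Map([
  ['pk_live_demo123', { active: true, origin: 'https://app.example.com' }],
  ['pk_live_disabled', { active: false, origin: 'https://old.example.com' }],
]);

// Sliding window state: SDK key -> timestamps of requests inside the window
const windows = new Map();

// Normalise the Origin header, falling back to Referer (path is stripped).
function originOf(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return null;
  try { return new URL(raw).origin; } catch { return null; }
}

// Returns { status, headers? } the way the backend would answer the request.
function authorize(headers, projectId, now = Date.now()) {
  const project = projects.get(projectId);
  // Unknown key or disabled project -> 401
  if (!project || !project.active) return { status: 401 };

  // Missing or mismatched Origin/Referer -> 403
  if (originOf(headers) !== project.origin) return { status: 403 };

  // Drop timestamps older than the window, then count what remains.
  const hits = (windows.get(projectId) || []).filter(t => now - t < WINDOW_MS);
  if (hits.length >= RATE_LIMIT) {
    windows.set(projectId, hits);
    return { status: 429, headers: { 'Retry-After': '60' } };
  }
  hits.push(now);
  windows.set(projectId, hits);
  return { status: 200 };
}
```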
What if someone sends fake data?
Even with Origin validation and rate limiting, a determined attacker could send fake analytics events using your SDK key from your own domain (e.g. via a browser extension or proxy).
This is a known, accepted trade-off in browser analytics. The worst case is dirty analytics data — not a data breach or financial exposure. Your users' actual data (passwords, payment info, PII) is never involved.
For context: this is identical to the threat model of Google Analytics, Amplitude, and every other client-side analytics tool.
Data privacy
What Haya does NOT collect
- Passwords or form field values (masked by default with maskInputs: true)
- Payment card numbers
- Any PII you don't explicitly track via haya.track()
Input masking
With maskInputs: true (the default), all input values appear as *** in session replays. Only the field interactions (focus, blur, submit) are recorded.
Masking specific elements
<!-- This element will appear as a solid block in session replays -->
<div class="haya-block">
Sensitive content here
</div>
Or via the SDK:
haya.init('YOUR_SDK_KEY', {
ignoreSelectors: ['.private-section', '#user-data'],
});
Data retention
All analytics data (events, sessions, replays) is automatically deleted after 90 days via MongoDB TTL indexes. No manual cleanup required.
HTTPS
All communication between the SDK and the Haya backend is over HTTPS. In production, the backend enforces HTTPS and rejects plain HTTP requests.