Collector (browser)
@octetproof/collector is the in-browser package — install it from GitHub Packages and either bundle it or serve its <script> build from your own origin.
The collector is published to GitHub Packages under the @octetproof scope. It is logic-free: it collects signals and posts them, and contains no reasoning.
What's in the package
npm run build (and the published package) produces:
| File | What it's for |
|---|---|
| dist/octet-collector.mjs | Minified ESM bundle — for npm / bundler consumers. |
| dist/octet-collector.js | Minified IIFE bundle — exposes a global octet for a plain <script> tag. |
| dist/octet-collector.js.sri | The Subresource Integrity hash for the <script> build. |
| dist/index.d.ts | TypeScript types — the public API is verify(). |
@octetproof/protocol is inlined, so the bundle is self-contained. There are no source maps.
Option A — Install from GitHub Packages (bundler)
GitHub Packages requires authentication even for reads. Create a GitHub personal access token with the read:packages scope, then point the @octetproof scope at the GitHub registry in an .npmrc:
```
# .npmrc
@octetproof:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
```

```
export GITHUB_TOKEN=ghp_your_token_with_read_packages
npm install @octetproof/collector
```
Then import and call it:
```
import { verify } from '@octetproof/collector';

await verify({
  apiUrl: 'https://yourapp.com/octet', // your edge
  sessionRef: 'sess_abc123',           // minted by your backend
});
```
Option B — Serve the <script> build from your origin
If you don't bundle, serve octet-collector.js as a static asset from your own domain and load it with the integrity hash from octet-collector.js.sri:
```
<script
  src="https://yourapp.com/static/octet-collector.js"
  integrity="sha384-…"
  crossorigin="anonymous"
></script>
<script>
  octet.verify({ apiUrl: 'https://yourapp.com/octet', sessionRef: 'sess_abc123' });
</script>
```
The IIFE build attaches a single global, octet, exposing verify().
Always serve the collector from your origin, not from a third-party URL. This keeps the integration first-party (the browser only talks to you) and lets you pin the SRI hash. See How It Works.
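A deploy-time check for the pinned hash, as an added example that is not part of the collector package or its documentation: it recomputes the SRI value over the bytes you serve and compares it with the published one, using the browser's rule that only the strongest listed algorithm is checked. It assumes the .sri file holds a plain `sha384-<base64>` token; the function names and the sample bundle are constructed for illustration.

```javascript
// Added example (not part of @octetproof/collector): deploy-time SRI gate.
const { createHash } = require("node:crypto");

// Hash algorithms defined for SRI, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];

// SRI token ("sha384-<base64>") over the exact bytes that will be served.
function computeSri(bytes, algo = "sha384") {
  return `${algo}-${createHash(algo).update(bytes).digest("base64")}`;
}

// Split an integrity value into tokens; drop "?options" and unknown algorithms.
function parseIntegrity(value) {
  const token = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/;
  return value.trim().split(/\s+/)
    .map((t) => token.exec(t))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: m[2] }));
}

// Like the browser, compare only against the strongest algorithm listed.
// Unlike the browser, fail closed when no usable token is present.
function verifySri(bytes, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false;
  const strongest = entries.reduce((a, b) =>
    ALGOS.indexOf(b.algo) > ALGOS.indexOf(a.algo) ? b : a).algo;
  const actual = computeSri(bytes, strongest).slice(strongest.length + 1);
  return entries.some((e) => e.algo === strongest && e.digest === actual);
}

// Constructed stand-ins for dist/octet-collector.js and its .sri file
// (assumption: the .sri file is a single integrity token plus a newline).
const bundle = Buffer.from("var octet={verify:function(){}};\n");
const sriFile = computeSri(bundle) + "\n";

// A byte-for-byte copy passes; a copy altered by a later build step fails.
const tampered = Buffer.concat([bundle, Buffer.from("/* injected */")]);
console.log(verifySri(bundle, sriFile), verifySri(tampered, sriFile));
```

In a pipeline, feed `verifySri` the bytes of the static asset as deployed (after any minifier, CDN or compression step that could rewrite it) and the contents of the published .sri file, and fail the release when it returns false.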
Where to go next
- Embed the Collector. The full integration walkthrough.
- Collector API. Every verify() option.
- Edge Binary. The other half of the integration.