Quickstart Examples
Copy-paste starting points. Replace tokens and URLs with your own.
1. Embed & authenticate (browser)
<script src="https://buddy.ui.pe/app/embed.js" data-token="SHARE_TOKEN" defer></script>
<script>
  // After your app knows who the user is:
  window.addEventListener('DOMContentLoaded', async () => {
    const r = await fetch('/api/me/buddy-token');
    // Don't hand an error page to the widget as if it were a token.
    if (!r.ok) return;
    window.BuddyWidget.setAuthToken(await r.text());
  });
</script>
2. Mint a JWT (Node)
import jwt from 'jsonwebtoken';
export function buddyToken(user) {
  return jwt.sign(
    { sub: user.id, email: user.email, role: user.role },
    process.env.PRIVATE_KEY,
    { algorithm: 'RS256', expiresIn: '5m', issuer: process.env.ISSUER }
  );
}
3. Sign a session token (Python)
import base64, hmac, hashlib, json, time
def buddy_token(user, secret):
    payload = {"userId": user["id"], "email": user["email"], "role": user["role"],
               "iat": int(time.time()), "exp": int(time.time()) + 300}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    sig = base64.urlsafe_b64encode(
        hmac.new(secret.encode(), body, hashlib.sha256).digest()).rstrip(b"=")
    return body.decode() + "." + sig.decode()
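Added example, not Buddy's own code: a verifier for the token layout minted in step 3 (base64url body, ".", base64url HMAC-SHA256 over the body), useful for unit-testing your minting code. The names `verify_buddy_token`, `mint_sample`, the `leeway` parameter and the sample secret are assumptions made for illustration, and the checks Buddy itself performs may differ.

```python
import base64, hashlib, hmac, json, time

def b64url(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def mac(body: bytes, secret: str) -> bytes:
    return b64url(hmac.new(secret.encode(), body, hashlib.sha256).digest())

def verify_buddy_token(token, secret, now=None, leeway=0):
    """Return the payload dict if the MAC and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.encode("ascii").split(b".")
    except ValueError:          # not exactly two parts, or non-ASCII input
        return None
    # Authenticate before parsing; compare_digest runs in constant time.
    if not hmac.compare_digest(sig, mac(body, secret)):
        return None
    try:
        # Minting strips "=" padding, so restore it before decoding.
        payload = json.loads(
            base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    except ValueError:          # bad base64 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        return None             # missing, malformed or expired
    return payload

def mint_sample(payload, secret):
    # Same layout as buddy_token in step 3, used only to build test input.
    body = b64url(json.dumps(payload).encode())
    return (body + b"." + mac(body, secret)).decode()

# Constructed sample values, not real credentials.
SECRET = "constructed-test-secret"
SAMPLE = mint_sample({"userId": "u1", "email": "a@example.com",
                      "role": "member", "iat": 1000, "exp": 1300}, SECRET)

if __name__ == "__main__":
    print(verify_buddy_token(SAMPLE, SECRET, now=1100))          # payload dict
    print(verify_buddy_token(SAMPLE, SECRET, now=1301))          # None: expired
    print(verify_buddy_token(SAMPLE, "other-secret", now=1100))  # None: bad MAC
```

The MAC is checked before the body is decoded, so an unauthenticated payload never reaches the JSON parser.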
4. Handle an injected user (your API)
// The Business API tool calls your endpoint with verified identity headers.
app.get('/orders/recent', (req, res) => {
  const userId = req.get('X-Platform-User-Id'); // trustworthy — set by Buddy
  if (!userId) return res.status(401).end();
  res.json({ orders: ordersFor(userId) });
});
Verify it instantly in the live test console.