Nudgg SDK Documentation
Everything a developer needs to self-serve an integration — and everything a CMO, security reviewer, or product lead needs to trust it.
Overview
What Nudgg SDK is, in plain terms
Nudgg SDK is a browser SDK that captures safe product signals, connects anonymous and known users, and powers AI-driven growth insights, segments, and campaigns.
Captures page views, sessions, and safe product signals
Optionally captures click metadata when enabled in workspace settings
Lets teams identify users and track custom events
Powers AI suggestions, segments, funnels, and onsite campaigns
Quick start
The fastest path to your first event
Two steps. Everything else on this page is optional depth.
1. Add the script
<script async src="https://www.nudgg.ai/nudgg_sdk/v1/nudgg_sdk.js"></script>
<script>
window.nudgg.init({
projectId: "YOUR_APP_ID"
});
</script>For React/Vite/SPAs, load the script once at app root and call init once.
2. Verify it's working
Open DevTools → Console and run:
window.nudgg
// → { init, track, identifyUser, updateProfile, logout, dispose, setIsDebug, version }Integration checklist
Required
- Add the SDK script
- Call init({ projectId })
- Verify events in the dashboard
Recommended
- Call identifyUser() after login or signup
- Track key business events with track()
- Mark checkout, payment, login, and support forms private
- Review events in the dashboard
Developers
SDK Reference
Every method lives on the global window.nudgg object once the script loads. Calls made before init() are queued in memory and replayed automatically.
window.nudgg.init(options)RequiredBoots the SDK. Call it once, right after the script loads. Page views and session context are captured automatically from this point on — no extra call needed.
window.nudgg.init({
projectId: "YOUR_APP_ID" // required — everything else is optional
});| Parameter | Description |
|---|---|
projectIdstringRequired | Your workspace App ID, from Settings → Overview → SDK connection. |
debugboolean | Prints SDK activity to the console. Default: false. |
runtimeSyncIntervalMsnumber | Optional refresh interval for rules/campaigns/workspace settings, in ms. Default: 0, so periodic /v1/config polling is disabled. Positive values are clamped to at least 5 minutes. |
maxEventBytesnumber | Maximum serialized size of a single event before it's dropped client-side. Default: 24 KB. |
maxBatchBytesnumber | Maximum serialized size of one batched request. Default: 60 KB. |
noncestring | CSP nonce applied to dynamically injected optional-chunk scripts. |
Click capture, semantic click context, and campaigns are controlled from workspace settings in the Nudgg dashboard — not from init() options.
window.nudgg.track(name, attributes?)Use track() for business milestones, not raw UI interactions — events the SDK can't infer automatically.
window.nudgg.track("user_signed_up");
window.nudgg.track("purchase_completed", {
plan: "pro",
amount: 99,
currency: "USD"
});
window.nudgg.track("checkout_started", { step: "cart" });
window.nudgg.track("demo_requested", { source: "pricing_page" });| Parameter | Description |
|---|---|
namestringRequired | Event name. Use snake_case, e.g. checkout_started. |
attributesRecord<string, unknown> | Optional key-value pairs. Must be JSON-serializable. |
Page views are captured automatically. You do not need to manually call track("page_view").
window.nudgg.identifyUser(userId, traits?)Links the current anonymous visitor to a known user. Every visitor starts anonymous until this is called.
window.nudgg.identifyUser("usr_12345", {
plan: "pro",
role: "admin"
});| Parameter | Description |
|---|---|
userIdstringRequired | A stable internal ID — database ID or UUID. |
traitsRecord<string, unknown> | Optional non-sensitive traits, e.g. plan, role, accountType. |
Call this after login, signup, or whenever your app knows the visitor.
window.nudgg.updateProfile(traits)Updates traits for an already-identified user without re-linking identity. Use for a plan upgrade, role change, or lifecycle-stage update.
window.nudgg.updateProfile({
plan: "enterprise",
seats: 25,
lifecycleStage: "expansion"
});Call updateProfile() only after identifyUser() has linked the visitor.
window.nudgg.logout()Clears the current identity and starts a new anonymous session.
window.nudgg.logout();Utilities
window.nudgg.dispose()Tears down listeners, timers, and campaign runtime. Useful for tests or embedded teardown.
window.nudgg.setIsDebug(value)Toggles console logging at runtime. Accepts booleans plus truthy strings like "true", "1", or "on".
window.nudgg.versionRead-only SDK version string.
Data capture
Auto-capture & privacy
What's captured, what isn't, and how to exclude sensitive sections.
- site_visit
- page_view
- SPA route changes (pushState, replaceState, popstate, hashchange)
- Allowed UTM / ad-attribution query parameters
- Safe page, session, and browser context
- Click metadata, once a workspace admin turns it on
- Safe clickable element label
- Element tag and role
- Click coordinates
- Page context
Never captured
- Password values
- OTP values
- Payment, card, and CVV values
- Input, textarea, and select values
- Full page text
- Non-allowlisted query parameters
- Content inside private / no-track regions
Exclude sensitive regions
Add any of these attributes to an element, or a wrapping ancestor, to exclude it from click capture:
data-privatedata-no-trackdata-nudgg-privatedata-nudgg-no-track<form data-private>
<input type="password" name="password" />
<input type="text" name="verification_code" />
<button type="submit">Verify</button>
</form>- Clicks inside private regions are not auto-captured.
- For checkout, payment, login, and support flows, mark the full section private.
- Send an explicit, safe custom event with track() instead.
window.nudgg.track("checkout_started", {
step: "payment",
cartValue: 149
});Data capture
On-site campaigns
An optional layer on top of core analytics.
Optional — nothing renders unless the backend explicitly returns a decision.
The backend is authoritative for eligibility, frequency capping, suppression, and campaign rules.
The SDK records lifecycle events: impression, click, dismiss, and CTA click.
The campaign chunk loads only when the workspace actually has campaigns configured.
Trust
Performance & security
What to tell a CMO or security reviewer before approving a new script tag.
- Loads asynchronously — never blocks page rendering.
- Batches events — every 30s, once 30 events queue up, or when the tab is hidden.
- Retries safely — exponential backoff for transient failures, up to 60s between attempts.
- Uses beacon delivery on page unload for a best-effort final flush.
- Campaign chunk loads only when needed — core analytics never waits for it.
- Can be disabled remotely via a server-side kill switch.
- CSP nonce supported for dynamically injected chunk scripts.
- Only a public projectId (App ID) is exposed in the browser — no secret key.
- localStorage holds only operational identity/session state — never profile, traits, or event content.
Trust
Troubleshooting
Practical fixes, organized by symptom.
I don't see events in the dashboard
- Script loaded — check the Network tab for a 200 on the SDK script.
- Correct projectId (App ID) passed to init().
- Domain is allowlisted for the workspace.
- init() is called after the script loads, not before.
- Network tab shows requests to api.nudgg.ai.
- Check that ad blockers or privacy extensions are not blocking the SDK script or API request.
- Wait up to 60 seconds — events are batched before delivery.
// With debug: true, a successful boot logs, in order:
[Nudgg] Runtime bootstrap ready { host, ruleCount, serverTime, configVersion }
[Nudgg] Nudgg_SDK initialized
// Every captured action then logs individually:
[Nudgg] Action Tracked { name: "page_view", ... }Clicks are not captured
- Click capture is enabled in workspace settings.
- The element is actually clickable (link, button, recognized ARIA role, or data-clickable).
- It isn't inside a data-private / data-no-track region.
- If runtime sync is disabled (default), reload the page after enabling click capture; otherwise wait for runtimeSyncIntervalMs.
- The click text isn't being filtered for looking sensitive.
Campaign is not showing
- The campaign is active for the workspace.
- Campaign trigger rules match the visitor's activity.
- The backend's decision response actually allows the campaign to render.
- A frequency cap or suppression rule hasn't blocked it.
- The campaign isn't unintentionally inside a private region.
SDK blocked by CSP
If the console shows a CSP violation for the SDK script or api.nudgg.ai, your Content-Security-Policy isn't allowlisting them yet — see "What CSP entries are required?" under Performance & security for the exact entries.
Common init mistakes
- Calling init() before the script has loaded.
- Wrong projectId (App ID).
- Domain not allowlisted for the workspace.
- Expecting instant capture instead of batched delivery.
- CSP blocking the script or the API host.
Expected network calls
All requests go to api.nudgg.ai.
| Endpoint | Details |
|---|---|
POST /v1/init | Immediately on init(). Bootstraps the runtime — domain check, rules, campaigns, workspace SDK settings. |
POST /v1/session/start | On init, when no active session exists yet (or the previous one expired). Opens a new session. |
POST /v1/action/capture | Batched — every 30s, once 30 events queue up, or when the tab is hidden. Delivers page views, clicks, and custom events. |
POST /v1/identity/identify | After identifyUser() or updateProfile(). Links the visitor to a known user ID and traits. |
POST /v1/identity/logout | After logout(), or when identifyUser() switches to a different userId. Clears server-side identity linkage for the ending session. |
POST /v1/session/end | On logout, user switch, or session expiry (30 min of inactivity). Closes the session. |
POST /v1/config | Only when runtimeSyncIntervalMs is set above 0. Disabled by default; positive values are clamped to at least 5 minutes. Refreshes rules, campaigns, and workspace SDK settings without a page reload. |
POST /v1/decision/trigger | Only if the workspace has campaigns, when a trigger condition matches an event. Asks the backend whether an on-site campaign is eligible to render. |
Other issues
Requests blocked by ad blockers or privacy extensions
Expected for a minority of sessions and not an SDK bug — retries succeed once the request is unblocked.
Duplicate page views
Usually another script (often a router library) is also patching history.pushState — check debug logs for a re-patch warning.
Trust
FAQ
Quick answers for marketing, security, and engineering stakeholders.