Best Practices

Synthient gives you a high level of control through its API. If the API is misused, this can lead to a poor user experience or defeat many of the protections that Synthient provides. This page lists best practices to ensure you are getting the most out of Synthient.

Performance Optimizations

If you create multiple tokens on the same page, or if you are using the secure sign tokens, create a single global instance of the Synthient client. This lets you reuse the same instance and avoid the overhead of creating a new one each time a token is needed.

// Initiate the client on page load
window.addEventListener('load', async () => {
    window.shield = await Synthient()
});

Caching

In cases where you want to reduce the number of tokens generated, persist the token to localStorage or sessionStorage and reuse it instead of generating a new one on each page load. This reduces the number of API calls made.

Sign Tokens

Sign tokens should be generated on user interaction, such as clicking a button or submitting a form. This will ensure that the user is actively engaging with your application and is not a bot. In the background, numerous checks are performed which will ensure that the user is legitimate.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <script id="synthient-public-key" value="YOUR_PUBLIC_KEY" src="https://cdn.synthient.com/client.js"></script>
    <title>Form</title>
</head>
<body>
    <script>
        window.addEventListener('load', async () => {
            window.shield = await Synthient()
        });
    </script>
    <form id="myForm" action="/your-server-endpoint" method="post">
        <button type="button" onclick="sign()">Click Me</button>
        <input type="hidden" id="token" name="token">
    </form>
    <script src="script.js"></script>
</body>
</html>

Backend Enforcement

The core libraries provide a high-level verifyToken function that validates a token against the expected token type using the result of a lookup.

// TokenType is needed for the verifyToken call below, so import it with the others
const {
    verifyToken,
    Client,
    TokenType
} = require('@synthient/synthient');

// One client per server process, created with your secret API key
const client = new Client("SYNTHIENT_API_KEY");

// Look up the token the browser submitted (the "..." is the token value)
const lookupResponse = client.lookup("...");

// Check the lookup result against the token type you expect at this endpoint
const isValid = verifyToken(lookupResponse, TokenType.METRICS);
console.log('Token is valid:', isValid);

If you decide to implement your own token system, ensure the following for the best security:

  • consumed: When a lookup is first performed, the consumed field is false. On every later lookup of the same token it is true, which ensures that a token is only accepted once and prevents replay attacks.
  • solved: When working with sign tokens, the user completes an additional series of checks that protect against automated clients. This field should always be true.
  • token_type: Make sure the token being used matches the token type that was generated. This ensures that the token is being used for the correct purpose.
  • page: Make sure the page reported by the lookup matches the page on which the token was generated.
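Putting the four rules together, as an added example of a hand-rolled check (this is not Synthient's own code). The flat response shape, the token type strings and the path-style page values are assumptions made for illustration:

```javascript
// Added example, not part of the Synthient library: apply the four rules above
// to a lookup response. Field names come from the documentation; the flat
// object shape and the literal type strings are assumptions.
const TOKEN_TYPES = { METRICS: 'metrics', SIGN: 'sign' }; // assumed values

// Returns { valid, reasons } so the caller can log why a token was rejected.
function verifyLookup(lookup, { expectedType, expectedPage }) {
  const reasons = [];
  if (!lookup || typeof lookup !== 'object') {
    return { valid: false, reasons: ['no lookup response'] };
  }
  // consumed: a first lookup reports false; any later lookup of the same token reports true.
  if (lookup.consumed !== false) reasons.push('token already consumed (possible replay)');
  // solved: sign tokens must carry a completed interaction check.
  if (expectedType === TOKEN_TYPES.SIGN && lookup.solved !== true) reasons.push('sign checks not solved');
  // token_type: a metrics token must not be accepted where a sign token is required.
  if (lookup.token_type !== expectedType) reasons.push(`token_type ${lookup.token_type} != ${expectedType}`);
  // page: the token must have been generated on the page this endpoint serves.
  if (lookup.page !== expectedPage) reasons.push(`page ${lookup.page} != ${expectedPage}`);
  return { valid: reasons.length === 0, reasons };
}

// Constructed sample responses (not real API output).
const freshSign    = { consumed: false, solved: true,  token_type: 'sign',    page: '/checkout' };
const replayed     = { ...freshSign, consumed: true };
const wrongType    = { ...freshSign, token_type: 'metrics' };
const wrongPage    = { ...freshSign, page: '/login' };
const freshMetrics = { consumed: false, solved: false, token_type: 'metrics', page: '/home' };

const signPolicy    = { expectedType: TOKEN_TYPES.SIGN,    expectedPage: '/checkout' };
const metricsPolicy = { expectedType: TOKEN_TYPES.METRICS, expectedPage: '/home' };
```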