Summary
PR #124 adds API key authentication support but includes no documentation updates. This issue tracks the documentation needed before the v2.5.0 release.
Documentation Items
1. API Key Feature Documentation
- Add
apiKey to the configuration options table in README
- Document
data-api-key HTML attribute for script-tag deployment
- Document the
x-api-key HTTP header behavior
- Show usage examples:
<!-- Script tag -->
<script src="userale.min.js" data-url="https://logs.example.com" data-api-key="your-key"></script>
// NPM module
userale.options({ apiKey: "your-key" });
- Document the extension auth mode selector (None / OAuth / API Key)
2. Security Documentation — API Keys as Public Identifiers
- Document that UserALE.js API keys are client-side identifiers (like Google Maps API keys), not secrets
- The key is visible in page source (
data-api-key), in the JS bundle, and in browser DevTools
- Backend should treat these as routing/identification tokens with limited scope (write-only to log ingestion, no read access)
- Recommend rate-limiting and key scoping on the backend
3. CORS / Preflight Documentation
x-api-key is NOT a CORS-safelisted header — it triggers a preflight OPTIONS request on cross-origin POST
- Backend MUST respond to
OPTIONS with Access-Control-Allow-Headers: x-api-key
- This applies equally to the existing
Authorization header
- Provide a sample CORS configuration for common backends (nginx, Express, etc.)
4. WebSocket Transport Limitations
- Document that authentication headers (
Authorization, x-api-key) are NOT sent over WebSocket transport
- WebSocket API does not support custom headers on the initial handshake
- If auth is required with WebSocket, users should pass credentials as query parameters on the WebSocket URL or use a token in the first message
5. Relationship to headers Config
- Document that
apiKey is a convenience shortcut for headers: { "x-api-key": "..." }
- Power users can use
registerHeadersCallback() for dynamic header generation
apiKey and headers can coexist (custom headers are applied last and can override)
Context
Identified during review of #124. All items are documentation-only — no code changes required.
Summary
PR #124 adds API key authentication support but includes no documentation updates. This issue tracks the documentation needed before the v2.5.0 release.
Documentation Items
1. API Key Feature Documentation
apiKeyto the configuration options table in READMEdata-api-keyHTML attribute for script-tag deploymentx-api-keyHTTP header behavior2. Security Documentation — API Keys as Public Identifiers
data-api-key), in the JS bundle, and in browser DevTools3. CORS / Preflight Documentation
x-api-keyis NOT a CORS-safelisted header — it triggers a preflightOPTIONSrequest on cross-origin POSTOPTIONSwithAccess-Control-Allow-Headers: x-api-keyAuthorizationheader4. WebSocket Transport Limitations
Authorization,x-api-key) are NOT sent over WebSocket transport5. Relationship to
headersConfigapiKeyis a convenience shortcut forheaders: { "x-api-key": "..." }registerHeadersCallback()for dynamic header generationapiKeyandheaderscan coexist (custom headers are applied last and can override)Context
Identified during review of #124. All items are documentation-only — no code changes required.