Install
Paste this tag into your site's <head> (or anywhere before </body>). Replace onb_YOUR_KEY with the API key from your install page.
<script src="https://onboardics.com/v1.js"
data-key="onb_YOUR_KEY"
async></script>That's it. The snippet auto-captures page views, clicks, rage clicks, scroll depth, session end, errors, and several other engagement signals listed below — no additional wiring required. For React/Next/Vue/Svelte/Shopify/WordPress/Webflow-specific instructions (including framework auto-detection), see the install page inside the dashboard.
Auto-captured events
The snippet emits these events without any additional code. All are subject to your setConsent() gate (below) — when consent is false, nothing is emitted.
| Event type | When it fires |
|---|---|
| page_view | On load + SPA navigation. Includes UTM, first-touch referrer, viewport, and device_type in metadata. |
| click | Any click on a button, link, or interactive element. Element selector, visible text (up to 80 chars), and x/y coordinates captured. |
| rage_click | 3 clicks within 500ms in a 30px radius. Signals UX friction. |
| scroll_depth | Max % scrolled per page, bucketed 0/25/50/75/100. Emitted on pagehide. |
| time_on_page | Per-page duration emitted on pagehide + SPA nav. |
| visibility_change | Tab visibility state transitions (hidden/visible). |
| idle | 2+ minutes of no activity. Capped at 3 per session. |
| session_end | On pagehide. Includes session_duration_seconds, page_count, event_count. |
| js_error | Captures window.onerror + unhandledrejection. PII-redacted on-device (see setErrorCapture). |
| form_interaction | Focus / blur / submit. Field names emitted, never field values. Denylist redacts password, ssn, cvv, card, token, etc. |
| identify | Fired when identify() is called. |
| custom | Anything fired via track(). |
| flow_* | flow_impression, flow_step_view, flow_step_complete, flow_dismissal, flow_completion. Auto-emitted by the flow engine when in-app flows render. |
Want to learn more about a specific event type or how these power audience segmentation? See engagement events and error capture.
identify(data)
Attach a user identity to the current session and all subsequent events. Call on login, signup, or any time you learn who the user is.
window.__onboardics.identify({
email: 'user@example.com',
userId: 'user_123',
name: 'Jane Smith',
plan: 'growth',
signupDate: '2026-01-15',
// ...any other properties
});Validation: payload capped at 4 KB. Objects flattened at depth > 1. Functions and symbols rejected. Email format checked. Persists to localStorage as _ob_identity so identity survives page reloads until you call identify(null) or the user clears storage.
track(name, properties)
Emit a product-specific custom event. Use for behavior that matters to you but isn't auto-captured (form published, invite sent, payment completed, etc.). Once tracked, you can build AI-defined audience segments around these events.
window.__onboardics.track('form_published', {
formId: 'f_abc123',
fieldCount: 8,
templateId: 'contact-form-v2'
});Event name must be a string. Properties object is optional but recommended — it powers segment conditions like "users who called track('form_published') 3+ times."
setConsent(true | false)
GDPR/CCPA consent gate. When false, the snippet emits NO events — including errors. Default behavior honors navigator.globalPrivacyControl.
// User accepted cookies
window.__onboardics.setConsent(true);
// User declined, or opted out later
window.__onboardics.setConsent(false);Termly is auto-detected. If you use Termly for consent management, you don't need to call setConsent() at all — the snippet reads Termly's analytics consent from localStorage on load and re-checks every 30 seconds. Cookiebot and OneTrust currently require manual wiring; auto-detection for those is on the roadmap.
setErrorCapture(true | false)
Opt out of automatic JS error capture. Default is on.
window.__onboardics.setErrorCapture(false);Before any error data leaves the browser, a 9-pattern redaction chain strips Bearer tokens, API keys (sk_test_..., pk_live_...), URL query-string secrets, emails, UUIDs in URL paths, long numeric IDs, credit-card-like digit sequences, phone numbers, and Mac/Linux home-directory paths. Capped at 10 error events per session, deduplicated by message+file+line+column. Full PII-redaction spec at /security.
A/B variant assignment
When you create an A/B test in the Flows dashboard, the snippet deterministically assigns each session to variant A or B based on a hash of session_id. Assignment is sticky across sessions via localStorage._ob_ab — a user who lands on variant A stays on A if they return from a new tab three days later.
Statistical validity of the two-proportion z-test isn't corrupted by cross-session variant flipping. Safe to run A/B tests without caveating "results may be noisy for returning users."
Debug mode
Turn on verbose logging to see exactly what the snippet is doing. Two ways:
// Query string (useful for sharing a debug link)
https://yoursite.com/?_ob_debug=1
// Programmatic
window.__onboardics.setDebug(true);Every event emit, consent state change, flow render, identify/track call, and ingestion error will log to the console with a [onboardics] prefix. Safe to leave on in production — logs only, no extra network calls.
Pin a specific snippet version (SRI)
If your compliance program requires subresource integrity on third-party scripts, every snippet release is published at an immutable content-addressed URL with a SHA-384 integrity attribute. Fetch the current hash:
curl https://onboardics.com/v1/manifest.jsonPaste the returned url and integrity into your install tag:
<script
src="https://onboardics.com/v1/<hash>.js"
integrity="sha384-<base64>"
crossorigin="anonymous"
data-key="YOUR_KEY"
async></script>Full SRI spec + the grace-period / breakage trade-offs at /security#sri.
React hook
The snippet is the SDK. Drop this 8-line hook into your codebase for a React-idiomatic wrapper — no package install required.
// onboardics.js — copy into your hooks folder
import { useCallback } from 'react';
export function useOnboardics() {
const identify = useCallback((data) => {
window.__onboardics?.identify?.(data);
}, []);
const track = useCallback((name, properties) => {
window.__onboardics?.track?.(name, properties);
}, []);
return { identify, track };
}More
Full API reference with every method, event property, and error code is coming soon. If you need detail on something not covered here, email us — we usually respond within 24 hours and will add it to this page.
- Engagement events — the product-level explanation of scroll, session, idle, and custom events.
- Error capture — PII-redaction patterns and opt-out semantics.
- Audience segments — turning tracked events into targetable cohorts.
- Security — full privacy + security spec sheet.