Widget installation
This page describes the supported way to embed the widget in production: versioned CDN with Subresource Integrity (SRI), Content-Security-Policy policy and fallback to a pinned version when @latest moves.
Prerequisites
- A Widget Token (header
X-Widget-Token). If you don't have one yet, follow Authentication → Widget Token. - A container in your template, typically a
<div id="neuroon-search"></div>. - Permission to add a
<script>in<head>or before</body>.
Base snippet
<div id="neuroon-search"></div>
<script
src="https://cdn.neuroon.ai/widget/widget.js"
data-token="YOUR_WIDGET_TOKEN"
data-container="#neuroon-search"
data-theme="auto"
data-locale="es"
></script><div id="neuroon-search"></div>
<script
src="https://cdn.neuroon.ai/widget@0.9.10/widget.js"
data-token="WIDGET_TOKEN_HERE"
data-container="#neuroon-search"
data-theme="auto"
data-locale="es"
data-api-url="https://api.neuroon.ai"
async
></script>
The script auto-initializes: it detects data-token, mounts the Shadow DOM in the data-container and renders the UI. You don't have to call any extra JavaScript API for the standard flow.
Subresource Integrity (SRI)
Each widget release publishes an SRI manifest with the SHA-384 hash of the bundle:
https://cdn.neuroon.ai/widget@0.9.10/integrity.json
Add it to the <script> so the browser rejects any CDN tampering:
<script
src="https://cdn.neuroon.ai/widget@0.9.10/widget.js"
integrity="sha384-AbCdEf123…" crossorigin="anonymous"
data-token="WIDGET_TOKEN_HERE"
data-container="#neuroon-search"
async
></script>
data-* attributes
| Attribute | Required | Value |
|---|---|---|
data-token | yes | 24 h Widget Token signed by your own server with the Shop API Key (HMAC). |
data-container | yes | CSS selector of the container. By default auto-init looks for #neuroon-search. |
data-theme | no | auto (default), light, dark. |
data-locale | no | ISO code from the 9 supported locales. Default es. |
data-api-url | no | API base URL override. Default https://api.neuroon.ai. |
data-primary-color | no | Hex/rgb of the primary color (legacy; prefer StyleOverrides). |
data-placeholder | no | Empty-input text. |
data-suggestions, data-filters | no | false to disable the feature. |
Content-Security-Policy
If your host enforces strict CSP, the widget needs these directives:
script-src 'self' https://cdn.neuroon.ai;
connect-src 'self' https://api.neuroon.ai ;
img-src 'self' data: https:;
font-src 'self' https://rsms.me;
style-src 'self' 'unsafe-inline';
connect-src— the widget calls the API and, if monitoring is enabled, reports tobrowser-intake-datadoghq.eu.font-src https://rsms.me— the widget preconnects and loads the Inter family from rsms.me.style-src 'unsafe-inline'— required because the widget injects<style>inside the Shadow DOM. Shadow DOM isolates that stylesheet from the host document.
Variants per environment
| Environment | CDN | API |
|---|---|---|
| Production | https://cdn.neuroon.ai/widget@0.9.10/widget.js | https://api.neuroon.ai |
| Development | same CDN, same versions | https://dev-api.neuroon.ai |
To point at Development, simply set data-api-url="https://dev-api.neuroon.ai". The widget bundle is the same.
Programmatic initialization (optional)
Auto-init covers most integrations. If you need fine-grained control (lazy-load, multiple instances, dynamic server-side configuration), use the JavaScript API:
const widget = window.NeuroonWidget.init({
container: '#neuroon-search',
token: 'WIDGET_TOKEN_HERE',
apiUrl: 'https://api.neuroon.ai',
theme: 'auto',
locale: 'es',
})
// Methods available on the instance
widget.setTheme('dark')
widget.setStyles({ primary: '#06b6d4' })
widget.destroy()
Further reading
- Configuration — full
NeuroonWidgetConfig. - Theming —
--nrn-*variables and per-theme overrides. - Authentication → Widget Token — issuance and rotation.