Onboarding FAQs

How do I use Anon to automate actions via my backend app?

First, the end-user needs to link their account (on the web, this is done through the Chrome extension, triggered from the frontend app).

That saves the user session in Anon, so your backend app can use it.

The onboarding flow will walk you through an example of doing so above.

Connection flow: open dialog → confirm extension → log in to IG → green checkmark in dialog

The end user’s session is now saved, and Anon can now access it via the end user’s user_app_id in your backend app.

Anon’s example credentials only provided one example user. How do I generate a new example_app_user_id and token?

The credentials Anon provided include an example JWKS; this should be used for testing only. For production, we strongly recommend using your own JWKS.

That said, here is how to generate another example app user using Anon’s provided JWKS.

Could I create another UserPool or SdkClient?

Yes! You can have multiple UserPools and SdkClients within your Organization. Each UserPool requires a JWKS, which could be the mock one provided by Anon or your own.

Each SdkClient has one corresponding UserPool.

Note that apps reference the SDK_CLIENT_ID, so you’d need to reset that value.

How do I use my own identity provider?

Create a new UserPool with your provider’s JWKS. Then, create a SdkClient corresponding to that new UserPool.

Since apps reference an SDK_CLIENT_ID, be sure to update it to your new SdkClient’s id where needed.

What if I create JWTs without going through an OAuth provider?

You could host your own JWKS and use that to create a SdkClient.

  • Follow this guide. As the appUserIdToken, you must use a JWT with the required claims and a "sub" that uniquely identifies the user. We also require the "kid" header, which identifies the key that signed the JWT.
  • Your JWKS could have one or multiple public keys. Host it at a URL like https://yourcompany.ai/.well-known/jwks.json, per convention.

I’m done testing. How do I use Anon in a prod environment?

Contact Anon and we’ll generate prod credentials for you.

Given prod credentials and your JWKS, create a new SdkClient corresponding to your JWKS.

General FAQs

We have an in-house auth system. Do we need to use OpenID Connect (OIDC)?

No, OIDC is not required. You can integrate your in-house system with Anon by implementing a custom JSON Web Token (JWT) solution. Here’s how:

Integration Troubleshooting

Anon endpoints

Creating UserPool: Unauthorized or "error": "Upstream error"

Make sure you’re using Authorization: Bearer <session_token>

Creating UserPool: error decoding response body: expected value at line 1 column 1

Check that the JWKS URL you created is public. Anon’s servers download the key set from that URL and use it to verify the signatures of your JWT ID tokens.

Frontend app

CORS issue

Access to fetch at 'https://svc.sandbox.anon.com/account/api/v1/appIntegration?id=instagram' from origin 'https://link.svc.sandbox.anon.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Cause: the end-user’s browser reports an Unauthorized error as a CORS error because it comes from an OPTIONS HTTP request.

Check that the frontend app’s config has correct values.

For "clientId", check that it’s the SdkClient corresponding to the UserPool which points to your desired JWKS.

  • If you’re using an Anon-provided 1Password file with multiple SdkClients, check that you’re using the webapp SdkClient, not the service SdkClient.
  • If you’re generating your own JWTs, refer to this FAQ.

For "appUserIdToken", check that the app user credentials come from the JWKS corresponding to the SdkClient.

  • If you’re using an Anon-provided 1Password file, it is example_app_user_id_token. You can generate additional example appUserIdTokens as follows.
  • If you’re generating your own JWTs, check that they have a "kid" header, which identifies the key that signed the JWT. They should be signed with a key whose kid matches the one in your JWKS.

Check that you’re using the correct SdkClient, which should correspond to the UserPool you want to use. If you’re switching to a new identity provider, create a new UserPool pointing to its JWKS and a corresponding SdkClient and verify you’re using the new SdkClient’s id.
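
As an added example (not Anon's code), here is a local pre-flight check in Node.js for the "kid" and "sub" requirements in the custom-JWT FAQ and the appUserIdToken checklist above: it selects the JWKS key by kid and verifies the signature, as the JWKS troubleshooting entry describes. RS256, the function names, key ids and sample claims are assumptions; the guide's other required claims are not listed on this page and are not checked.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Sign an RS256 JWT; the header carries the "kid" of the signing key when given.
function signJwt(privateKey, kid, claims) {
  const header = { alg: 'RS256', typ: 'JWT', ...(kid ? { kid } : {}) };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Pre-flight check: returns 'ok' or the first reason the token would be rejected.
function checkAppUserIdToken(token, jwks) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return 'malformed'; }
  // Pin the algorithm instead of trusting whatever the token header asks for.
  if (header.alg !== 'RS256') return 'unsupported-alg';
  if (!header.kid) return 'missing-kid';
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return 'kid-not-in-jwks';
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], 'base64url'));
  if (!valid) return 'bad-signature';
  if (typeof claims.sub !== 'string' || claims.sub === '') return 'missing-sub';
  return 'ok';
}

// Constructed sample data: throwaway key pairs, only one published in the JWKS.
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid, alg: 'RS256', use: 'sig' } };
}
const published = makeKey('key-2024-01');
const unpublished = makeKey('key-2024-01'); // same kid, different key material
const jwks = { keys: [published.jwk] };     // what you would host as jwks.json

console.log(checkAppUserIdToken(signJwt(published.privateKey, 'key-2024-01', { sub: 'user-123' }), jwks));
```

The block uses require, so in a project with "type": "module" save it with a .cjs extension.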

Backend app

SyntaxError: Unexpected token 'export'

Add "type": "module" to your package.json file. This sets your project to use ECMAScript modules (ESM) instead of CommonJS, enabling the use of import and export statements.

Error translating external user id: 404 - Not Found

Check that the end-user has been linked. If using the examples, the appUserId on the backend app should correspond to an appUserIdToken you linked on the frontend app.

Connect the user via your frontend app and Chrome extension, and try again.

Error translating external user id: 500 - Internal Server

Check that the end-user has been linked. If using the examples, the appUserId on the backend app should correspond to an appUserIdToken you linked on the frontend app.

Connect the user via your frontend app and Chrome extension, and try again.

ERR_TUNNEL_CONNECTION_FAILED

Check that the end-user has been linked. If using the examples, the appUserId on the backend app should correspond to an appUserIdToken you linked on the frontend app.

Connect the user via your frontend app and Chrome extension, and try again.

Error translating external user id: 429 - Too Many Requests

If you’re sending a large number of requests, you might be hitting Anon’s ory rate limit. Check that your app’s environment is configured as "prod" instead of "sandbox" or "staging", since "prod" has better rate limits.

Specific integrations

Amazon

Symptom: Auto-closing sign-in page for users with existing sessions

Description: When a user with a saved session in Anon connects, the sign-in page briefly appears before automatically closing after a few seconds.

Status: Expected behavior

Note: This process ensures session validation while minimizing user interaction for those already authenticated.