​

Onboarding FAQs

​

How do I use Anon to automate actions via my backend app?

• First, the end-user needs to link their account (in Web, this is via the Chrome extension triggered in the frontend app).

  That saves the user session in Anon, so your backend app can use it.

  The onboarding flow will walk you through an example of doing so above.

​

How do I link an end-user via my frontend app?

• Connection flow: open dialog → confirm extension → login into IG → green checkmark in dialogue

  The end user’s session is now saved, and Anon could now access it via the end user’s user_app_id in your backend app.

​

Anon’s example credentials only provided one example user. How do I generate a new example_app_user_id and token?

• Note: The credentials Anon provided include an example JWKS; this should be used for testing only. For production, we strongly recommend using your own JWKS.
• That said, if you are using Anon’s 1password-provided JWKS, you can generate additional JWTs with this script:

from jwcrypto import jwk, jwt
import uuid
from datetime import datetime, timedelta

# FILL IN from 1password, may be `jwks.json` or "JWKS export"
jwks_json = "jwks.json"
# FILL IN from 1password, may be `jwks_url` or "JWKS url"
jwks_url = "YOUR_JWKS_URL_HERE"
key_name = jwks_url.split('/')[-1].split('.')[0]  # eg "Anon-13236"
# FILL IN from 1password credentials, may be `admin_email` or "Admin Member email"
org_email = "YOUR_ORG_EMAIL_HERE"

with open(jwks_json, "r") as f:
    jwks = f.read()

keyset = jwk.JWK.from_json(jwks)

key_type = "RSA"
alg = "RS256"
size = 2048
use = "sig"
timestamp = datetime.utcnow()
exp = int((timestamp + timedelta(days=30)).timestamp())
iat = int(timestamp.timestamp())

app_user_id = str(uuid.uuid4())
app_user_jwt = jwt.JWT(
    header={"alg": alg, "kid": key_name},
    claims={
        "email": org_email,
        "iat": iat,
        "iss": "urn:example:issuer",
        "aud": "urn:example:audience",
        "exp": exp,
        "sub": app_user_id,
    },
)

app_user_jwt.make_signed_token(keyset)
app_user_id_token = app_user_jwt.serialize()
print(app_user_id_token)

• If you are using an Anon-hosted UserPool, use the endpoint /appUserIdToken to issue a new appUserIdToken.

​

Could I create another UserPool or SdkClient?

• Yes! You can have multiple UserPool and SdkClient within your Organization — each UserPool requires a JWKS, which could be the mock one provided by Anon or your own.

  Each SdkClient has one corresponding UserPool; follow this guide to create them.

  • Note apps reference the SDK_CLIENT_ID, so you’d need to re-set that value.

​

How do I use my own identity provider?

• Follow this guide to create a new UserPool with your provider’s JWKS. Then, create a SdkClient corresponding to that new UserPool.

  Since apps reference a SDK_CLIENT_ID, be sure to change those as needed to your new SdkClient’s id.

​

What if I create JWTs without going through an OAuth provider?

• You could host your own JWKS and use that to create a SdkClient.
  • Follow this guide.
• You must use a JWT with the required claims and "sub" to uniquely identify the user as an appUserIdToken. We also require the "kid" header, which specifies the key signing the JWT.
  • Your JWKS could have one or multiple public keys. Host it at a URL like https://yourcompany.ai/.well-known/jwks.json, per convention.

​

I’m done testing. How do I use Anon in prod environment?

• Contact Anon and we’ll generate prod credentials for you.

  Note for prod, you’d want to use your own identity provider.

  Given prod credentials and your JWKS, create a new SdkClient corresponding to your JWKS.

​

General FAQs

​

We have an in-house auth system. Do we need to use OpenID Connect (OIDC)?

• No, OIDC is not required. You can integrate your in-house system with Anon by implementing a custom JSON Web Token (JWT) solution. Here’s how:

​

Integration Troubleshooting

​

Anon endpoints

​

Creating UserPool: Unauthorized or "error": "Upstream error"

• Make sure you’re using Authorization: Bearer <session_token>

​

Creating UserPool: error decoding response body: expected value at line 1 column 1

• Check that the JWKS url you created is public. Anon’s interaction with the url is that Anon’s servers download the key set and use it to verify signatures of your JWT ID tokens.

​

Frontend app

​

CORS issue

Access to fetch at 'https://svc.sandbox.anon.com/account/api/v1/appIntegration?id=instagram' from origin 'https://link.svc.sandbox.anon.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

• Cause: end-user’s browser interprets an Unauthorized Error as a CORS error, because it’s from an Options HTTP request.
• Check that the frontend app’s config has correct values.
• For "clientId", check that it’s the SdkClient corresponding to the UserPool which points to your desired JWKS.
  • If you’re using an Anon-provided 1password file with multiple SdkClients, check that you’re using the webapp SdkClient, not the service SdkClient
  • If you’re generating your own JWTs, refer to this FAQ.
• For "appUserIdToken", check that the app user credentials come from the JWKS corresponding to the SdkClient.
  • If you’re using an Anon-provided 1password file, it is example_app_user_id_token. You can generate additional example appUserIdTokens as follows.
  • If you’re generating your own JWTs, check that they have a "kid" header, which specifies the key signing the JWT. They should be signed with the same kid as what’s in your JWKS.

​

500 response for AnonLink.init()

• Check that you’re using the correct SdkClient, which should correspond to the UserPool you want to use.
• If you’re switching to a new identity provider, create a new UserPool pointing to its JWKS and a corresponding SdkClient and verify you’re using the new SdkClient’s id.

​

Backend app

​

SyntaxError: Unexpected token 'export'

• Add "type": "module" to your package.json file. This sets your project to use ECMAScript modules (ESM) instead of CommonJS, enabling the use of import and export statements.

​

Error translating external user id: 404 - Not Found

• Check that the end-user had been linked. If using the examples, the appUserId on the backend app should correspond to an appUserIdToken you had linked on the frontend app.
• Connect the user via your frontend app and Chrome extension, and try again.

​

Error translating external user id: 500 - Internal Server

• Check that the end-user had been linked. If using the examples, the appUserId on the backend app should correspond to an appUserIdToken you had linked on the frontend app.
• Connect the user via your frontend app and Chrome extension, and try again.

​

ERR_TUNNEL_CONNECTION_FAILED

• Check that the end-user had been linked. If using the examples, the appUserId on the backend app should correspond to an appUserIdToken you had linked on the frontend app.
• Connect the user via your frontend app and Chrome extension, and try again.

​

Error translating external user id: 429 - Too Many Requests

• If you’re sending a large number of requests, you might be hitting Anon’s ory rate limit. Check that your app’s environment is configured as "prod" instead of "sandbox" or "staging", since that has better rate limits.

​

Specific integrations

​

Amazon

• Symptom: Auto-closing sign-in page for users with existing sessions

  Description: When a user with a saved session in Anon connects, the sign-in page briefly appears before automatically closing after a few seconds.

  Status: Expected behavior

  Note: This process ensures session validation while minimizing user interaction for those already authenticated.