Advanced! Developers with backend access to your LMS/Website is required for this method to work
Getting Started
Before you begin the integration, you’ll need to gather some information from your Replay account:1. Get Your Secret Key
- Navigate to Company Settings (may be labeled as “Manager Portal” in newer versions)
- Copy your Secret Key - this is what you’ll use to sign your JWT tokens
- Store this securely in your environment variables
Keep your secret key secure and never expose it in client-side code
2. Choose Your Activity Type
Replay supports embedding different types of activities. You can get the iframe code for each from different locations:All Roleplays Page
All Roleplays Page
Location: Use the Share menu on your main roleplays pageWhat it includes: Gives users access to all folders and roleplays you’ve set upActivity Type:
all-roleplaysBest for: When you want users to browse and select from multiple roleplaysSpecific Roleplay
Specific Roleplay
Location: Build Roleplay → Export → Iframe tabWhat it includes: Direct access to one specific roleplayActivity Type:
premade-roleplayBest for: When you want users to complete a specific roleplay exerciseScript Memorization Activity
Script Memorization Activity
Location: Script Memorization activity → Export → Iframe tabWhat it includes: Direct access to a script memorization exerciseActivity Type:
scriptBest for: When you want users to practice memorizing specific scripts or content1
Copy the Iframe
Each activity requires a specific iframe configuration. Here’s the base template:
Important: The
id attribute should be a unique UUID (as shown in the example above). If you need to select or reference the iframe in your JavaScript code, use the data-ai-activity-locator="ai-activity-iframe" attribute instead of relying on the id, as this provides a more reliable selector that won’t change.Do I have to copy the iframe every time? Or can I make it more dynamic?
Do I have to copy the iframe every time? Or can I make it more dynamic?
You do not need to copy the iframe every time. You are free to make it more dynamic by generating the iframe on your side, but in order to get the user into the correct activity, we will need the following:src attributes:
a base url(typically https://yourcompany.replay.sale)activityId(the unique id of the activity you want to load)activityType(the type of activity you want to load)integrationJwt(a signed JWT that has the required claims. See step 2 for more details)
allow="microphone; camera; clipboard-write; downloads; display-capture"microphoneandcameraallow us to record the userclipboard-writeallows the user to copy a link to their roleplay analysisdownloadsallows the user to download their audio / video recording
2
Generate a Signed JWT
You must generate a unique JWT for each user using your secret key. The JWT requires these claims:
learnerName- User’s name (first, last, or both) - used for personalization in the roleplayuniqueIdentifier- Your database’s unique identifier for this user (UUID, email, etc.)originDomain- Your company’s domain identifier (see details below)
How User Identification Works
How User Identification Works
User Creation/Linking Logic:Replay uses the combination of
originDomain + uniqueIdentifier to either:- Create a new user if this combination doesn’t exist in our database
- Link to an existing user if this exact combination already exists
uniqueIdentifieralone isn’t enough because different companies might use simple IDs like “1”, “2”, “3”originDomainprevents collisions between different companies using the same simple identifiers- Together, they create a unique namespace for each company’s users
What is originDomain and how should I set it?
What is originDomain and how should I set it?
The
originDomain is used to namespace users and prevent collisions between different companies or systems. Here’s what you need to know:Purpose: If you use simple identifiers like 1, 2, 3 for users, and another company also uses 1, 2, 3, we need a way to distinguish between “User 1 from Company A” and “User 1 from Company B”.How to set it:- Use your main company domain (e.g.,
mycompany.com,microsoft.com,google.com) - It does NOT need to match the actual domain where the iframe is hosted
- Use the same value consistently for all users within your organization
- For multi-tenant systems, you can use the same domain for all your customers
- Can be your company’s landing page, documentation site, or main application domain
- Single company:
"originDomain": "mycompany.com" - Multi-tenant SaaS:
"originDomain": "mycompany.com"(same for all customers)
Multi-Company Setup & Security
Multi-Company Setup & Security
If you manage multiple separate companies/clients:Each company should have its own secret key for security. This ensures that:
- Company A cannot access Company B’s activities, even if they somehow obtain an iframe URL
- Users are properly isolated between companies
- Activity access is controlled at the company level
- Each activity belongs to a specific company in Replay
- The secret key you use to sign the JWT determines which company the user belongs to
- When a user accesses an activity, we use the activity ID to look up which company owns it
- We then validate the JWT signature against that company’s secret key
- Users can only access activities if their JWT was signed with the correct company’s secret key
- Create separate child companies in Replay for each of your clients
- Get a unique secret key for each company
- Store and use the appropriate secret key when generating JWTs for each company’s users
Need a secret key or lost yours? Contact us through email (hello@replay.sale) or Slack
3
Implement the Integration
- Generate the signed JWT for your user
- Replace
<INPUT_INTEGRATION_JWT>in the iframe src with your signed JWT - Load the iframe
Best practice: Create a function that handles JWT generation and iframe src updates before loading. When selecting the iframe in your JavaScript code, always use
document.querySelector('[data-ai-activity-locator="ai-activity-iframe"]') instead of getElementById() since the id is a unique UUID that will vary.4
Test Your Integration
Load your page and verify that:
- The iframe loads successfully
- User information is correct
- Recording permissions work
- Downloads function properly
Code Examples
Frequently Asked Questions
How do I handle multiple companies/clients in my system?
How do I handle multiple companies/clients in my system?
Each company should be set up as a separate entity in Replay with its own secret key.Setup process:
- Contact us to create child companies for each of your clients
- Get a unique secret key for each company
- Store the appropriate secret key for each company in your system
- Use the correct secret key when generating JWTs for users belonging to that company
What should I use for originDomain in a multi-tenant system?
What should I use for originDomain in a multi-tenant system?
Use the same domain for all your customers (e.g.,
"mycompany.com").The originDomain is for namespacing users between different systems, not between customers. Since all your customers’ users are coming through your system, they should all use the same originDomain.Company separation is handled by:- Using different secret keys for each company
- Each activity belonging to a specific company in Replay
Can users access activities from other companies?
Can users access activities from other companies?
No, if set up correctly.Here’s exactly how the security validation works:
- When a user accesses an activity, we use the activity ID from the iframe URL to look up which company owns that activity
- We then validate the JWT signature against that specific company’s secret key
- If the JWT wasn’t signed with the correct company’s secret key, access is denied
Do I need different originDomain values for different customers?
Do I need different originDomain values for different customers?
No. The
originDomain is used to distinguish between different integration systems (e.g., “Microsoft vs Google”), not between customers within the same system.If you’re managing multiple customers through your platform, use the same originDomain for all of them. Company separation is handled through different secret keys and the activity ownership system.Message Passing
After the user completes the roleplay, the iframe will send messages to the parent window containing information about the user’s performance and progress. To receive these messages, you’ll need to set up an event listener in your parent window.Setting Up the Listener
Add this code to your parent window to receive messages from the Replay iframe:When do we pass the message?
The message will be passed when the “Analysis” page is loaded for a roleplay that has been completed within the past 1 minute.Message Interface
The message type will always be “roleplay_result” and will contain both the overall score and the complete result object.