DuckVizBeta
SDK

Overview

Node-only server SDK for proxying DuckViz AI endpoints from your backend.

@duckviz/sdk is a Node.js SDK that proxies AI requests to DuckViz from your server. It keeps your API token out of the browser and lets you attach access control, logging, and billing to every request.

Node.js only

This package is server-side only. It cannot be imported in browser code — the "browser": false field in package.json enforces this.

Installation

npm install @duckviz/sdk

The SDK has optional peer dependencies for each framework adapter (hono, fastify, express) — install only the one you use.

Scaffolding from scratch?

npx duckviz create-app my-app already wires the SDK proxy at app/api/duckviz/[...route] plus the customFetch rewrite Explorer / Report / Deck need to actually call it. Read on if you're integrating into an existing backend; otherwise the packages quickstart skips most of this.

What you get

Composable classes

DuckvizWidgetFlow, DuckvizReports, DuckvizLogFormatDetector, DuckvizCredits, DuckvizUsage.

Framework adapters

Drop-in Next.js, Hono, Fastify, and Express handlers that proxy every DuckViz endpoint.

Typed errors

DuckvizAuthError, DuckvizQuotaExceededError, DuckvizRateLimitError, and more.

Authentication

Personal Access Tokens (dvz_live_*) with per-user credit accounting.

Authentication

The SDK uses Personal Access Tokens (PAT) for authentication. Generate a token from the DuckViz app:

  1. Go to app.duckviz.com/settings/tokens
  2. Click Create Token
  3. Copy the token (starts with dvz_live_)

Store it in an environment variable:

DUCKVIZ_API_TOKEN=dvz_live_abc123...

Every SDK class accepts this token via its constructor:

import { DuckvizWidgetFlow } from "@duckviz/sdk";

const widgetFlow = new DuckvizWidgetFlow({
  token: process.env.DUCKVIZ_API_TOKEN!,
});

Token security

PAT format is dvz_live_<24 base62 chars> — 24 random characters of unbiased entropy. Tokens are shown to you exactly once at creation and cannot be retrieved later; lose the original and you must mint a new one.

On the server we store a salted hash, never the token itself:

  • Algorithm: PBKDF2-SHA256, 100,000 iterations, 16-byte random salt, 32-byte output
  • Storage format: Django-style — pbkdf2_sha256$100000$<salt_b64>$<hash_b64>
  • Why PBKDF2: it runs natively in the Cloudflare Workers Web Crypto API. Argon2 would need WASM and a meaningful cold-start cost we'd rather avoid

Verification adds about 10–50 ms per request — acceptable because tokens are long-lived and verifications are infrequent compared to general traffic.

For O(1) lookup without a full table scan, the first 8 characters of the random portion are stored in a partial index (WHERE revoked_at IS NULL); the rare prefix collision is resolved by iterating active rows. Revocation flips revoked_at and the next request fails 401 — no stale-cache window.

Common constructor options

All SDK classes share the same constructor shape:

Prop

Type

Quick start with Next.js

The fastest path is the Next.js App Router catch-all handler:

// app/api/duckviz/[...route]/route.ts
import { createDuckvizHandlers } from "@duckviz/sdk/next";

export const { POST, GET } = createDuckvizHandlers({
  token: process.env.DUCKVIZ_API_TOKEN!,
});

Then configure the Explorer to use your proxy:

<Explorer
  customFetch={(input, init) => {
    const url = typeof input === "string" ? input : input.url;
    const proxied = url.replace(/^\/api\//, "/api/duckviz/");
    return fetch(proxied, init);
  }}
  authenticated={true}
  // ... other props
/>

See Adapters for the full Next.js, Hono, Fastify, and Express guides, or Server Proxy Setup for access control patterns.

@duckviz/ui

Radix-based UI primitives and CSS theme system for DuckViz components.

Classes

Composable SDK classes for widget flow, reports, log detection, credits, and usage.

On this page

InstallationWhat you getAuthenticationToken securityCommon constructor optionsQuick start with Next.js