Skip to content

Platform APIs

The LMG Offers Platform has 2 main APIs:

  • Audience - The Audience API is the public GraphQL API that powers our SDK integrations.
  • Admin - Admin API is our REST API for Property administration functionality. This is used primarily by our Portal and Dashboard web apps, as well as custom 3rd party admin-level integrations.

Both APIs are intended to be consumed and integrated via our SDKs.

Contact us for more information about custom direct-API integrations.

Integration Details

Audience Verification Token

In order to verify users via the SDK, a unique token for each user must be generated and provided with the identify call. Verification ensures that users cannot impersonate each other, and is required for certain features like Offer Bookmarking.


To generate a Verification Token you'll need 2 things:

  • The Unique User ID that you've used to identify this user with the Loop Media Platform
  • The Verification Key found in your Property Settings

The Verification Key is a Base64 encoded string that contains an id and secret separate by a semicolon: id;secret.

To generate the Verification HMAC you need to:

  1. Decode the Verification Key to get the hmacId and hmacSecret
  2. Create a SHA256 HMAC that signs the Unique User ID with the hmacSecret. The format of this HMAC must be a hex digest string.
  3. Create the final Verifcation Token by joining the original Verification Key hmacId with your SHA256 HMAC Digest, in the format hmacId;sha256Digest, and encoding as a Base64 string.
// An example of how to compete a correct Audience Verification Token in Node.js
const assert = require('assert');
const crypto = require('crypto');

const verificationKey = "<YOUR PROPERTY'S VERIFICATION KEY>";

// 1. Decode the Verification Key
const decodedKey = Buffer.from(verificationKey, 'base64').toString('utf8');
const [ hmacId, hmacSecret ] = decodedKey.split(';');

// 2. Create the sha256 Hmac Digest
const hmacDigest = crypto.createHmac('sha256', hmacSecret).update(userId).digest('hex');

// 3. Encode in final Verification Token format
const = verificationToken = Buffer.from([hmacId, hmacDigest].join(';')).toString('base64');

Security Considerations

In order to be secure the HMAC token must be generated on your server, and communicated to your app or website once the user has been authenticated. Typically implementors return the computed HMAC as part of their user profile payload.