Web SDK
Browser quickstart for @layers/amba-web — install, configure, first track, first auth, first collection insert in under 10 minutes.
@layers/amba-web is the browser SDK. It exposes the full 25-namespace amba surface.
Bundle footprint: ~30 KB gzipped for the entry point, plus a ~150 KB gzipped WASM binary loaded lazily on first Amba.configure().
1. Install
Works in any modern bundler — Vite, Next.js, SvelteKit, Astro, Remix, Webpack, Rspack. Pure ES module, sideEffects: false, tree-shakes cleanly.
2. Configure at app start
Call Amba.configure({ apiKey }) once before any other SDK method. The first call loads the WASM binary and seeds an anonymous identity from localStorage.
Set VITE_AMBA_API_KEY=amb_dev_ck_XXXX in your .env.local (replace amb_dev_ck_XXXX with the key from amba init or app.amba.dev).
For Next.js use NEXT_PUBLIC_AMBA_API_KEY; for Create React App use REACT_APP_AMBA_API_KEY. Anything client-readable works — the dev key is safe to ship (server-side auto-RLS scopes every request to the signed-in user; the key itself can't read another tenant's data).
3. First auth
Sign in anonymously to get an appUserId you can attach data to. Every other client-side call (events.track, collections.insert, storage.upload, …) is gated on a live session, so this step comes before any of those. For email / Apple / Google sign-in see the auth section.
4. First event
Now that the SDK holds a session token, track an event:
You can confirm the event landed by visiting the project dashboard at app.amba.dev → Events (typically visible within ~10 seconds).
Why auth first? Every /v1/client/* endpoint except the auth flows themselves runs under clientSessionAuth server-side. Calling events.track (or any other namespace method) before signInAnonymously returns 401 Unauthorized — session token missing or expired. Anonymous-but-unauthenticated event tracking — attributing events to an anonymous_id with no session token — isn't supported in v1.
5. First collection insert
Insert a row into a collection you've already created via amba collections create posts --field title:text --field body:text. The server stamps user_id from your session token, so client-supplied user_id is ignored.
Auto-RLS is enforced server-side: even if you call find with no filter, you only see your own rows.
Authentication
Refresh tokens are rotated server-side on every refresh and stored as sha256 hashes. The SDK schedules silent token refresh ahead of expiry; you generally never have to call refresh() manually.
Collections
Supported operators on where: eq, ne, gt, gte, lt, lte, in, notIn, like, ilike, isNull, isNotNull, plus and, or, not for composition. See collections for the full DSL.
Storage uploads
storage.upload() runs the full presign → PUT → commit flow against your storage bucket.
Buckets are created via amba storage create-bucket avatars --public. See storage for retention policies and image transforms.
Push (web push)
AI proxy
Provider keys live server-side. You only ship the prompt slug (managed in the console) and runtime variables. See AI gateway.
Config + flags
Common pitfalls
- Calling Amba.* before await Amba.configure(...) resolves throws "amba SDK not configured". Either await it at app entry or guard with Amba.appUserId === undefined.
- WASM loaded twice — the entry-point loader is idempotent. If you see two amba_core_bg.wasm requests in the network tab, your bundler is duplicating the module — check for two copies of @layers/amba-core-wasm in pnpm why @layers/amba-core-wasm.
- CSP wasm-unsafe-eval — strict CSPs need 'wasm-unsafe-eval' in script-src. Without it, the browser refuses to instantiate the WASM module.
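To check the CSP pitfall before deploying, the following added example (not part of @layers/amba-web or its docs) audits a Content-Security-Policy header value for whether it permits WASM instantiation. The function names parseCsp and auditWasmCsp and the sample policies are constructed for illustration.

```javascript
// Added example, not SDK code. The policies in `samples` are constructed.

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Decide whether one policy lets the page compile and instantiate WASM.
function auditWasmCsp(header) {
  const csp = parseCsp(header);
  // WASM compilation is governed by script-src, falling back to default-src.
  const governing = ["script-src", "default-src"].find((d) => csp.has(d)) ?? null;
  if (governing === null) {
    return { wasmAllowed: true, governing, finding: "no script-src or default-src, WASM is unrestricted" };
  }
  const sources = csp.get(governing);
  if (sources.includes("'unsafe-eval'")) {
    // Works, but also re-enables eval() and new Function(): broader than needed.
    return { wasmAllowed: true, governing, finding: "replace 'unsafe-eval' with 'wasm-unsafe-eval'" };
  }
  if (sources.includes("'wasm-unsafe-eval'")) {
    return { wasmAllowed: true, governing, finding: "ok" };
  }
  return { wasmAllowed: false, governing, finding: `add 'wasm-unsafe-eval' to ${governing}` };
}

const samples = [
  "default-src 'self'; script-src 'self' https://cdn.example",
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self' 'wasm-unsafe-eval'",
  "script-src 'self' 'unsafe-eval'",
];
for (const policy of samples) {
  console.log(policy, "=>", JSON.stringify(auditWasmCsp(policy)));
}
```

When a response carries several policies (multiple headers or a meta tag), the browser enforces each one independently, so run the audit on every policy.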
See also
- Client API reference — HTTP endpoint reference for every namespace.
- Code samples — same operations side-by-side with the other 7 SDKs.
- React hooks SDK — useUser, useCollection, useFlag on top of @layers/amba-web.