🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In

@mintlify/assistant-web

Package Overview
Dependencies
Maintainers
5
Versions
8
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@mintlify/assistant-web

Browser SDK and direct-mount boundary for Mintlify Assistant

Source
npmnpm
Version
0.0.11
Version published
Weekly downloads
367
Maintainers
5
Weekly downloads
 
Created
Source

@mintlify/assistant-web

The Mintlify Assistant browser boundary provides the hosted loader, custom-trigger API, browser transport, and direct mount lifecycle. Importing the package has no browser side effects. Browser behavior begins only after calling an exported browser function or loading the hosted script.

Hosted loader

Set the public Widget ID before loading the compatible release channel:

<script nonce="YOUR_CSP_NONCE">
  window.MintlifyAssistantSettings = {
    widgetId: 'mint_widget_example',
    context: { currentPath: window.location.pathname },
    styleNonce: 'YOUR_CSP_NONCE',
    scriptNonce: 'YOUR_CSP_NONCE',
  };
</script>
<script
  type="module"
  defer
  nonce="YOUR_CSP_NONCE"
  src="https://cdn.jsdelivr.net/npm/@mintlify/assistant-web@0.0/dist/browser/embed.js"
></script>

The @0.0 channel follows the latest compatible 0.0.x patch release. Breaking browser API changes must move to a new minor channel so existing installations do not update across them.

The loader installs window.MintlifyAssistant. Every method returns a promise after the loader has run. Calls made while its lazy runtime is loading are replayed once in invocation order.

baseUrl optionally replaces the full widget API base URL. It defaults to https://api.mintlify.com/api/assistant-widget; set it only when routing the compatible Assistant API through a proxy, regional endpoint, self-hosted deployment, or local development server.

await window.MintlifyAssistant.ready;
await window.MintlifyAssistant.open({ entryPoint: 'docs-header' });
await window.MintlifyAssistant.ask('How do I authenticate?', {
  entryPoint: 'authentication-button',
});
await window.MintlifyAssistant.update({
  context: { currentPath: window.location.pathname, version: 'v2' },
});

Entry points are trimmed strings from 1 through 100 characters. Custom triggers default to custom-trigger; the maintained trigger defaults to floating-trigger.

For controls that can run before the external script executes, install the small preload stub shown in examples/plain-html.html. Its queued open, close, focus, ask, update, newThread, and destroy calls are adopted by the loader. Repeated script loads and repeated initialization with the same Widget ID remain idempotent. Call destroy() before initializing a different widget.

identityToken is optional and exchanged only for a short-lived Assistant session. Identity, session, captcha, and trust tokens are kept in memory and are not included in browser lifecycle events. update({ identityToken }) starts a fresh thread; context, theme, and trigger visibility updates preserve the current thread.

Headless consumers

@mintlify/assistant-core remains available unchanged for standalone headless integrations with their own transports. The maintained browser widget in this package uses the AI SDK data protocol directly and does not instantiate the custom streaming core.

Content Security Policy

Allow the following origins when the corresponding CSP directives are present:

  • script-src: https://cdn.jsdelivr.net, https://challenges.cloudflare.com, and https://js.hcaptcha.com
  • connect-src: https://api.mintlify.com, https://challenges.cloudflare.com, and https://*.hcaptcha.com
  • frame-src: https://challenges.cloudflare.com and https://*.hcaptcha.com
  • style-src: https://cdn.jsdelivr.net plus the nonce passed as styleNonce for the widget's isolated inline base styles

Replace YOUR_CSP_NONCE with the request's nonce. A strict script-src policy must authorize the inline settings/preload block itself with the <script nonce> attribute; scriptNonce only propagates that value to dynamically loaded captcha scripts. The external loader may be authorized by its host or a nonce. Pass the same value as styleNonce when style-src requires a nonce for the widget's isolated inline base styles.

Browser errors include a stable code, retryable, and optional HTTP status, plus CSP guidance for blocked runtime, API, or captcha resources. When using baseUrl, allow its origin in connect-src instead of https://api.mintlify.com.

Browser artifacts

yarn build emits the versioned dist/browser/embed.js loader and a lazy dist/browser/runtime-[hash].js runtime. Renderer assets use relative hashed paths under dist/browser/assets. The build fails if browser JavaScript contains bare host-resolved imports or if the loader reaches 8 KiB gzip. Exact byte counts are written to dist/browser/size-report.json.

FAQs

Package last updated on 17 Jul 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts