# External Integrations

**Analysis Date:** 2026-05-21

## APIs & External Services

**Bigscreen internal APIs (primary backend):**
- Bigscreen Auth/Main API — Account, auth, region/currency info, orders, scans, ticket/refund flows
  - Base URL: `REACT_APP_API_SERVER_URL` (env-driven, e.g. `https://dev-fire-api.bigscreencloud.com` in `cloud-browser-static/src/api/config.js`)
  - SDK/Client: Custom `BigApi` class in `src/api.js` built on `superagent`
  - Auth header: `Authorization: Bearer ${REACT_APP_API_KEY}` plus `x-access-token` / `x-refresh-token`
  - Notable endpoints called from this repo:
    - `/auth/login`, `/auth/account`, `/auth/logout`, `/auth/verify`, `/auth/renew`, `/auth/whoami`, `/auth/resend`
    - `/auth/token/login/:t`, `/auth/token2/login/:t`
    - `/auth/email/verify/:t`, `/auth/email/update/:t`, `/auth/reset/:t`, `/auth/forgot`
    - `/auth/account` (POST for signup)
    - `/info/region`, `/info/currency`
    - `/beyond/multipass` (Shopify multipass URL fetch in `src/components/BuilderIoPage/index.js`, `src/screens/Account/AccountHeader/index.js`)
    - `/beyond/orders`, `/beyond/order/:id`, `/beyond/order/:id/ipd` (BigOrder pages in `src/bigOrders/`)
    - `/beyond/scans`, `/beyond/scan/:token/process` (Scan flow in `src/scans/`)
    - `/media/order` (Stripe order submission in `src/screens/Purchase/Payment/index.js`)
- Bigscreen Cloud API
  - Base URL: `REACT_APP_CLOUD_API_URL`
  - SDK/Client: `BigApi.cloudApiGet/Post/Put/Delete` in `src/api.js`
  - Used by: `src/screens/SocialBrowser.js` → `GET /apps/browser/:activityId` and `cloud-browser-static/src/browser.js`
- Bigscreen RDC (Remote Desktop Config)
  - Base URL: `REACT_APP_RDC_SERVER_HOST`
  - Client: `BigApi.getRdcUrl()` in `src/api.js` calling `/config`
  - Consumer: `src/App.js` (`Desktop` screen at `/remotedesktop`)

**Builder.io (Headless CMS):**
- SDK: `@builder.io/react` + `@builder.io/widgets`
- API key (hardcoded): `64dd5478e25746bf9db3b6c0319905f6` in `src/index.js`
- Rendering: `src/components/BuilderIoPage/index.js` uses `<BuilderComponent>` with userAttributes `{ urlPath, locale }`
- Path routing: regex filter in `src/App.js` (`builderIoFilter`) hands `/`, `/software`, `/about`, `/displays`, `/experiences`, `/eyetracking`, `/giveaway`, `/create`, `/affiliate`, legal pages, etc. to Builder.io models `nspages` / `pages`

**Hyperbeam (Cloud browser):**
- SDK: `@hyperbeam/web` ^0.0.37
- Direct usage: `src/screens/SocialBrowser.js` and `cloud-browser-static/src/browser.js`
- Session retrieval: `GET /apps/browser/:activityId` from Bigscreen Cloud API supplies `embedUrl`, `options`, `adminToken`

**Stripe (Payments):**
- SDK: `@stripe/stripe-js` + `@stripe/react-stripe-js`
- Integration file: `src/screens/Purchase/Payment/CardForm/index.js` (uses `loadStripe`, `<Elements>`, `CardNumberElement`, `CardExpiryElement`, `CardCvcElement`, `useStripe().createToken`)
- Publishable keys are hardcoded:
  - `STRIPE_LIVE_PUBLIC_KEY` used when `window.location.hostname === "www.bigscreenvr.com"` or starts with `main-`
  - `STRIPE_TEST_PUBLIC_KEY` otherwise
- Token submission: tokenized card sent to backend via `POST /media/order` (`src/screens/Purchase/Payment/index.js`)
- Receipt rendering: `src/screens/Account/Ticket/index.js` reads `receipt.stripePaymentResult.{currency,amount}`

**Shopify (storefront + checkout):**
- Storefront link target: `https://store.bigscreenvr.com/` (multipass redirect via `/beyond/multipass`)
- Multipass redirect calls: `src/components/BuilderIoPage/index.js`, `src/screens/Account/AccountHeader/index.js`
- Admin tooling lives in `ipynb_shopify/`:
  - `001.checkoutCustomization.ipynb` — Shopify Admin GraphQL (`https://bigscreenvr.myshopify.com/admin/api/2025-01/graphql.json`) for checkout branding (fonts, colors, customizations) using `X-Shopify-Access-Token`
  - `002.klaviyoFunctions.ipynb` — Klaviyo email/segment automation (see below)
  - `api.py` — Reusable Bigscreen API client used by the notebooks

**Klaviyo (email marketing):**
- Referenced in `ipynb_shopify/002.klaviyoFunctions.ipynb`
- Not invoked from the React frontend

**Google Fonts:**
- `public/index.html` and `public/beyondIndex.html` preconnect to `https://fonts.gstatic.com` and link `https://fonts.googleapis.com/css2?family=Poppins:wght@400;500;600;700&display=swap`
- Self-hosted `SFProDisplay-Bold` referenced in inline `<style>`

## Data Storage

**Databases:**
- None accessed directly from this codebase — all persistence happens through the Bigscreen APIs above

**File Storage:**
- `cloud-browser-static/dist/` is designed to be uploaded to S3 + CloudFront (per `cloud-browser-static/README.md`); the upload is performed outside this repo
- Static images, fonts and SVGs served from `public/`

**Caching:**
- Browser-side: cookies (`x-access-token`, `x-refresh-token`, `retry_token`) managed by `BigApi.setCookie/getCookie/deleteCookie` in `src/api.js`
- localStorage fallback for tokens when `BigApi.USE_COOKIES_FOR_TOKENS === false` (currently `true`)
- `localStorage` key `darkMode` set inline in `public/index.html` boot script

## Authentication & Identity

**Auth Provider:**
- Custom Bigscreen authentication (no third-party identity provider)
- Implementation: `src/api.js` — `BigApi.login`, `BigApi.loginWithToken`, `BigApi.loginWithToken2`, `BigApi.createAccount`, `BigApi.logout`, `BigApi.checkAccessTokenStatus`, `BigApi.renewAccessToken`
- Token pair: short-lived `x-access-token` and long-lived `x-refresh-token` (14-day cookie expiry)
- Renewal flow: 401 + `x-bigscreen-nonce` header → `GET /auth/renew` with refresh token + base64 `x-bigscreen-system-info`
- Single-use login tokens: `/token/login/:token` and `/token2/login/:token` routes (`src/screens/Api/ApiPages.js`)
- Shopify Multipass: server-issued URL fetched from `/beyond/multipass`, used to single-sign-on into `store.bigscreenvr.com`

## Monitoring & Observability

**Error Tracking:**
- None detected (no Sentry, Datadog, Bugsnag, Rollbar, or similar SDKs)
- Errors surface via `console.error` / `console.warn` and `BigApiError.getApiError` in `src/api.js`

**Logs:**
- Browser `console.*` only; no structured logging or remote sink

**Analytics & marketing pixels (loaded from `public/index.html` and via `react-ga` in `src/App.js`/`src/BeyondApp.js`):**
- Google Analytics (Universal Analytics) — `ReactGA.initialize('UA-154139246-1')` (UA properties were sunset by Google in mid-2023; tag remains in code)
- Google AdSense — `pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-1838810760934258`
- Reddit Pixel — `rdt('init','a2_fj1069bely5e')`, `rdt('track','PageVisit')`
- Twitter conversion pixel — `static.ads-twitter.com/uwt.js`, `twq('config','ond1m')`
- Meta (Facebook) Pixel — `connect.facebook.net/en_US/fbevents.js`, `fbq('init','9362178413841771')`, `fbq('track','PageView')`, plus `<noscript>` fallback image
- Facebook OG / Twitter Card meta tags (`fb:admins=132951670226590`, `@BigscreenVR`)

## CI/CD & Deployment

**Hosting:**
- Static React build (CRA `react-scripts build`) — hosting platform not declared in repo (no `vercel.json`, `netlify.toml`, `now.json`, `firebase.json`, `serverless.yml`, Dockerfile, or Procfile detected)
- `cloud-browser-static/dist/` is intended for S3 + CloudFront distribution

**CI Pipeline:**
- None detected in this repo (`.github/`, `.circleci/`, `.gitlab-ci.yml`, `azure-pipelines.yml`, etc. absent)
- Manual workflow: `yarn install` → `yarn build` (per `README.md`)

## Environment Configuration

**Required env vars (root React app, all baked into the bundle at build time):**
- `REACT_APP_API_SERVER_URL`
- `REACT_APP_CLOUD_API_URL`
- `REACT_APP_API_KEY`
- `REACT_APP_RDC_SERVER_HOST`

**Notebook env vars (read by `ipynb_shopify/api.py` via `dotenv_values`):**
- `BIGSCREEN_API_URL`, `BIGSCREEN_EYETRACKING_API_URL`, `BIGSCREEN_ADMIN_API_URL`, `BIGSCREEN_CLOUD_API_URL`, `BIGSCREEN_WSS_URL`
- `BIGSCREEN_API_KEY`, `BIGSCREEN_EYETRACKING_API_KEY`
- `ADMIN_ACCOUNT_EMAIL`, `ADMIN_ACCOUNT_PASSWORD`
- Notebooks also reference `SHOPIFY_TOKEN` in `.env`

**Secrets location:**
- `.env` (gitignored) in repo root, per `README.md` copied from `Server_Keys/local/webapps/website`
- Notebooks load `../.env`
- Several secrets are nevertheless hardcoded in source (see CONCERNS-worthy notes): Builder.io key in `src/index.js`, Stripe publishable keys in `src/screens/Purchase/Payment/CardForm/index.js`, dev API key in `cloud-browser-static/src/api/config.js`, Shopify admin token in `ipynb_shopify/001.checkoutCustomization.ipynb`

## Webhooks & Callbacks

**Incoming (handled by React routes that consume backend-issued tokens):**
- `/email_verify`, `/email_verify_failed`, `/email_update`, `/email_update_failed` — outcome pages (`src/screens/OutcomeReport`)
- `/email/verify/:token`, `/email/update/:token` — pass token to backend then redirect (`src/screens/Api/ApiPages.js`)
- `/account/reset/:token`, `/reset/:token` — password reset (`src/screens/Access`)
- `/token/login/:token`, `/token2/login/:token` — single-use login redemption
- `/token/purchase/:bigMediaId` — purchase token generation
- `/scans/start`, `/scan/:tpy_token/process` — face scan workflow callbacks (`src/scans/`)
- `/bset/pushtoken/:etToken` — eye-tracking client deeplink (`src/screens/Access/EtClient`)
- `/browser/:activityId` — in-app Hyperbeam launch (`src/screens/SocialBrowser.js`)

**Outgoing:**
- None — the frontend never originates webhook deliveries; all third-party calls go through the Bigscreen backend

---

*Integration audit: 2026-05-21*