Errova supports two DSN key types with different trust models. Pick the key type based on where the code runs, not on convenience.
browser_public
- Designed for frontend and browser-delivered events.
- No signature headers are required.
- Protect the key with allowed origins and origin enforcement modes.
server_signed (recommended for backend)
- Designed for backend services, workers, scripts, and private relays.
- Requires X-Errova-Timestamp, X-Errova-Nonce, and X-Errova-Signature on each request.
- The signature is HMAC-SHA256 over timestamp, nonce, public key, and the SHA256 hash of the raw request body.
- The server rejects replayed nonces and timestamps that fall outside the allowed window.
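The following is an added example, not Errova's own code: a sketch of how a receiver can check the three headers, the timestamp window, and nonce replay as described above. The newline-joined message layout, hex encoding, the 300-second window, and the names canonical_message, sign, and Verifier are assumptions made for illustration; the page does not specify the wire format.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed window; the page does not state the real value


def canonical_message(timestamp: str, nonce: str, public_key: str, raw_body: bytes) -> bytes:
    # Fields named on the page, in the order listed there. Newline joining
    # and hex encoding are assumptions made for this sketch.
    body_hash = hashlib.sha256(raw_body).hexdigest()
    return "\n".join([timestamp, nonce, public_key, body_hash]).encode()


def sign(secret: bytes, timestamp: str, nonce: str, public_key: str, raw_body: bytes) -> str:
    msg = canonical_message(timestamp, nonce, public_key, raw_body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, secrets_by_key: dict, now=time.time):
        self.secrets_by_key = secrets_by_key
        self.now = now
        self.seen = {}  # (public_key, nonce) -> last second the timestamp is valid

    def verify(self, headers: dict, public_key: str, raw_body: bytes) -> str:
        secret = self.secrets_by_key.get(public_key)
        if secret is None:
            return "unknown_key"
        try:
            ts = headers["X-Errova-Timestamp"]
            nonce = headers["X-Errova-Nonce"]
            sig = headers["X-Errova-Signature"]
            ts_int = int(ts)
        except (KeyError, ValueError):
            return "malformed"
        now = self.now()
        if abs(now - ts_int) > MAX_SKEW_SECONDS:
            return "stale_timestamp"
        expected = sign(secret, ts, nonce, public_key, raw_body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "bad_signature"
        # Record the nonce only after the MAC checks out, so unauthenticated
        # traffic cannot fill the cache; entries expire with the window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (public_key, nonce) in self.seen:
            return "replayed_nonce"
        self.seen[(public_key, nonce)] = ts_int + MAX_SKEW_SECONDS
        return "ok"
```

Hashing the raw request bytes, rather than a re-serialized body, is what keeps the signer and verifier in agreement; a production verifier would back the nonce cache with shared storage so every node sees the same replay state.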
Origin Enforcement Modes
- off: no origin checks
- report_only: logs mismatches without blocking requests (recommended for rollout)
- enforce: rejects requests from origins that are not explicitly allowed
Allowed Origin Rules
- Origins must be exact scheme + host + optional port.
- Do not include paths, query parameters, or fragments.
- For local testing, include every localhost variant you actually use.
- Validate in report_only first, then switch to enforce.
Rotation Checklist
- Create replacement credentials before touching the live key.
- Deploy the new secret everywhere it is needed.
- Verify events are arriving under the replacement key.
- Revoke the old key only after traffic is cleanly cut over.