Docs · SDK supply chain
SDK versions + SRI.
The Irv browser SDK ships two paths per version: /i.js (always-latest, auto-upgrades) and /v<version>/i.js (immutable, safe to pin with Subresource Integrity). Pinning means the browser refuses to run the script if any byte changes — so a compromise of our deploy can't turn into arbitrary-code-execution on your customers.
Pinned install (recommended for production)
Paste this exact snippet, replacing pk_live_xxxwith your project key. When we publish a new SDK version you'll need to bump the URL + hash to receive new features — but a compromised deploy in the meantime can't hurt your site.
<script src="https://irv.dev/v0.3.0/i.js?p=pk_live_xxx"
integrity="sha384-esuH6/0124SIvcE6SCKbzTAHvZzSkCp+gJP5XIGdX5XSJAN+90J+X55nuFmDohx7"
crossorigin="anonymous"></script>Built 5/14/2026, 8:25:03 AM · pinned to v0.3.0 · 34,008 bytes
Latest install (auto-upgrades)
If you want each new SDK feature to land without a customer-side change, point at /i.jsinstead. No SRI is possible because the bytes change on every publish — you're trusting that we don't ship anything bad.
<script src="https://irv.dev/i.js?p=pk_live_xxx"></script>
This is the default snippet shown in the dashboard and onboarding wizard.
All published versions
Every version published. The JSON shape is at /sdk-versions.json for programmatic access — useful if your CI wants to keep the SRI hash up to date automatically.
| Version | Built | Size | Integrity (sha384) |
|---|---|---|---|
| v0.3.0latest | 5/14/2026 | 34,008 b | sha384-esuH6/0124SIvcE6SCKbzTAHvZzSkCp+gJP5XIGdX5XSJAN+90J+X55nuFmDohx7 |
npm-package users
@irv/web on npm ships the ESM bundle. The corresponding immutable URL + integrity hash for the ESM build of the latest version is:
integrity="sha384-7Y0s7d5sTakpoL5VGZucMNofEE33IVVejN+EDNVkvchGb4SmQJP/L7h/0ejNDaSk" src="https://irv.dev/v0.3.0/irv.js"
If you're bundling via Vite / webpack / Next.js, your bundler already hashes the output — SRI on a CDN script tag isn't needed.