// Getting started
Install Rebase
Paste one script tag, claim your site, invite the team — from zero to first ticket in minutes.
Add the script tag
Paste this once, just before </body>, on every page where the widget should be available:
<!-- keyless — your domain identifies your project -->
<script defer src="https://cdn.rebase.dev/loader.min.js"></script>That's the whole install. There is no API key to manage, rotate or leak — your domain identifies your project, and access is enforced by domain ownership and per-user sign-in.
The widget never blocks your page: a ~1 KB gzipped loader runs first and only pulls the main bundle (~20 KB gzipped) once your site is set up. Uninvolved sites and unsupported origins load almost nothing.
Framework placement
The embed is the same one line everywhere — only where you put it differs.
Next.js — use next/script so the attributes are preserved:
import Script from "next/script";
export default function RootLayout({ children }) {
return (
<html>
<body>
{children}
<Script
src="https://cdn.rebase.dev/loader.min.js"
strategy="afterInteractive"
/>
</body>
</html>
);
}Nuxt — add it to app.head in your config:
export default defineNuxtConfig({
app: {
head: {
script: [{ defer: true, src: "https://cdn.rebase.dev/loader.min.js" }],
},
},
});Single-page apps need the snippet only once — the widget tracks client-side navigation on its own.
Claim your site
Setup happens on your own website — there is deliberately no admin dashboard to learn. With the tag in place, open your site and click the Rebase toolbar. The wizard walks you through five steps:
- Enter your email. Sign-in is passwordless — you'll get a 6-character code.
- Verify your domain. Add the one-line
<meta>tag the wizard shows you. Rebase polls, verifies, and keeps rechecking in the background. - Pick a handle. Your public @username across Rebase.
- Choose your use case. So the defaults fit how you work.
- Start the trial. Checkout runs through Stripe and returns you to your own site — the widget picks the session back up ("Finishing setup…"), reload-proof.
Every step is resumable: the email you receive contains a link that reopens the wizard exactly where you left off — after a reload, or on another day.
Invite your team
Open Settings → Team in the widget and invite by email. You choose each person's role at invite time — owner, team, commenter or viewer — and can change it any time. Invite links are signed credentials: one click signs the teammate in and activates them, no code round-trip.
See Teams, roles & notifications for what each role can do.
Configuration
All configuration is read from data-* attributes on the script tag:
| Attribute | Default | What it does |
|---|---|---|
data-user | — | A stable identifier (email or ID) for the current user, if you have one — prefills sign-in. |
data-mask | — | Extra CSS selectors to redact from captures, comma-separated. |
data-capture-bodies | false | Set true to also capture request bodies for fetch and XHR. Response bodies are never captured. |
<script
defer
src="https://cdn.rebase.dev/loader.min.js"
data-user="[email protected]"
data-mask=".invoice-total, [data-account-number]"
></script>Per-element controls (data-rebase-mask, data-rebase-block, data-rebase-unmask) and source-attribution hints (data-rb-source, data-rb-component) live on your own markup — see What gets captured and Source attribution.
Content-Security-Policy
If your site sends a strict CSP, allow the widget's two origins:
script-src https://cdn.rebase.dev;
connect-src https://api.rebase.dev;
img-src data:;The widget renders entirely inside a Shadow DOM host, so it never touches your page's styles and needs no style-src exception.
Screenshot capture renders your page to a canvas and inherits your page's own img-src and font-src — cross-origin images your CSP blocks simply come out blank, and img-src data: is needed for the captured preview. If capture is fully blocked, the widget retries once and then sends the report without a screenshot — element, console and network context still arrive.
Troubleshooting
| Symptom | Likely cause / fix |
|---|---|
| No toolbar appears at all | The site isn't set up for this domain yet — run the claim wizard — or the origin isn't public HTTPS. |
| Console says blocked by Content-Security-Policy | Add cdn.rebase.dev to script-src and api.rebase.dev to connect-src. |
| Sign-in code never arrives | The email isn't an invited member, or it's in spam. An owner can re-send the invite from Settings. |
| Members can file tickets but can't resolve them | Expected — only owner and team roles can resolve. |
| Sign-in drops after a reload | localStorage is blocked (private mode or storage partitioning), so the session can't persist. |
| Screenshots come out blank or partial | Cross-origin images blocked by your CSP/CORS during canvas capture — the report still sends. |
| Reports fail on a flaky connection | The widget holds the draft and auto-retries when the browser comes back online. |
Locked out?
Ownership recovery uses the same domain proof as setup: verify the meta tag, then a 3-day window opens during which the current owner is notified and can dispute with one click. If nobody disputes, ownership transfers.