Get started

// Getting started

Install Rebase

Paste one script tag, claim your site, invite the team — from zero to first ticket in minutes.

Add the script tag

Paste this once, just before </body>, on every page where the widget should be available:

index.html
<!-- keyless — your domain identifies your project -->
<script defer src="https://cdn.rebase.dev/loader.min.js"></script>

That's the whole install. There is no API key to manage, rotate or leak — your domain identifies your project, and access is enforced by domain ownership and per-user sign-in.

The widget never blocks your page: a ~1 KB gzipped loader runs first and only pulls the main bundle (~20 KB gzipped) once your site is set up. Uninvolved sites and unsupported origins load almost nothing.

Framework placement

The embed is the same one line everywhere — only where you put it differs.

Next.js — use next/script so the attributes are preserved:

app/layout.tsx
import Script from "next/script";

export default function RootLayout({ children }) {
  return (
    <html>
      <body>
        {children}
        <Script
          src="https://cdn.rebase.dev/loader.min.js"
          strategy="afterInteractive"
        />
      </body>
    </html>
  );
}

Nuxt — add it to app.head in your config:

nuxt.config.ts
export default defineNuxtConfig({
  app: {
    head: {
      script: [{ defer: true, src: "https://cdn.rebase.dev/loader.min.js" }],
    },
  },
});

Single-page apps need the snippet only once — the widget tracks client-side navigation on its own.

Claim your site

Setup happens on your own website — there is deliberately no admin dashboard to learn. With the tag in place, open your site and click the Rebase toolbar. The wizard walks you through five steps:

  1. Enter your email. Sign-in is passwordless — you'll get a 6-character code.
  2. Verify your domain. Add the one-line <meta> tag the wizard shows you. Rebase polls, verifies, and keeps rechecking in the background.
  3. Pick a handle. Your public @username across Rebase.
  4. Choose your use case. So the defaults fit how you work.
  5. Start the trial. Checkout runs through Stripe and returns you to your own site — the widget picks the session back up ("Finishing setup…"), reload-proof.

Every step is resumable: the email you receive contains a link that reopens the wizard exactly where you left off — after a reload, or on another day.

Invite your team

Open Settings → Team in the widget and invite by email. You choose each person's role at invite time — owner, team, commenter or viewer — and can change it any time. Invite links are signed credentials: one click signs the teammate in and activates them, no code round-trip.

See Teams, roles & notifications for what each role can do.

Configuration

All configuration is read from data-* attributes on the script tag:

AttributeDefaultWhat it does
data-userA stable identifier (email or ID) for the current user, if you have one — prefills sign-in.
data-maskExtra CSS selectors to redact from captures, comma-separated.
data-capture-bodiesfalseSet true to also capture request bodies for fetch and XHR. Response bodies are never captured.
index.html
<script
  defer
  src="https://cdn.rebase.dev/loader.min.js"
  data-user="[email protected]"
  data-mask=".invoice-total, [data-account-number]"
></script>

Per-element controls (data-rebase-mask, data-rebase-block, data-rebase-unmask) and source-attribution hints (data-rb-source, data-rb-component) live on your own markup — see What gets captured and Source attribution.

Content-Security-Policy

If your site sends a strict CSP, allow the widget's two origins:

CSP additions
script-src  https://cdn.rebase.dev;
connect-src https://api.rebase.dev;
img-src     data:;

The widget renders entirely inside a Shadow DOM host, so it never touches your page's styles and needs no style-src exception.

Screenshot capture renders your page to a canvas and inherits your page's own img-src and font-src — cross-origin images your CSP blocks simply come out blank, and img-src data: is needed for the captured preview. If capture is fully blocked, the widget retries once and then sends the report without a screenshot — element, console and network context still arrive.

Troubleshooting

SymptomLikely cause / fix
No toolbar appears at allThe site isn't set up for this domain yet — run the claim wizard — or the origin isn't public HTTPS.
Console says blocked by Content-Security-PolicyAdd cdn.rebase.dev to script-src and api.rebase.dev to connect-src.
Sign-in code never arrivesThe email isn't an invited member, or it's in spam. An owner can re-send the invite from Settings.
Members can file tickets but can't resolve themExpected — only owner and team roles can resolve.
Sign-in drops after a reloadlocalStorage is blocked (private mode or storage partitioning), so the session can't persist.
Screenshots come out blank or partialCross-origin images blocked by your CSP/CORS during canvas capture — the report still sends.
Reports fail on a flaky connectionThe widget holds the draft and auto-retries when the browser comes back online.

Locked out?

Ownership recovery uses the same domain proof as setup: verify the meta tag, then a 3-day window opens during which the current owner is notified and can dispute with one click. If nobody disputes, ownership transfers.