Install the Tag
Integration guide for developers
ClickLens runs from a single script tag. It collects browser signals, scores each
session, and never blocks rendering or touches your page's own behaviour. The tag is
about 13 KB gzipped and loads with defer,
so it never delays your content.
The dashboard generates a copy-paste snippet for each site with your site key and the current integrity hash already filled in (Settings → Site Settings, or the onboarding install step). This guide explains every part of that snippet so you can adapt it to a tag manager, a CMS, or a server-rendered template.
The snippet
Paste this just before the closing </head>
tag on every page that receives paid traffic, including your landing pages and your
thank-you or confirmation pages.
<script
defer
src="https://app.clicklens.io/t.js"
integrity="sha384-..."
crossorigin="anonymous"
data-site="YOUR_SITE_KEY"
data-cl-token="YOUR_BEACON_TOKEN"
data-endpoint="https://app.clicklens.io/api/v1/beacon"
></script>
Copy the exact integrity
value from the dashboard snippet. The hash changes every time the tag is rebuilt, so a
value pasted from this page would fail Subresource Integrity and the browser would refuse
to run the tag.
Attributes
| Attribute | Required | Purpose |
|---|---|---|
src | Yes | The tag URL, https://app.clicklens.io/t.js. |
defer | Recommended | Loads the tag without blocking page render. It runs after the document parses. |
integrity + crossorigin="anonymous" | Recommended | Subresource Integrity. The browser runs the tag only if its bytes match the hash, so a compromised CDN cannot swap in different code. Copy the current hash from the dashboard. |
data-site | Yes | Your site key. Identifies which site the beacons belong to. It is public and grants no dashboard access. |
data-cl-token | Recommended | The per-site beacon signing token. The tag signs each beacon with it (HMAC-SHA256) so a forged or replayed beacon is flagged. If omitted, beacons are sent unsigned and flagged server-side, never rejected. |
data-endpoint | Optional | Where beacons are sent. If omitted, the tag derives it from its own src origin, which is correct for the standard install. |
data-cl-auto-convert | Optional | Set to "true" to fire a conversion on every form submit. Off by default. Only safe when every form on the page is a genuine conversion — see the conversion tracking guide. |
Configuring without data attributes
A tag manager or a programmatic injection cannot always set attributes on the script
element. Define window.__clicklens
before the tag loads and it reads its config from there instead.
<script>
window.__clicklens = {
siteId: 'YOUR_SITE_KEY',
token: 'YOUR_BEACON_TOKEN',
endpoint: 'https://app.clicklens.io/api/v1/beacon',
autoConversion: false,
};
</script>
<script defer src="https://app.clicklens.io/t.js"></script>
A data attribute wins over the global config when both are present. The Google Tag Manager
template sets window.__clicklens
for you; see the GTM guide.
Consent and privacy controls
The tag honors visitor opt-out signals. When any of the signals below is present it stops collecting device-fingerprint surfaces — the canvas and WebGL hashes, the audio hash, and font and voice enumeration. The session beacon still fires: behavioural events and the automation checks that detect bots are unaffected, because fraud detection is a legitimate-interest function rather than cross-site tracking. Passive properties the browser sends on every request anyway (user agent, language, screen size) are unchanged.
| Signal | Source |
|---|---|
navigator.globalPrivacyControl === true | Global Privacy Control, set by the browser or a privacy extension. The current opt-out standard. |
window.__clicklens_consent === false | Explicit hook for your consent manager. Only an exact false opts out; unset or any other value counts as consent. |
navigator.doNotTrack === "1" | Legacy Do Not Track. Also matches the value "yes" and the older window.doNotTrack. |
To wire a consent manager, set window.__clicklens_consent
before the tag script runs:
<script>
// false until your CMP confirms the visitor has consented to fingerprinting
window.__clicklens_consent = false;
</script>
<script defer src="https://app.clicklens.io/t.js"></script>
The tag reads consent once, when it collects signals on load. Set the value before the tag
script executes. Changing it after the tag has fired does not retroactively suppress the
first beacon. To withhold all collection until the visitor decides, load
t.js only after your
consent banner returns a decision. With an opt-out active the beacon still appears in the
Network tab and returns 204;
the fingerprint fields are dropped before it is sent.
What happens after install
-
On the first page view the tag creates a session id and stores it in
sessionStorage, so the same browser tab keeps one session across page navigations. - It collects immediate signals (canvas and WebGL fingerprint, hardware and locale markers, automation tells) and tracks behavioural events — pointer movement, scrolling, keystroke cadence — in the page. The fingerprint surfaces are skipped for visitors who have opted out (see Consent and privacy controls).
- It sends an initial beacon a few seconds after load and a final beacon when the page is hidden or unloaded, signed with your beacon token. The scoring engine classifies the session as human, suspect, or bot.
- The session appears in your dashboard. Nothing on your page changes: the tag never blocks, redirects, or alters a visitor's experience.
Verify the install
- Open your site in a normal browser tab so the tag fires a real session.
- In the dashboard, the onboarding install step shows “Tag is working” with a session count within a minute. New sessions also appear on your dashboard's sessions list.
-
In your browser's developer tools, the Network tab shows a request to
/api/v1/beaconreturning204.
No sessions after a minute? Check these in order:
- The tag is on the domain you registered in ClickLens, not a staging or preview host.
- An ad blocker or privacy extension is not blocking the request. Test in a private window with extensions off.
- The snippet sits before the closing
</head>tag and the page actually loads it. -
The browser console shows no Subresource Integrity error. If it does, the
integrityhash is stale — recopy the snippet from the dashboard.
Next steps
- Report sales and signups so the engine scores the conversion, not only the click: conversion tracking.
- Understand what the tag collects and our privacy posture: tag security.
- Platform-specific installs: WordPress, Shopify, Google Tag Manager, WooCommerce.