SDK

Security

Keep Partner Keys Server-Side

Your LookLoot partner key must stay on your backend. Desktop apps and browser bundles can be inspected by users, so they should only receive short-lived device tokens.

Use this flow:

  1. User signs in to your app.
  2. Your desktop app calls your backend.
  3. Your backend forwards the registered appId, optional appVersion, and user/device context to LookLoot with LOOKLOOT_PARTNER_KEY.
  4. Your backend returns only the device token to the app.
  5. The app passes that token to the SDK through getDeviceToken.

The partner token endpoint returns:

{
  token: string;
  deviceId: string;
  partnerEndUserId: string;
  externalUserId: string;
  app: {
    id: string;
    slug: string;
    name: string;
    version: string | null;
  };
}

Only token should be passed into the SDK. Treat the other fields as optional metadata for server logs or your own authenticated device-management UI. app.slug confirms the registered source app that the minted token is scoped to.
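The backend side of the flow above (steps 3 and 4), as an added TypeScript example that is not LookLoot's own code: the partner key is used only in the server-to-LookLoot call, the response is checked against the expected app.slug, and only `token` is returned to the desktop app. The endpoint URL and the header used to carry the partner key are assumptions; check LookLoot's API reference for the real values.

```typescript
// Added example (not LookLoot's own code). The endpoint URL and the header that
// carries the partner key are assumptions; check LookLoot's API reference.
const LOOKLOOT_PARTNER_TOKEN_URL = "https://PLACEHOLDER/partner/token"; // placeholder

// Response shape of the partner token endpoint, as documented above.
interface PartnerTokenResponse {
  token: string; deviceId: string; partnerEndUserId: string; externalUserId: string;
  app: { id: string; slug: string; name: string; version: string | null };
}
interface PartnerRequest {
  url: string; init: { method: string; headers: Record<string, string>; body: string };
}
type FetchLike = (url: string, init: PartnerRequest["init"]) => Promise<{ json(): Promise<unknown> }>;

// Step 3: the server-to-LookLoot call. The partner key appears only here, on the
// backend, and never in anything handed back to the desktop app.
function buildPartnerRequest(partnerKey: string, appId: string, externalUserId: string,
                             appVersion?: string): PartnerRequest {
  return {
    url: LOOKLOOT_PARTNER_TOKEN_URL,
    init: {
      method: "POST",
      headers: { "content-type": "application/json",
                 authorization: `Bearer ${partnerKey}` }, // header name is an assumption
      body: JSON.stringify({ appId, appVersion, externalUserId }),
    },
  };
}

// Step 4: keep only the field the app may see, and refuse a token that is not
// scoped to the app we registered (the app.slug check the docs describe).
function pickDeviceToken(res: PartnerTokenResponse, expectedAppSlug: string): { token: string } {
  if (typeof res.token !== "string" || res.token.length === 0) {
    throw new Error("partner token endpoint returned no token");
  }
  if (res.app?.slug !== expectedAppSlug) {
    throw new Error(`token is scoped to "${res.app?.slug}", expected "${expectedAppSlug}"`);
  }
  return { token: res.token }; // deviceId, externalUserId and app.* stay server-side
}

// Steps 3 and 4 end to end, as your backend's device-token handler would call them.
// fetchImpl is injected (pass globalThis.fetch on Node 18+) so it is easy to test.
async function mintDeviceToken(fetchImpl: FetchLike, partnerKey: string, appId: string,
                               externalUserId: string, expectedAppSlug: string): Promise<{ token: string }> {
  const { url, init } = buildPartnerRequest(partnerKey, appId, externalUserId);
  const body = (await (await fetchImpl(url, init)).json()) as PartnerTokenResponse;
  return pickDeviceToken(body, expectedAppSlug);
}
```

Your backend route calls `mintDeviceToken` after the user's own session is verified, and the app passes the returned `token` to `getDeviceToken`; the other response fields stay in server logs or your device-management UI.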

Public SDK Surface

The public SDK exposes:

  • LookLootCapture
  • setup options
  • "idle" / "active" state
  • lifecycle methods
  • runtime diagnostics for local packaged assets

It does not expose raw capture payloads, low-level transport objects, or internal data contracts as public API.

Published Package Contents

The npm package should contain only:

  • dist/index.js
  • dist/index.d.ts
  • dist/recorder-window.html
  • dist/audio-helper/windows-loopback-audio.ps1
  • dist/input-helper/lookloot-input-helper.exe
  • scripts/prepare-obs-runtime.mjs
  • README.md
  • package.json

dist/index.js bundles the private runtime and contracts and is minified and string-obfuscated during the SDK build. Source files and source maps should not be published.

The full OBS Studio portable runtime is not embedded in the npm package. It is downloaded or prepared by the partner build and redistributed as a separate Electron resource in the desktop installer.