Consent and security
Understand consent modes, domain restrictions, and security behavior for the Tiquo Hosted Package
Consent modes
The Hosted Package supports three consent modes.
anonymous
data-tiquo-consent="anonymous"
Anonymous consent allows website analytics without linking events to a known customer identity.
This mode can track page views, sessions, attribution, engagement, device data, and custom anonymous events.
full
window.Tiquo.setConsent("full");
Full consent allows analytics and known-customer linking. When a customer signs in, Tiquo can connect website activity to that customer record.
Use this after your consent banner or privacy flow has obtained permission to link activity to an identifiable customer.
none
window.Tiquo.setConsent("none");
No analytics events are sent while consent is none.
Recommended default
Use anonymous in the script tag:
<script
src="https://app.tiquo.app/tiquo/v1/tiquo.js"
data-tiquo-public-key="pk_dom_your_public_key"
data-tiquo-consent="anonymous"
async
></script>
Then call setConsent("full") only after the visitor has accepted the level of tracking your privacy policy requires.
Domain protection
Tiquo checks the request origin against the domains configured for your Auth DOM public key.
Requests from unconfigured websites are rejected. This prevents another website from copying your public key and using it from an unapproved domain.
Public key safety
The Auth DOM public key is safe to expose in browser code. It identifies the Tiquo organization and allowed website configuration, but it is not a secret.
Never put private API keys, admin API keys, or server secrets in the hosted script or website-builder custom code.
Token handling
The Hosted Package manages customer session tokens internally so it can call customer APIs after login. It does not expose raw token getter methods on window.Tiquo.
Because the script runs in the browser, any third-party scripts on the same page should be treated as part of your website security boundary.
Content rendering safety
Customer, order, and booking fields are rendered as text content by default.
When a field is rendered into an anchor element, the Hosted Package only allows safe link protocols such as https, http, mailto, tel, and relative URLs.
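If your own page code renders customer-supplied links next to the Hosted Package, the same rule can be applied there. The following is an added example, not Tiquo's implementation: safeHref and applyLink are hypothetical names, and treating any value without a scheme as a relative URL is an assumption of this sketch.

```javascript
// Added example (not Tiquo's code): protocol allowlist for values placed in <a href>.
// Allowlist taken from the protocols named on this page.
const SAFE_PROTOCOLS = new Set(["https:", "http:", "mailto:", "tel:"]);
// RFC 3986 scheme syntax: a letter, then letters/digits/+/-/., then ":".
const SCHEME = /^[a-zA-Z][a-zA-Z0-9+.-]*:/;

// Returns a string that is safe to use as href, or null if the value is rejected.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  // Browsers drop tab/newline anywhere in a URL and trim leading/trailing
  // control characters and spaces before parsing. Do the same first, so that
  // " java\tscript:..." is inspected in the form the browser would act on.
  const value = raw
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  if (value === "") return null;
  // No scheme: a relative URL, which inherits the page's own protocol.
  if (!SCHEME.test(value)) return value;
  let parsed;
  try {
    parsed = new URL(value); // lowercases the scheme during parsing
  } catch {
    return null; // malformed absolute URL
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Renders a link: the label goes in as text (never as HTML), and href is
// only set when it passes the allowlist. Returns true if href was set.
function applyLink(anchor, label, rawHref) {
  anchor.textContent = label;
  const href = safeHref(rawHref);
  if (href === null) {
    anchor.removeAttribute("href");
    return false;
  }
  anchor.setAttribute("href", href);
  return true;
}
```
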