You’re about to install Candu, a tool that lets your team create, manage, and publish in-app content without developers. This guide explains what’s involved, the decisions to make, and how to communicate requirements to engineering.
The install is quick. The decisions you make beforehand determine how far you can go with personalization and segmentation, but you can always add advanced configuration later.
Ready? Let's make sure you have everything you need before you begin!
Before you get started
Before you install Candu, discuss the following topics with your team. This will help you setup Candu for success from the start.
Plan your environments (e.g.,
app.example.com,staging.example.com)
Our recommendation is to start with one pre-production environment first to test, then add production once verified. You can add more environments later.
📌 Each environment can have its own Candu Workspace with separate settings and content. Learn more about Candu Workspaces.
Think about what data you'll need to achieve your content goals. Start with a couple of traits and send more later as needed.
Recommended user data to send:
userIDemailOptional:
role,plan,accountID, or any other user properties.
We recommend your team makes a list of properties and events to send (e.g., name, email, role, plan, signup date).
Common examples of personalization:
Display account-specific information (plan type, usage stats)
Show content based on user role (admin vs. regular user)
Target users who have/haven't completed an action
Greet users by name ("Welcome back, Sarah!")
Other key questions:
How do we want to identify users?
Unique
userID is ideal. Email is often sent as a secondary trait.Do we have dynamic or personalized URLs?
If URLs include IDs or tenant names (e.g.,
app.com/user/12345,tenant.app.com), you’ll need to send user data to target content reliably. Without user data, all users see identical content and targeting is URL/time-based only.Are we sending sensitive data?
What customer data is appropriate to send depends on your use case and compliance requirements. Candu can work completely anonymized, and we're SOC2 compliant with secure data handling.
If you're sending sensitive data (PII): Enable Identity Verification (signed identities) to prevent impersonation. Learn more about Enabling Identity Verification.
Install the Candu Snippet
Candu must be installed with the JavaScript snippet. This method supports all Candu features including personalization and segmentation. To get your Candu Script, navigate to Settings > Installation.
Select “Install Candu Code myself” or “Share with a teammate”
Copy the script
Add Candu’s script to your site's
<head>section (or as close as possible)
This code loads Candu's SDK (software development kit) into your site and identifies your account using your unique clientToken.
Unique clientToken
Each Candu installation script will have a unique clientToken. You can find the clientToken in Settings > Workspaces > Access Keys.
See Candu’s Developer Docs for more details.
Other Installation Methods
Guided installation for popular platforms that don’t require direct code access.
Navigate to Settings > Installation
Select “Install Candu Code myself”
Each platform has specific steps depending on how that platform handles custom code and setup varies by platform.
For more details on alternative installation options, click here.
Google Tag Manager (GTM) Installation
You can install Candu through your existing Google Tag Manager setup without modifying your site’s code directly. Ad blockers commonly block GTM, which means your Candu content may not appear for users with ad blockers enabled.
For mission-critical content, use standard JavaScript installation instead.
Whitelist Your Domains
This is a security feature that ensures Candu content only appears on websites you control.
Go to Settings > Workspaces in your Candu Dashboard
Find the "Whitelisted Domains" section
Add your domain(s) in this format:
https://www.yourdomain.com
Use wildcards for flexibility:
https://*.mysite.com→ Covers all subdomains (app.mysite.com, demo.mysite.com, etc.)
Add multiple domains if needed:
Development
Staging
Production
Content Security Policy (CSP)
If your app uses CSP, allowlist Candu hosts or the browser will block requests and log CSP violations in the Console.
CSP is a security feature that modern web applications use to prevent malicious code from running on their site. If your site has CSP rules, whitelist these Candu URLs:
https://api.candu.ai/
<https://cdn.candu.ai/>
<https://media.candulabs.com/
If these aren't whitelisted in your CSP, the browser will block them, and Candu won't load, content won't appear, and you'll see CORS violation errors in the browser console.
Send User Data to Candu
Getting more data into Candu via integrations is common. We support inbound and outbound connectors, and have a robust webhook framework to build your own.
Inbound:
Inbound Rest API
Hubspot
Rudderstack
Outbound:
Candu webhooks
Amplitude
HeapThere are three ways to do this:
See Candu’s Developer Docs for more details.
Identity Verification (Optional)
Enable signed identities if you pass PII or have strict compliance needs. This prevents bad actors from impersonating users and accessing their data.
You likely need it if:
You display variables with personal info
You send sensitive traits
Security/compliance requires request signing
Verify Installation
Time to make sure everything is working! You can see installation status in your Candu Dashboard under Settings > Installation. You can also:
Check with the Candu Chrome Extension
Install the Candu Chrome Extension
Navigate to a page where Candu is installed
Click the Candu extension icon
Click Page Status
If it shows SDK installed and SDK up to date in green, you're all set!
Note: Be sure to check the workspace matches your product's environment.
What's Next?
Now that your Candu snippet is live, you're ready to start creating. Learn more about:
Use snapshots to identify where on your site you'll embed Candu content.
The Chrome extension lets you place and preview content directly on your pages.
Align your content with your brand by defining colors, typography, and button styles in your Styleguide.
Additional resources for developers
Questions? Reach out to our support team at [email protected]. We're here to help!