← Back to Lite scan
For Partners

Embed the KSM™ Widget

Quick start

Drop this snippet anywhere on your site. The widget auto-mounts an iframe of the KSM™ audit form, respects your host layout, and opens the full report in a new tab on completion.

<div id="ksm-widget"></div>
<script
  src="https://ksm-model.lovable.app/widget.js"
  data-source="museplatforms.com"
  data-token="<HMAC-SIGNED-TOKEN>"
  data-theme="light"
  data-redirect="full"
  async
></script>

Attributes

AttributeValuesPurpose
data-targetCSS selectorWhere to mount. Default #ksm-widget, or auto-mounts next to the script tag.
data-sourcestring ≤ 120Attribution stored with the lead (e.g. museplatforms.com).
data-tokenHMAC tokenOptional. Verifies source is authentic — see below.
data-themelight | darkMatch your host site's palette. Default light.
data-redirectfull | inlinefull opens the report in a new tab; inline replaces the iframe with the report.

Signed embeds (anti-spoofing)

The data-source attribute is public — anyone can copy it. To prove a lead really came from your site, sign it once server-side with your shared secret and pass the token via data-token. We verify HMAC-SHA256 and mark the lead source_verified=true. Contact us for your KSM_EMBED_SECRET.

# Mint a token for a partner domain (server-side, one-time):
KSM_EMBED_SECRET=... bun scripts/sign-embed-token.ts museplatforms.com 365
# → paste the printed token into data-token=""

Tokens are base64url(payload).base64url(hmac), wherepayload = { source, exp } (exp = unix seconds). Rotate by re-signing.

Analytics events

The widget dispatches these events on the host page in three ways: CustomEvent on window, gtag('event', …) if GA4 is present, and dataLayer.push for GTM.

EventDetail
ksm:ready{}
ksm:submitted{ company, url }
ksm:completed{ scanId, overall, grade, source }
ksm:error{ message }

GA4

<!-- After your GA4 gtag.js loads -->
<script>
  window.addEventListener('ksm:completed', function (e) {
    gtag('event', 'ksm_completed', e.detail);
  });
</script>

Google Tag Manager

// GTM Custom Event trigger names to listen for:
//   ksm_ready · ksm_submitted · ksm_completed · ksm_error
// The widget pushes to dataLayer automatically — no extra code needed.

Live preview

The form below is the same iframe your visitors will see.

Manual mounting

The script exposes window.KSMWidget if you need to mount programmatically:

KSMWidget.mount({
  target: '#custom-container',
  source: 'museplatforms.com',
  token: '<HMAC>',
  theme: 'light',
  redirect: 'full',
});