Embed the KSM™ Widget
Quick start
Drop this snippet anywhere on your site. The widget auto-mounts an iframe of the KSM™ audit form, respects your host layout, and opens the full report in a new tab on completion.
<div id="ksm-widget"></div> <script src="https://ksm-model.lovable.app/widget.js" data-source="museplatforms.com" data-token="<HMAC-SIGNED-TOKEN>" data-theme="light" data-redirect="full" async ></script>
Attributes
| Attribute | Values | Purpose |
|---|---|---|
data-target | CSS selector | Where to mount. Default #ksm-widget, or auto-mounts next to the script tag. |
data-source | string ≤ 120 | Attribution stored with the lead (e.g. museplatforms.com). |
data-token | HMAC token | Optional. Verifies source is authentic — see below. |
data-theme | light | dark | Match your host site's palette. Default light. |
data-redirect | full | inline | full opens the report in a new tab; inline replaces the iframe with the report. |
Signed embeds (anti-spoofing)
The data-source attribute is public — anyone can copy it. To prove a lead really came from your site, sign it once server-side with your shared secret and pass the token via data-token. We verify HMAC-SHA256 and mark the lead source_verified=true. Contact us for your KSM_EMBED_SECRET.
# Mint a token for a partner domain (server-side, one-time): KSM_EMBED_SECRET=... bun scripts/sign-embed-token.ts museplatforms.com 365 # → paste the printed token into data-token=""
Tokens are base64url(payload).base64url(hmac), wherepayload = { source, exp } (exp = unix seconds). Rotate by re-signing.
Analytics events
The widget dispatches these events on the host page in three ways: CustomEvent on window, gtag('event', …) if GA4 is present, and dataLayer.push for GTM.
| Event | Detail |
|---|---|
ksm:ready | {} |
ksm:submitted | { company, url } |
ksm:completed | { scanId, overall, grade, source } |
ksm:error | { message } |
GA4
<!-- After your GA4 gtag.js loads -->
<script>
window.addEventListener('ksm:completed', function (e) {
gtag('event', 'ksm_completed', e.detail);
});
</script>Google Tag Manager
// GTM Custom Event trigger names to listen for: // ksm_ready · ksm_submitted · ksm_completed · ksm_error // The widget pushes to dataLayer automatically — no extra code needed.
Live preview
The form below is the same iframe your visitors will see.
Manual mounting
The script exposes window.KSMWidget if you need to mount programmatically:
KSMWidget.mount({
target: '#custom-container',
source: 'museplatforms.com',
token: '<HMAC>',
theme: 'light',
redirect: 'full',
});