Visitor Transparency Endpoint

Fusionaly ships a small JSON endpoint you can expose to end users so they can see exactly what the platform knows about their current session. It is designed for transparency overlays or privacy dashboards—not an admin API—and gives visitors a zero-effort way to verify the tracking footprint.

Endpoint

GET /x/api/v1/me

The handler responds with an anonymised fingerprint and the most recent events we have recorded for the visitor:

{
  "country": "es",
  "events": [
    { "timestamp": "2025-11-04T18:57:50.976Z", "url": "fusionaly.com/", "eventType": 2, "customEventKey": "scroll:section:about" },
    { "timestamp": "2025-11-04T18:57:50.964Z", "url": "fusionaly.com/", "eventType": 1 },
    { "timestamp": "2025-11-04T18:46:18.864Z", "url": "fusionaly.com/", "eventType": 2, "customEventKey": "scroll:section:about" },
    { "timestamp": "2025-11-04T18:46:18.773Z", "url": "fusionaly.com/", "eventType": 2, "customEventKey": "scroll:section:pricing" }
  ],
  "generatedAt": "2025-11-04T19:11:30Z",
  "visitorAlias": "Swift Sheep",
  "visitorId": "69323ea6c0a1a14682fb1ff13e075f1cce8fdfe6bc2407ed9271265468b926d3"
}

• visitorId is the exact hash stored with events.
• visitorAlias is the anonymised adjective/animal name shown in the dashboard.
• events contains up to the 25 most recent events (both processed and queued). eventType uses the same constants as the SDK (1 = page view, 2 = custom event).
• country uses the two-letter ISO code when GeoIP is configured; otherwise it is __unknown_country__.

When no history exists, events is simply an empty array.

Selecting the website

The visitor hash includes the tracked domain, so we resolve it in this order:

1. w query parameter (explicit override)
2. url query parameter (?url=https://app.example.com/dashboard)
3. Request host header (default when called directly from a tracked domain)

Example calls:

// Same host as the tracked site
fetch("/x/api/v1/me");

// Admin host pointing at a production site
fetch("/x/api/v1/me?w=example.com");

// Explicit URL context
fetch("/x/api/v1/me?url=https://app.example.com/dashboard");

If the domain has not been configured in Fusionaly yet, the API still returns 200 with the fingerprint and an empty events array. You can show this to users as “no events recorded yet.”

Privacy guarantees

Visitor identifiers rotate automatically once per day—every day at 00:00 UTC a new salt is used to derive the fingerprint. That means the transparency payload only ever contains interactions collected since the most recent rotation (roughly the last 24 hours) so long-term cross-day tracking is avoided by default.