Skip to main content
March 30, 2026
Auth - Apple Sign In via Apple JS SDK

Apple Sign In

Despia now supports Sign In with Apple using the Apple JS SDK across iOS, Android, and web, with platform-aware behaviour and full documentation.What ships today:
  • iOS native - native Face ID sheet. On iOS, the Apple JS SDK with usePopup: true opens the native Face ID / Apple ID sheet directly inside WKWebView. No oauth:// bridge is needed on iOS. The id_token is returned to your JavaScript callback with no page redirect, which avoids the blank white screen that causes App Store rejection when using a redirect-based flow.
  • Android native - oauth:// bridge. On Android, the oauth:// bridge opens Chrome Custom Tabs for the Apple OAuth flow. public/native-callback.html receives the id_token and code in the URL hash and fires the deeplink to close the tab. The oauth/ prefix in the deeplink is required.
  • Web - Apple JS SDK popup. On web, the Apple JS SDK popup returns the id_token directly to your JavaScript callback. No redirect flow is used.
  • Two response mode options for Android. The fragment mode redirects the browser directly to native-callback.html with #id_token in the hash - no backend POST handler needed. The form_post mode sends code, id_token, state, and user (name and email JSON, first login only) to your backend, which validates and redirects to native-callback.html with a session token.
  • Plain HTML callback file. public/native-callback.html is recommended over a React component for the callback page. React Router can strip the #id_token hash fragment on route change, causing tokens to disappear. The plain HTML file bypasses React Router entirely and reads the hash directly from the browser. Chrome Custom Tabs hides the URL bar, so the .html extension is never visible to users.
  • React, Vue, Vanilla JS, and HTML auth page examples. All auth page examples include the searchParams dependency array fix to handle the already-mounted page problem, where the deeplink updates the URL without remounting the component and the token handler never re-runs.
Apple Sign In requires a Services ID configured in the Apple Developer Console with your domain and return URL registered. The client secret JWT generated from your .p8 private key expires after 6 months - set a reminder to regenerate it before expiry or Apple Sign In will silently stop working.Full documentation is available at Apple Sign InPackages:A rebuild is required. No dashboard configuration changes are required beyond enabling the Apple JS SDK script tag and configuring your Apple Services ID credentials in your backend auth provider.
March 28, 2026
Analytics - AppsFlyer attribution and event tracking

AppsFlyer integration

Despia now includes a full AppsFlyer integration for install attribution, deep linking, in-app event tracking, and creator affiliate link support on both iOS and Android.What ships today:
  • Install attribution. The native AppsFlyer SDK is initialised automatically at launch on both iOS and Android. Attribution data is captured at install time, cached on-device, and injected into your web layer on every page load via despia.appsFlyerAttribution, despia.appsFlyerReferrer, and despia.appsFlyerUID. No setup code required.
  • Normalised referrer string. despia.appsFlyerReferrer provides a clean source string on every load - values like tiktok_ad, facebook_organic, google_ad, and organic - ready to use for onboarding personalisation and funnel branching without any parsing.
  • Deep linking. When a user opens the app via a campaign or creator OneLink URL, Despia resolves the deep link natively and navigates the WebView to the correct path automatically. deep_link_value maps directly to a route in your web app. No navigation code required from the web layer for fresh launches.
  • Re-engagement callback. For users who already have the app installed and tap a campaign link while the app is open, Despia calls window.onAppsFlyerDeepLink(data) with the full click event payload so your app can respond without a full page reload.
  • Creator and affiliate links. Deep link params support deep_link_sub1 through deep_link_sub5 for creator codes and affiliate IDs. Each creator can receive a unique OneLink URL. Attribution, commission tracking, and welcome personalisation are available from the same payload.
  • Event bridge. In-app events are forwarded from your web layer to the native AppsFlyer SDK via despia("appsflyer://log_event?..."). Standard af_ prefixed events map automatically to Meta and TikTok conversion events in their dashboards. Custom events appear in the AppsFlyer dashboard for funnel and retention analysis.
  • User identification. set_user_id, set_email, and set_phone are all supported. Emails and phone numbers are hashed with SHA256 automatically before transmission.
  • GDPR consent. set_consent accepts is_gdpr and has_consent params and passes them directly to the AppsFlyer SDK consent API.
  • On-demand data retrieval. Both get_uid and get_attribution support an await pattern - await despia("appsflyer://get_uid", ["appsFlyerUID"]) - for cases where you need the value immediately in the same execution flow.
  • Ad revenue tracking. Coming soon - despia("appsflyer://log_ad_revenue?...") will allow impression-level revenue reporting back to AppsFlyer from Meta, TikTok, and AdMob to enable LTV and ROAS reporting per acquisition channel.
Configuration is handled entirely in the Despia dashboard with no native code changes required. Go to Despia > App > Settings > Integrations > AppsFlyer to enter your dev key, Apple App ID, OneLink URLs, and ad platform credentials. Despia configures Universal Links on iOS and App Links on Android automatically from the values you enter.Full documentation is available at AppsFlyer.Packages:A rebuild is required after enabling the integration in the dashboard. No other integration code changes are required beyond calling the bridge methods documented above.
March 26, 2026
Local CDN - new query method to fetch all cached items

Local CDN - query all cached files

A new localcdn://query method is available on the Local CDN API, returning every cached file in a single call without requiring individual IDs.Previously, retrieving cached file metadata required passing a known list of index IDs to localcdn://read. There was no way to get a full inventory of the cache without tracking IDs separately in application state.What ships today:
  • localcdn://query. Calling await despia('localcdn://query', ['cdnItems']) returns the full cdnItems array containing every file currently in the local cache, across all folders.
  • Same response schema. Each item in the returned array follows the existing response schema - index, index_full, local_cdn, local_path, cdn, size, status, and created_at - identical to localcdn://read output.
Full reference documentation is available on the Local CDN reference page.No dashboard configuration changes or rebuild steps are required. Update despia-native to the latest version to access the new method.
March 30, 2026
Auth - Apple Sign In via Apple JS SDK

Apple Auth

Despia now supports Sign In with Apple using the Apple JS SDK across iOS, Android, and web, with platform-aware behaviour and full documentation.What ships today:
  • iOS native - native Face ID sheet. On iOS, the Apple JS SDK with usePopup: true opens the native Face ID / Apple ID sheet directly inside WKWebView. No oauth:// bridge is needed on iOS. The id_token is returned to your JavaScript callback with no page redirect, which avoids the blank white screen that causes App Store rejection when using a redirect-based flow.
  • Android native - oauth:// bridge. On Android, the oauth:// bridge opens Chrome Custom Tabs for the Apple OAuth flow. public/native-callback.html receives the id_token and code in the URL hash and fires the deeplink to close the tab. The oauth/ prefix in the deeplink is required.
  • Web - Apple JS SDK popup. On web, the Apple JS SDK popup returns the id_token directly to your JavaScript callback. No redirect flow is used.
  • Two response mode options for Android. The fragment mode redirects the browser directly to native-callback.html with #id_token in the hash - no backend POST handler needed. The form_post mode sends code, id_token, state, and user (name and email JSON, first login only) to your backend, which validates and redirects to native-callback.html with a session token.
  • Plain HTML callback file. public/native-callback.html is recommended over a React component for the callback page. React Router can strip the #id_token hash fragment on route change, causing tokens to disappear. The plain HTML file bypasses React Router entirely and reads the hash directly from the browser. Chrome Custom Tabs hides the URL bar, so the .html extension is never visible to users.
  • React, Vue, Vanilla JS, and HTML auth page examples. All auth page examples include the searchParams dependency array fix to handle the already-mounted page problem, where the deeplink updates the URL without remounting the component and the token handler never re-runs.
Apple Sign In requires a Services ID configured in the Apple Developer Console with your domain and return URL registered. The client secret JWT generated from your .p8 private key expires after 6 months - set a reminder to regenerate it before expiry or Apple Sign In will silently stop working.Full documentation is available at Apple Sign In.Packages:A rebuild is required. No dashboard configuration changes are required beyond enabling the Apple JS SDK script tag and configuring your Apple Services ID credentials in your backend auth provider.
March 28, 2026
Analytics - AppsFlyer attribution and event tracking

AppsFlyer integration

Despia now includes a full AppsFlyer integration for install attribution, deep linking, in-app event tracking, and creator affiliate link support on both iOS and Android.What ships today:
  • Install attribution. The native AppsFlyer SDK is initialised automatically at launch on both iOS and Android. Attribution data is captured at install time, cached on-device, and injected into your web layer on every page load via despia.appsFlyerAttribution, despia.appsFlyerReferrer, and despia.appsFlyerUID. No setup code required.
  • Normalised referrer string. despia.appsFlyerReferrer provides a clean source string on every load - values like tiktok_ad, facebook_organic, google_ad, and organic - ready to use for onboarding personalisation and funnel branching without any parsing.
  • Deep linking. When a user opens the app via a campaign or creator OneLink URL, Despia resolves the deep link natively and navigates the WebView to the correct path automatically. deep_link_value maps directly to a route in your web app. No navigation code required from the web layer for fresh launches.
  • Re-engagement callback. For users who already have the app installed and tap a campaign link while the app is open, Despia calls window.onAppsFlyerDeepLink(data) with the full click event payload so your app can respond without a full page reload.
  • Creator and affiliate links. Deep link params support deep_link_sub1 through deep_link_sub5 for creator codes and affiliate IDs. Each creator can receive a unique OneLink URL. Attribution, commission tracking, and welcome personalisation are available from the same payload.
  • Event bridge. In-app events are forwarded from your web layer to the native AppsFlyer SDK via despia("appsflyer://log_event?..."). Standard af_ prefixed events map automatically to Meta and TikTok conversion events in their dashboards. Custom events appear in the AppsFlyer dashboard for funnel and retention analysis.
  • User identification. set_user_id, set_email, and set_phone are all supported. Emails and phone numbers are hashed with SHA256 automatically before transmission.
  • GDPR consent. set_consent accepts is_gdpr and has_consent params and passes them directly to the AppsFlyer SDK consent API.
  • On-demand data retrieval. Both get_uid and get_attribution support an await pattern - await despia("appsflyer://get_uid", ["appsFlyerUID"]) - for cases where you need the value immediately in the same execution flow.
  • Ad revenue tracking. Coming soon - despia("appsflyer://log_ad_revenue?...") will allow impression-level revenue reporting back to AppsFlyer from Meta, TikTok, and AdMob to enable LTV and ROAS reporting per acquisition channel.
Configuration is handled entirely in the Despia dashboard with no native code changes required. Go to Despia > App > Settings > Integrations > AppsFlyer to enter your dev key, Apple App ID, OneLink URLs, and ad platform credentials. Despia configures Universal Links on iOS and App Links on Android automatically from the values you enter.Full documentation is available at AppsFlyer.Packages:A rebuild is required after enabling the integration in the dashboard. No other integration code changes are required beyond calling the bridge methods documented above.
March 26, 2026
Local CDN - new query method to fetch all cached items

Local CDN - query all cached files

A new localcdn://query method is available on the Local CDN API, returning every cached file in a single call without requiring individual IDs.Previously, retrieving cached file metadata required passing a known list of index IDs to localcdn://read. There was no way to get a full inventory of the cache without tracking IDs separately in application state.What ships today:
  • localcdn://query. Calling await despia('localcdn://query', ['cdnItems']) returns the full cdnItems array containing every file currently in the local cache, across all folders.
  • Same response schema. Each item in the returned array follows the existing response schema - index, index_full, local_cdn, local_path, cdn, size, status, and created_at - identical to localcdn://read output.
Full reference documentation is available on the Local CDN reference page.No dashboard configuration changes or rebuild steps are required. Update despia-native to the latest version to access the new method.
March 22, 2026
Local Server - generally available in beta

Local server

Despia now ships a local server for iOS and Android. Your web build downloads to the device on first launch and is served from an on-device HTTP server at http://localhost. From that point on, the app boots with zero network latency and works completely offline.What ships today:
  • On-device HTTP server. Assets are served from http://localhost, not file:// or a custom scheme. BrowserRouter, Vue Router, and any routing library that expects a real HTTP origin work without modification.
  • First-launch hydration. On first open, Despia fetches your web build from your existing hosting (Netlify, Vercel, AWS, or anything else) and caches it on the device. No migration required.
  • OTA updates. On startup, Despia fetches despia/local.json and compares the deployed_at timestamp with the cached value. If it has changed, the new build downloads in the background and applies on next launch. No app store review needed for HTML, CSS, JavaScript, image, or font changes.
  • @despia/local build plugin. Available for Vite, Webpack, Rollup, Nuxt, SvelteKit, Astro, Remix, esbuild, and any build system via a postbuild CLI hook. The plugin scans your output directory after each build and generates despia/local.json automatically.
  • despia-version-guard. A companion package for gating web UI features behind a minimum native runtime version. Supports React, Vue, Angular, Svelte, and Vanilla JS.
Store compliance. The local server downloads web content only (HTML, CSS, JS, images, fonts). No native code or executables are downloaded after submission. The approach follows patterns established by Expo and is compliant with Apple App Store Guideline 3.3.2 and the Google Play Malicious Behavior Policy.This feature is in final beta. To request access, email offlinemode@despia.com.Documentation: Local Server Introduction and Reference.Packages: