Widget
One script tag, two IDs, a signed user token. Star ratings, threaded reviews, reactions. Vanilla DOM, grayscale chrome that disappears into your product.
Star ratings, threaded reviews, reactions, and moderation — embedded in your product with two IDs and a signed JWT. Ship today. revws handles persistence, auth federation, and rendering.
Quickstart
Every product gets a public id (pub_…) and a signing secret (sk_…) in the dashboard. The secret stays on your server; rotate it any time.
Your users, your identity — revws never owns accounts.
# Your backend mints a short-lived JWT per signed-in user.
import jwt, time
token = jwt.encode(
{
"iss": "pub_...", # your product id
"sub": user.id, # YOUR user id
"name": user.display_name,
"exp": int(time.time()) + 600,
},
PRODUCT_SIGNING_SECRET, # sk_... from the dashboard
algorithm="HS256",
)The widget mounts, fetches the thread, and renders. Theme with one CSS variable.
<script src="https://cdn.revws.io/v1/widget.js"
data-product="pub_..."
data-page="<your page id>"
data-user-token="<signed JWT>"></script>
<div id="revws"></div>What we do
One script tag, two IDs, a signed user token. Star ratings, threaded reviews, reactions. Vanilla DOM, grayscale chrome that disappears into your product.
GET /v1/threads, POST /v1/reviews, POST /v1/reactions. For server-side rendering, custom UIs, mobile clients, and exports.
review.created, review.deleted — signed payloads so your policy engine can act on every event. Not live yet; moderation runs in the dashboard today.
Pricing
Enterprise — contract pricing, per-workspace limits, priority support. Talk to us.
These answers run on revws itself — read them, or post your own question below and we'll reply.
FAQ
Your backend signs a short-lived HS256 JWT with your product's signing secret — two IDs and a token, nothing else to wire up. The widget sends it as a bearer on every call, and tokens live at most 15 minutes. Your users never create a revws account, so we never own their identity or email them.
It's built to disappear into your product. The chrome is grayscale and inherits your font, and you set your brand color by overriding one CSS variable, --revws-accent. Need more control? The markup is plain, semantic DOM with stable class names, so your own stylesheet can restyle any part of it. No iframe, no theme config file, no fighting our CSS.
Under 30 KB gzipped — today's build is comfortably below the budget. It's vanilla DOM with no framework runtime, and it paints a full thread from a single API call, targeting under 150 ms at p95.
The reviews and replies your users write through the public API — that's the one metered unit, and it's what your plan's monthly review cap counts. Reactions never count. Reads don't count against that review cap either, but they aren't unlimited: widget loads carry their own fair-use ceiling that scales with your tier. You're billed for what gets written, and loads just need to stay in a sensible range for your plan.
Depends which cap, and both scale with your plan. Writes: hit your monthly review cap and new reviews pause until the next UTC month, while everything already posted keeps rendering — nothing is deleted. Reads: widget loads carry a generous fair-use ceiling, so they don't hard-stop; if you're steadily over it we'll reach out about the right tier rather than break your widget. Free sits lowest on both, and each paid tier raises them.
You do. Every thread and review is readable through the REST API with your own signed tokens, so a full export is a script, not a support ticket. Delete your product and the keys — and the data — go with it. No ads, no trackers, no selling data, ever.
Yes. Every review lands in a moderation view in your dashboard where you can hide, restore, or edit anything. Blocklist rules run automatically on every tier — a handful on free, many more as you scale up. The identity on each review is the id your JWT carried, so you always know exactly who wrote what.
The REST API and the drop-in widget already work with any stack — two IDs and a script tag. Framework wrappers (React/Vue) and server SDKs are on the roadmap, but the raw API isn't going anywhere, so you won't be stuck waiting on one.
Ready when you are
Private beta — keys granted within a day.