Session Replay Standalone SDK
Session Replay instrumentation
Session Replay isn't enabled by default, and requires setup beyond the standard Amplitude instrumentation.
This article covers the installation of Session Replay using the standalone SDK. If you use a provider other than Amplitude for in-product analytics, choose this option. If your site is already instrumented with Amplitude Browser SDK, use the Session Replay Browser SDK Plugin.
Session Replay and performance
Amplitude built Session Replay to minimize impact on the performance of web pages on which it's installed by:
- Asynchronously processing through webhooks (if enabled) for efficient compression and optimizing bundle sizes.
- Using batching and lightweight compression to reduce the number of network connections and bandwidth.
- Optimizing DOM processing.
Bundle size
The Session Replay standalone SDK adds to your application's bundle size.
For the most up-to-date bundle size information, check the npm package page or BundlePhobia.
Runtime performance
Session Replay runs asynchronously and processes replay data in the background to avoid blocking the main thread. Performance characteristics include:
- DOM capture: DOM snapshot capture typically adds less than 5ms of processing time for each page interaction. Initial page load snapshot capture may take 10-50ms depending on page complexity.
- Memory usage: Session Replay stores replay events in memory or IndexedDB (configurable using
storeType). Memory usage scales with session length and page complexity, typically ranging from 1-10 MB for each active session. - CPU impact: With default settings, Session Replay uses less than 2% of CPU time during normal operation. Compression operations are deferred to browser idle periods when
performanceConfig.enabledistrue(default). - Network bandwidth: Replay data is compressed before upload, typically reducing payload size by 60-80%. Network requests are batched and sent asynchronously.
Performance optimization
To optimize Session Replay performance:
- Enable
useWebWorkerto move compression off the main thread, reducing CPU impact on the main thread. - Configure
performanceConfig.timeoutto control when deferred compression occurs. - Use
sampleRateto reduce the number of sessions captured, which directly reduces CPU and memory usage. - Set
storeTypetomemoryif you don't need persistence across page reloads, reducing IndexedDB overhead.
For detailed performance testing results, see the Session Replay performance testing blog post.
Session Replay captures changes to a page's Document Object Model (DOM), including elements in the shadow DOM, then replays these changes to build a video-like replay. For example, at the start of a session, Session Replay captures a full snapshot of the page's DOM. As the user interacts with the page, Session Replay captures each change to the DOM as a diff. When you watch the replay of a session, Session Replay applies each diff back to the original DOM in sequential order, to construct the replay. Session replays have no maximum length.
Before you begin
Use the latest version of the Session Replay standalone SDK above version {{sdk_versions:session_replay_standalone}}. For more information, see the change log on GitHub.
Session Replay Standalone SDK requires that:
- Your application is web-based.
- You track sessions with a timestamp, which you can pass to the SDK. You inform the SDK whenever a session timestamp changes.
- You can provide a device ID to the SDK.
- The
Session IDandDevice IDyou pass to the Standalone SDK must match those sent as event properties to Amplitude.
The Standalone SDK doesn't provide Session management capabilities. Your application or a third-party integration must update the SDK with changes to Session ID and Device ID.
Quickstart
Install the plugin with npm or yarn.
Unified SDK
Install the Browser Unified SDK to access the Experiment SDK along with other Amplitude products (Analytics, Session Replay). The Unified SDK provides a single entry point for all Amplitude features and simplifies the integration process by handling the initialization and configuration of all components.
# Install Session Replay SDK only
npm install @amplitude/session-replay-browser --save
# Or install Unified SDK to get access to all Amplitude products
npm install @amplitude/unified
Configure your application code.
- Call
sessionReplay.initto begin collecting replays. Pass the API key, session identifier, and device identifier. - When the session identifier changes, pass the new value to Amplitude with
sessionReplay.setSessionId. - Amplitude automatically creates the
[Amplitude] Replay Capturedevent to link replays with your analytics data. See Session Replay ID for more information.
import * as sessionReplay from "@amplitude/session-replay-browser";
import 3rdPartyAnalytics from 'example'
const AMPLITUDE_API_KEY = "key"
// Configure the SDK and begin collecting replays
await sessionReplay.init(AMPLITUDE_API_KEY, {
deviceId: "<string>",
sessionId: "<string | number>",
optOut: "<boolean>",
sampleRate: "<number>"
}).promise;
// Call whenever the session id changes
await sessionReplay.setSessionId(sessionId).promise;
Session Replay instrumentation happens in the context of an Amplitude Project. Your replay quota is defined on the Organization level. As a result, you may have multiple Session Replay implementations, across multiple projects each with their own sample rate, that pull from the same quota.
You can also use script tags to instrument Session Replay:
<script src="https://cdn.amplitude.com/libs/session-replay-browser-{{sdk_versions:session_replay_standalone}}-min.js.gz"></script>
<script>
window.sessionReplay.init(AMPLITUDE_API_KEY, {
deviceId: "<string>",
sessionId: "<string | number>",
sampleRate: "<number>"
//...other options
})
// Call whenever the session id changes
window.sessionReplay.setSessionId(sessionId);
</script>
Session Replay ID
Amplitude automatically creates the [Amplitude] Replay Captured event when Session Replay captures a session. This event includes the [Amplitude] Session Replay ID property, which links the replay to your analytics data. No manual instrumentation is required.
[Amplitude] Session Replay ID is a unique identifier for the replay, and is different from [Amplitude] Session ID, which is the identifier for the user's session by default.
The session replay ID has the format <deviceId>/<sessionId>. Because Session Replay uses / as a delimiter, deviceId and custom session ID string values can't contain /. Accepted characters: a-z A-Z 0-9 _ - . | @ : =. If you need an additional character, contact Amplitude support.
Amplitude links replays with a session replay ID. To combine multiple sessions into a single replay, ensure each session references the same device ID and session ID.
Legacy implementations
If you have a legacy implementation that manually adds the [Amplitude] Session Replay ID property to events using getSessionReplayProperties(), this continues to work. However, Amplitude's automatic [Amplitude] Replay Captured event is the recommended approach.
Not seeing replays?
If replays don't appear in the Amplitude UI, check that you see the [Amplitude] Replay Captured event in your project. If you don't see this event, contact Amplitude support.
Configuration
Pass the following configuration options when you initialize the Session Replay SDK.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
deviceId | string | Yes | undefined | Sets an identifier for the device running your application. |
sessionId | string | number | Yes | undefined | Sets an identifier for the user's current session. Use a Unix timestamp in milliseconds (number) for standard session tracking, or a custom string for custom session definitions. Custom string values must follow the accepted character set. |
sampleRate | number | No | 0 | Use this option to control how many sessions to select for replay collection. The number should be a decimal between 0 and 1, for example 0.4, representing the fraction of sessions to have randomly selected for replay collection. Over a large number of sessions, 0.4 would select 40% of those sessions. Sample rates as small as six decimal places (0.000001) are supported. |
optOut | boolean | No | false | Sets permission to collect replays for sessions. Setting a value of true prevents Amplitude from collecting session replays. |
flushMaxRetries | number | No | 5 | Sets the maximum number of retries for failed upload attempts. This is only applicable to errors that Amplitude can retry. |
logLevel | number | No | LogLevel.Warn | LogLevel.None or LogLevel.Error or LogLevel.Warn or LogLevel.Verbose or LogLevel.Debug. Sets the log level. |
loggerProvider | Logger | No | Logger | Sets a custom loggerProvider class from the Logger to emit log messages to desired destination. |
serverZone | string | No | US | EU or US. Sets the Amplitude server zone. Set this to EU for Amplitude projects created in EU data center. |
privacyConfig | object | No | undefined | Supports advanced masking configurations with CSS selectors. Review Mask on-screen data for more information. |
applyBackgroundColorToBlockedElements | boolean | No | false | If true, applies a background color to blocked elements for visual masking. This helps visualize which elements are blocked from being captured in the replay. |
debugMode | boolean | No | false | Adds additional debug event property to help debug instrumentation issues (such as mismatching apps). Only recommended for debugging initial setup, and not recommended for production. |
configServerUrl | string | No | undefined | Specifies the endpoint URL to fetch remote configuration. If provided, it overrides the default server zone configuration. |
trackServerUrl | string | No | undefined | Specifies the endpoint URL to send session replay data. If provided, requests from the SDK will be forwarded there instead of the default SR endpoint. |
shouldInlineStylesheet | boolean | No | true | If stylesheets are inlined, the contents of the stylesheet are stored. During replay, the stored stylesheet is used instead of attempting to fetch it remotely. This prevents replays from appearing broken due to missing stylesheets. Inlining stylesheets may not work in all cases. If this is undefined stylesheets are inlined. |
storeType | string | No | idb | Specifies how replay events should be stored. idb uses IndexedDB to persist replay events when all events can't be sent during capture. memory stores replay events only in memory, meaning events are lost when the page is closed. If IndexedDB is unavailable, the system falls back to memory. |
performanceConfig.enabled | boolean | No | true | If enabled, event compression will be deferred to occur during the browser's idle periods. |
performanceConfig.timeout | number | No | undefined | Optional timeout in milliseconds for the requestIdleCallback API. If specified, this value sets a maximum time for the browser to wait before executing the deferred compression task, even if the browser isn't idle. |
useWebWorker | boolean | No | false | Uses a web worker to compress replay events. This improves performance by moving compression off the main thread. |
API endpoints
Session Replay uses the following API endpoints:
- Data ingestion:
- US:
https://api-sr.amplitude.com/sessions/v2/track. - EU:
https://api-sr.eu.amplitude.com/sessions/v2/track. - Session Replay sends captured replay data to these endpoints.
- US:
- Remote configuration:
- US:
https://sr-client-cfg.amplitude.com/config. - EU:
https://sr-client-cfg.eu.amplitude.com/config. - Session Replay fetches remote configuration from these endpoints.
- US:
If you set up a domain proxy, forward requests to these endpoints. You can override these defaults using the trackServerUrl and configServerUrl configuration options.
Mask on-screen data
The Session Replay SDK offers three ways to mask user input, text, and other HTML elements.
| Element | Description |
|---|---|
<input> | Session Replay masks all text input fields by default. When a users enters text into an input field, Session Replay captures asterisks in place of text. To unmask a text input, add the class .amp-unmask. For example: <input class="amp-unmask">. |
| text | To mask text within non-input elements, add the class .amp-mask. For example, <p class="amp-mask">Text</p>. When masked, Session Replay captures masked text as a series of asterisks. |
| non-text elements | To block a non-text element, add the class .amp-block. For example, <div class="amp-block"></div>. Session Replay replaces blocked elements with a placeholder of the same dimensions. |
Session Replay supports setting a masking level on the Session Replay Settings screen in Amplitude. This includes Light, Medium, and Conservative settings.
Session Replay settings also enable remote masking overrides. These enable users in your organization to configure or update masking after implementation.
In the event of a conflict, Session Replay defers to the remote setting. For example:
| .selector-1 | .selector-2 | .selector-3 | |
|---|---|---|---|
| Local setting | mask | -- | mask |
| Remote setting | unmask | unmask | -- |
| Result | unmask | unmask | mask |
In this example, .selector-1 has a local setting and a remote setting. The result follows the remote setting, and overrides the setting in the SDK or plugin implementation.
Specify elements to block or mask in the privacyConfig object during configuration.
// This configuration blocks .no-track and #ads, sets the default mask level,
// and defines the mask and unmask selectors.
await sessionReplay.init(AMPLITUDE_API_KEY, {
privacyConfig: {
blockSelector: ['.no-track', '#ads'],
defaultMaskLevel: 'medium',
maskSelector: ['.sensitive-data', '.user-email'],
unmaskSelector: ['.public-info', '#main-content']
}
}).promise;
CSS selectors
Session Replay's configuration supports many types of CSS Selector. Specify an element tag (h1 or textarea), a class name (.hidden) or a data attribute.
Data attributes may be useful if your class names change often due to hashing. To use data attributes, add a custom attribute like data-amp-unmask or data-amp-mask to any HTML element. For example, <textarea data-amp-unmask></textarea>, then enclose the attribute in square brackets when you specify the selector, [data-amp-unmask].
Remote configuration
If remote configuration is enabled, and fails to load, Session Replay doesn't capture any sessions. This ensures that Amplitude respects any privacy settings you define in the Admin interface, and you don't accidentally capture sensitive data.
User opt-out
Session Replay provides an option for opt-out configuration. This prevents Amplitude from collecting session replays when passed as part of initialization. For example:
// Pass a boolean value to indicate a users opt-out status
await sessionReplay.init(AMPLITUDE_API_KEY, {
optOut: true,
}).promise;
Content Security Policy (CSP)
If your web application uses a strict Content Security Policy, add the following directives:
Required CSP directives
script-src: https://cdn.amplitude.com;
connect-src: https://api-secure.amplitude.com;
worker-src: blob:;
CSP directives reference
| Directive | Domain | Required | Description |
|---|---|---|---|
script-src | https://cdn.amplitude.com | Yes, if using CDN | Allows loading the Session Replay SDK from Amplitude's CDN. |
connect-src | https://api-secure.amplitude.com | Yes (US) | Allows sending replay data to Amplitude's US servers. |
connect-src | https://api.eu.amplitude.com | Yes (EU) | Allows sending replay data to Amplitude's EU servers. Required if you set serverZone: "EU". |
worker-src | blob: | Yes, if using web workers | Required if you enable the useWebWorker option for replay event compression. |
API endpoints
Session Replay sends data to the following endpoints:
| Region | Endpoint | Purpose |
|---|---|---|
| US (default) | https://api-secure.amplitude.com/sessions/track | Replay data ingestion. |
| EU | https://api.eu.amplitude.com/sessions/track | Replay data ingestion for EU data residency. |
| US (default) | https://api-secure.amplitude.com/sessions/config | Remote configuration (sample rate settings). |
| EU | https://api.eu.amplitude.com/sessions/config | Remote configuration for EU data residency. |
Example CSP header
For US data center:
Content-Security-Policy: script-src 'self' https://cdn.amplitude.com; connect-src 'self' https://api-secure.amplitude.com; worker-src 'self' blob:;
For EU data center:
Content-Security-Policy: script-src 'self' https://cdn.amplitude.com; connect-src 'self' https://api.eu.amplitude.com; worker-src 'self' blob:;
If you use the configServerUrl or trackServerUrl configuration options to specify custom endpoints, add those domains to your connect-src directive instead.
EU data residency
Session Replay is available to Amplitude Customers who use the EU data center. Set the serverZone configuration option to EU during initialization. For example:
// For European users, set the serverZone to "EU"
await sessionReplay.init(AMPLITUDE_API_KEY, {
serverZone: "EU",
}).promise;
Sampling rate
By default, Session Replay captures 0% of sessions for replay. Use the sampleRate configuration option to set the percentage of total sessions that Session Replay captures. For example:
// This configuration samples 1% of all sessions
await sessionReplay.init(AMPLITUDE_API_KEY, {
sampleRate: 0.01
}).promise;
To set the sampleRate consider the monthly quota on your Session Replay plan. For example, if your monthly quota is 2,500,000 sessions, and you average 3,000,000 monthly sessions, your quota is 83% of your average sessions. In this case, to ensure sampling lasts through the month, set sampleRate to .83 or lower.
Keep the following in mind as you consider your sample rate:
- When you reach your monthly session quota, Amplitude stops capturing sessions for replay.
- Session quotas reset on the first of every month.
- Use sample rate to distribute your session quota over the course of a month, rather than using your full quota at the beginning of the month.
- To find the best sample rate, Amplitude recommends that you start low, for example
.01. If this value doesn't capture enough replays, raise the rate over the course of a few days. For ways to monitor the number of session replays captured, see View the number of captured sessions.
Session Replay supports remote sampling rate settings. This enables users in your organization to configure or update the sampling rate of your project after implementation, without a code change. In the event of a conflict, Session Replay defaults to the remote setting. For more information, see Account Settings.
Disable replay collection
Once enabled, Session Replay runs on your site until either:
- The user leaves your site
- You call
sessionReplay.shutdown()
Call sessionReplay.shutdown() before a user navigates to a restricted area of your site to disable replay collection while the user is in that area.
Call sessionReplay.init(API_KEY, {...options}) to re-enable replay collection when the return to an unrestricted area of your site.
You can also use a feature flag product like Amplitude Experiment to create logic that enables or disables replay collection based on criteria like location. For example, you can create a feature flag that targets a specific user group, and add that to your initialization logic:
import * as sessionReplay from "@amplitude/session-replay-browser";
import 3rdPartyAnalytics from 'example'
const AMPLITUDE_API_KEY = <...>
await sessionReplay.init(AMPLITUDE_API_KEY, {
deviceId: <string>,
sessionId: <string | number>,
optOut: <boolean>,
sampleRate: <number>
}).promise;
Data retention
Session replay uses existing Amplitude tools and APIs to handle privacy and deletion requests.
Consent management and Session Replay
While privacy laws and regulations vary across states and countries, certain constants exist, including the requirements to disclose in a privacy notice the categories of personal information you are collecting, the purposes for its use, and the categories of third parties with which personal information is shared. When implementing a session replay tool, you should review your privacy notice to make sure your disclosures remain accurate and complete. And as a best practice, review your notice with legal counsel to make sure it complies with the constantly evolving privacy laws and requirements applicable to your business and personal information data practices.
Retention period
If your Amplitude plan includes Session Replay, Amplitude retains raw replay data for 30 days from the date of ingestion.
Purchase extra retention time, up to a maximum of 12 months. For more information, contact Amplitude Support.
If you purchase extra session volume, Amplitude retains raw replay data for up to 12 months from the date of ingestion. If you need a more strict policy, contact Amplitude support to set the value to 30 days.
Changes to the retention period impact replays ingested after the change. Sessions captured and ingested before a retention period change retain the previous retention period.
Replays that are outside of the retention period aren't viewable in Amplitude.
DSAR API
The Amplitude DSAR API returns metadata about session replays, but not the raw replay data. Amplitude automatically creates the [Amplitude] Replay Captured event when Session Replay captures a session. This event includes the [Amplitude] Session Replay ID property, which provides information about the sessions collected for replay for the user.
{
"amplitude_id": 123456789,
"app": 12345,
"event_time": "2020-02-15 01:00:00.123456",
"event_type": "first_event",
"server_upload_time": "2020-02-18 01:00:00.234567",
"device_id": "your device id",
"user_properties": { ... },
"event_properties": {
"[Amplitude] Session Replay ID": "cb6ade06-cbdf-4e0c-8156-32c2863379d6/1699922971244"
},
"session_id": 1699922971244,
}
Data deletion
Session Replay uses Amplitude's User Privacy API to handle deletion requests. Successful deletion requests remove all session replays for the specified user.
When you delete the Amplitude project on which you use Session Replay, Amplitude deletes that replay data.
Bot filter
Session Replay uses the same block filter available in the Amplitude app. Session Replay doesn't block traffic based on event or user properties.
Session Replay storage
Session Replay doesn't set cookies on the user's browser. Instead, it relies on a browser storage option called IndexedDB by default. This option enables continuous replay collection during a session in which the user navigates browser tabs or closes and reopens a tab. The SDK cleans up the data it stores in IndexedDB and shouldn't impact the user's disk space.
If the environment doesn't support IndexedDB, Session Replay falls back to an in-memory storage option. In-memory storage is less durable and data is lost when the user closes their browser window. Set the config option storeType to 'memory' to force in-memory storage.
If a user opts out of all cookies on your site, use the optOut configuration option to disable replay collection for that user.
IndexedDB best practices
To ensure that IndexedDB is initialized and working properly:
Review CSP headers to ensure they're not overly restrictive. Ensure
default-srcandscript-srcdirectives allow necessary sources.Perform IndexedDB operations within the same origin. Cross-origin restrictions can block IndexedDB operations.
Confirm that users use a modern browser that supports IndexedDB. Amplitude recommends the latest versions of Chrome, Firefox, Safari, Edge, or Opera.
Known limitations
Keep the following limitations in mind as you implement Session Replay:
- Session Replay doesn't stitch together replays from a single user across multiple projects. For example:
- You instrument your marketing site and web application as separate Amplitude projects with Session Replay enabled in each.
- A known user begins on the marketing site, and logs in to the web application.
- Amplitude captures both sessions.
- The replay for each session is available for view in the host project.
- Session Replay can't capture the following HTML elements:
- Canvas
- WebGL
objecttags including plugins like Flash, Silverlight, or Java. Session replay supportsobject type="image"- Lottie animations
<iframe>elements from a different origin- Assets that require authentication, like fonts, CSS, or images
- Session Replay isn't compatible with ad blocking software.
Troubleshooting
For more information about individual statuses and errors, see the Session Replay Ingestion Monitor.
CSS styling doesn't appear in replay
When Amplitude captures a replay, it doesn't download and store CSS files or other static assets that are part of your application or site. Session Replay stores references to these files, and uses those references while it reconstructs the replay. In some situations, the styling present in the replay may differ from your application for the following reasons:
- Assets on your site move or change name. This can happen when you deploy a new version of your application.
- Assets on your site are behind access controls that prevent Amplitude from fetching them.
To help resolve CSS loading issues:
- Ensure your domain is publicly accessible. If you store assets on
localhost, try moving them to a staging environment. - Your CDN should keep track of old stylesheets for older replays. If the content of the same stylesheet changes over time, try to append a unique string or hash to the asset URL. For example,
stylesheet.css?93f8b89. - Add
app.amplitude.comorapp.eu.amplitude.comto the list of domains that your server's CORS configuration permits.
Replay length and session length don't match
In some scenarios, the length of a replay may exceed the time between the [Amplitude] Start Session and [Amplitude] End Session events. This happens when a user closes their browser or browser tab and [Amplitude] End Session occurs, but the Browser SDK and Session Replay plugin haven't yet processed it. When the user visits that page again, the SDK and plugin process the event and send it to Amplitude, along with the replay. You can verify this scenario occurs if you see a discrepancy between the End Session Client Event Time and the Client Upload Time.
Session replays may not appear in Amplitude due to:
- Content security policy
- Blocked JavaScript
- No events triggered through the browser SDK in the current session
- Sampling
Local development and focus state
The Session Replay SDK and plugin capture only the page that's in focus. When you develop locally with the browser console open, focus states may not work as expected. If you don't see replays in Amplitude, try to enable debugMode. In this mode, Session Replay ignores the focus handle and enables extra debugging information.
const sessionReplayTracking = window.sessionReplay.plugin({
debugMode: true,
sampleRate: 1,
});
Content security policy
When you add the Session Replay script to your site, visit a page on which the Session Replay SDK is running, and open your browser's developer tools.
Check for any error messages in the JavaScript console that contain the text Content Security Policy. For example, Refused to connect to 'https://api-secure.amplitude.com/sessions/track' because it violates the document's Content Security Policy.
To resolve this error, update your site's content security policy to allow connection to Amplitude's APIs.
Blocked JavaScript
Browser extensions or network security policy may block the Session Replay SDK. Check your browser's developer tools to see if requests fail, and if so, add an exception for the blocked domains.
{{if type == "plugin"}}
No events triggered through the browser SDK in the current session
Session Replay requires that at least one event in the user's session has the [Amplitude] Session Replay ID property. The Browser SDK Session Start and Session End events include this property by default. If you instrument your events with any SDK other than the Amplitude Browser SDK 2, use the Session Replay Standalone SDK and ensure you tag your events with the necessary event properties.
For local testing, you can force a Session Start event to ensure that Session Replay functions.
- Open your browser's developer tools, and delete any cookie that begins with
AMP_. - Close developer tools and refresh the page.
- In Amplitude, in the User Lookup Event Stream, you should see a Session Start event that includes the
[Amplitude] Session Replay IDproperty. After processing, the Play Session button should appear for that session. {{/if}}
Sampling
As mentioned above, the default sampleRate for Session Replay is 0. Update the rate to a higher number. For more information see, Sampling rate.
Some sessions don't include the Session Replay ID property
Session replay doesn't require that all events in a session have the [Amplitude] Session Replay ID property, only that one event in the session has it. Reasons why [Amplitude] Session Replay ID may not be present in an event include:
If you instrument an event with a source different from the source you connect to Session Replay. For example, your application may send events from a backend source, rather than the Browser SDK.
Session Replay processing errors
In general, replays should be available within minutes of ingestion. Delays or errors may be the result of one or more of the following:
- Mismatching API keys or Device IDs. This can happen if Session Replay and standard event instrumentation use different API keys or Device IDs.
- Session Replay references the wrong project.
- Short sessions. If a user bounces within a few seconds of initialization, the SDK may not have time to upload replay data.
- Page instrumentation. If Session Replay isn't implemented on all pages a user visits, their session may not capture properly.
- Replays older than the set retention period (defaults to 30 days, or 90 days if you purchase extra volume).
Was this helpful?