marca
Start free trial →
← All docs

Installing the snippet

The Marca snippet is one <script> tag. It loads a small bootstrap (under 2 KB gzipped) that shows a floating review button to signed-in reviewers and lazy-loads the review overlay only when someone opens it.

The tag

<script
  src="https://www.marca.dev/snippet/r.js"
  data-project="proj_XXXXXXXXXXXXXXXX"
  data-endpoint="https://www.marca.dev"
  defer
></script>

Attributes

AttributeRequiredNotes
srcyeshttps://www.marca.dev/snippet/r.js, or the short alias https://marca.dev/m.js.
data-projectyesYour project token (proj_…). Copy it from the project's Embed tab.
data-endpointrecommendedThe Marca origin the snippet talks to. Defaults to https://marca.dev when omitted. Set it explicitly to the host you copied the snippet from.
deferrecommendedLoads without blocking page render.

If data-project is missing or malformed, the snippet logs a warning and does nothing — it never half-loads.

Allowed origins

Each project has an allow-list of origins the snippet may run on, seeded from the URL you gave when creating the project. If the snippet loads on an origin that isn't listed, the bootstrap is rejected. Add staging and production origins to the project so the same tag works in both.

Framework notes

  • Next.js — render the tag with the next/script component using strategy="afterInteractive", or drop a plain <script defer> in your root layout <head>.
  • Vite / SPA — add the tag to index.html; the snippet handles client-side route changes.
  • Static sites — paste it into your shared <head> partial.

Content Security Policy

If your site sets a CSP, allow the Marca origin:

script-src 'self' https://www.marca.dev;
connect-src 'self' https://www.marca.dev;
img-src 'self' data: blob: https:;

Privacy

The snippet only sends data when a reviewer explicitly creates or edits a pin — there is no background tracking, no scroll/keystroke logging, and no speculative capture. When a DOM snapshot is taken, password, payment, and other credential fields are redacted in the browser before anything is sent. See the reviewer notice for copy you can adapt for your own privacy policy.