How to Create a Session ID for the Device Data Collector (DDC)

The session identifier (or session ID, s, sessionId, or sess) is used to join device data with login or order information. The customer determines what the session ID is, but must follow the Session ID requirements.


If sending a Risk Inquiry Service request, the Risk Inquiry Service process post uses the session identifier that is created when you initiated the Device Data Collector (DDC). The session ID used here is not the same concept as a web session. The session ID used for the integration must be unique per each risk assessment transaction.

Implementation Details

Generating your own session ID allows control over the value that is passed. Session IDs can be created either client-side or server-side.

Once generated, send the session ID using the s parameter in the URL to download the Device Data Collection SDK (web implementation only).

The following example assumes the session ID is abcdefg12345abababab123456789012:

<script type='text/javascript' src='https://DATA_COLLECTOR_URL/collect/sdk?m=123456&s=abcdefg12345abababab123456789012'> </script>

Session ID requirements

  • Must be unique per request and for a minimum of 30 days

  • Must contain only alphanumeric characters (0-9, a-z, or A-Z), dashes (-) or underscores (_)

  • Session ID values cannot exceed 32 characters in length


If the session ID exceeds 32 characters or contains any invalid characters, an error is returned when attempting to download the SDK.

Code Examples for Generating a Session ID

A quick and convenient way to generate a valid session ID is to generate a Universally Unique Identifier (UUID) and remove the dashes – this shortens the value to 32 characters (refer to Session ID requirements). The following examples use the UUID method to generate the session ID:

JavaScript (client-side)/NodeJS (server-side)

//npm install uuidv4
const { uuid } = require('uuidv4');
const sessionID = uuid().replace(/-/g, '');


Guid myuuid = Guid.NewGuid();
string sessionID = myuuid.ToString().Replace("-",""); 


String sessionID = UUID.randomUUID().toString().replaceAll("-","");


$SESS = substr(uniqid().uniqid().uniqid(),0,32);


import uuid
sess = str(uuid.uuid4()).replace("-","")


require 'securerandom'
sessionID = SecureRandom.uuid.gsub("-","")

Android (Kotlin)

deviceSessionID = UUID.randomUUID().toString().replace('-','');

Accessing the Session ID

The session ID is available to the script on the page through the ka.sessionId attribute that is included in the downloaded Device Data Collection SDK. For further information, review How to Integrate the Web Client SDK for Device Data Collection into Your Website.

Using the Session ID in the Server-Side Call

Submit the session ID used in the Device Data Collection in the server-side API call. If the session ID is generated on the client side (web browser or native mobile app), a common approach is to send the session ID to the server as a hidden parameter in the payment or login form. If the session ID is generated server-side, keep the session ID in the session storage (or similar location) to retrieve and pass in the API call after payment or login is complete.

Frequently Asked Questions (FAQ)

What happens if I leave the page after a session ID is created, and then return to complete the order?

There can be multiple session identifiers or session IDs created, but only the last session ID will be used to link the device data with the RIS transaction.

What happens if JavaScript does not run on an end-user’s computer?

If we are generating the session ID for you, a session ID will not be generated if JavaScript does not run. If you create a session ID server side, this issue is prevented.

Was this article helpful?
2 out of 3 found this helpful