Skip to content

Autocapture & privacy

With autocapture: true (the default) the SDK records page interactions without any instrumentation: clicks, form submits and pageviews from the first minute. It ships as a lazy chunk — with autocapture: false the code is never even downloaded.

Every captured interaction produces the same event, $autocapture, described by its properties:

  • $event_type: click | submit | change.
  • $elements: the DOM chain from the interaction target upward (about 10 levels). Per element: tag, classes, attr_id, text, nth_child, and href for links.

A single event keeps the event namespace small: “clicked element X” is a filter over $elements in queries, not a separate event name.

  • $pageview fires on page load.
  • Client-side navigations fire it too: the SDK hooks the History API (pushState, replaceState, popstate), so single-page apps get a $pageview per route change with no router integration.
  • $pageleave fires on pagehide.

Autocaptured or not, every event carries $current_url, $referrer, $session_id, $device_type, $screen_width, $screen_height, $lib, $lib_version, and $utm_source / $utm_medium / $utm_campaign / $utm_term / $utm_content parsed from the URL.

These are hard guarantees, not defaults:

  • Input values are never captured. A change interaction records that something changed — never what.
  • Password fields don’t even produce an event: a change on input[type=password] is ignored entirely.
  • Session replay is a separate, opt-in system with its own (stricter) privacy defaults.

In your markup — add data-kilden-no-capture to any element to exclude it and all its descendants:

<div data-kilden-no-capture>
<!-- nothing in here produces $autocapture events,
and session replay won't record it either -->
</div>

In init options — pass an object instead of true:

kilden.init('YOUR_WRITE_KEY', {
autocapture: {
captureClicks: true, // default true
captureSubmits: true, // default true
captureChanges: false, // default false
ignoreSelectors: ['.sensitive', '#admin-panel'],
maskAllText: false, // true replaces all $elements text with "*"
allowUrls: [/^https:\/\/app\.example\.com/], // restrict to matching URLs
},
});

In codebeforeSend (or a before plugin) sees every $autocapture event and can transform or drop it:

kilden.init('YOUR_WRITE_KEY', {
beforeSend(event) {
if (event.event === '$autocapture' && location.pathname.startsWith('/admin')) {
return null;
}
return event;
},
});

Events and properties starting with $ are reserved for the Kilden system ($pageview, $autocapture, $identify, …). Sending your own $-prefixed event from track() logs a debug warning but is still delivered — the SDK never breaks a client over a convention. Full list in Events & properties.