SECOND_POSTHOG_TOKEN when overriding the built-in
release default, and use SECOND_POSTHOG_HOST for non-US PostHog projects.
Capture path
Browser code does not send directly to PostHog. It posts events to Second’s same-origin /api/analytics/capture endpoint.
The web route:
- requires an authenticated, onboarded user
- allowlists the supported event names
- sanitizes property keys and values
- applies the current anonymization mode
- forwards the final payload to PostHog
Events
Second currently captures:
- page viewed
- onboarding finished
- chat initiated
- sidebar clicked
- import existing app clicked
- import existing app triggered
- build completed
- build failed
- approval shown
- approval acted
- integration setup started
- integration setup completed
- app displayed
- app agent triggered
- app agent finished
- app agent error
- showed suggestions tool called
- suggestion picked
- agents approved

- surface, such as workspace_home, app_chat, settings, library, or workspace_agents
- route_shape, such as /w/:workspace/apps/:objectId
- small client context such as viewport size

release_version, release_package, release_runtime, cli_launcher_version, cli_launcher_package
null unless the deployment sets release
environment variables.
Anonymized mode
When anonymization is on, the browser creates one stable local anonymous ID in localStorage:
anon_... UUID generated by Second. It is sent as the PostHog
distinct_id for anonymized events, so repeated events from the same browser
are grouped together without identifying the user.
Anonymized events deliberately:
- do not call PostHog $identify
- do not alias the anonymous ID to the real user ID
- set $process_person_profile: false
- strip user, workspace, app, run, agent, prompt, message, raw error, suggestion, URL, and referrer identifiers
- strip generic identifier-shaped properties such as *_id, *_ids, *_email, *_name, and *_names
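The capture-path checks and the anonymized-mode rules above, sketched as an added example; this is not Second's own code. The function names, the key-shape regex, the sensitive key names, the 256-character value cap, and the sample event subset are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not Second's source.
// Constructed subset of the event allowlist documented on this page.
const ALLOWED_EVENTS = new Set(["page viewed", "chat initiated", "build failed"]);

// Identifier-shaped suffixes the page lists: *_id, *_ids, *_email, *_name, *_names.
const ID_SHAPED = /_(ids?|email|names?)$/;

// Assumed key names for the stripped categories (prompt, message, raw error, ...).
const SENSITIVE_KEYS = new Set(["prompt", "message", "raw_error", "suggestion", "url", "referrer"]);

// Assumed key shape; also rejects client-supplied $-prefixed PostHog keys such as $set.
const SAFE_KEY = /^[a-z][a-z0-9_]{0,63}$/;

function sanitizeProperties(props, anonymized) {
  const out = {};
  for (const [key, value] of Object.entries(props ?? {})) {
    if (!SAFE_KEY.test(key)) continue;
    if (anonymized && (ID_SHAPED.test(key) || SENSITIVE_KEYS.has(key))) continue;
    // Keep flat scalars only; nested objects could carry identifiers past the key checks.
    if (typeof value === "string") out[key] = value.slice(0, 256);
    else if (typeof value === "boolean") out[key] = value;
    else if (typeof value === "number" && Number.isFinite(value)) out[key] = value;
  }
  return out;
}

function buildCapturePayload({ event, properties }, { anonymized, anonymousId, userId }) {
  if (!ALLOWED_EVENTS.has(event)) return null; // unknown event names are never forwarded
  const payload = {
    event,
    // Anonymized events use the local anon_... ID and are never aliased to the user ID.
    distinct_id: anonymized ? anonymousId : userId,
    properties: sanitizeProperties(properties, anonymized),
  };
  // Set after sanitizing so client input cannot override it.
  if (anonymized) payload.properties.$process_person_profile = false;
  return payload;
}
```

Setting `$process_person_profile` after sanitization, and rejecting `$`-prefixed keys from the client, keeps a browser from re-enabling person profiles or attaching person properties on an anonymized event.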
Non-anonymized mode
Users can turn off anonymization from the workspace account menu under Usage data settings. When anonymization is off, Second sends a PostHog $identify event for the
onboarded user and uses the Second user ID as the PostHog distinct_id.
Non-anonymized events may include the user, workspace, app, agent, message, and
screen properties needed for debugging and product analysis.
Screen recording
Screen recording is a separate opt-in inside Usage data settings. It is off by default, and enabling it also turns anonymization off because replay captures the actual Second interface for product debugging. Regular product analytics still use the same-origin /api/analytics/capture
route. Screen recording is the exception: PostHog session replay runs in the
browser through posthog-js, because replay is captured from the browser DOM and
cannot be produced by the server-side capture endpoint.
When screen recording is enabled, the browser loads the public PostHog project
token and host from Second’s authenticated analytics config route, identifies the
current onboarded user, and starts PostHog session recording. The SDK is
configured without PostHog pageview/autocapture product events so it does not
replace or duplicate Second’s sanitized analytics capture path.
When screen recording is disabled, anonymization is re-enabled, telemetry is
disabled, or the user signs out, Second stops PostHog session recording and
resets the browser SDK state on that tab. Browser-level password-field masking
from PostHog/rrweb still applies, but Second does not apply its anonymized
analytics redaction model to replay after the user explicitly enables recording.
Switching modes
Switching from anonymized to non-anonymized affects future events only. Second does not merge or alias the local anonymous ID into the identified PostHog person. That is intentional: PostHog’s standard frontend SDK can link anonymous history to a user after identify, but doing that here would make
the anonymized setting weaker. In Second, historical anonymized events remain
anonymous even if the same user later disables anonymization.
On sign-out, Second resets the local anonymous ID. This prevents two different
users sharing one browser profile from being grouped under the same anonymous
PostHog identity.