What Is Session Replay? A Plain-English Guide for 2026

Eduard Cristea, Founder, Eyepup · 7 min read

Session replay is software that records what real visitors do on your website or app — every click, scroll, mouse movement, key press, form input, page change, and console error — and lets you watch a pixel-accurate replay of the session afterward like a video. Behind the scenes it captures the DOM mutations (changes to the page) plus user inputs and stitches them together on playback. The most common open-source library underneath modern session replay tools is rrweb.

Key takeaways

  • Session replay does not record video — it records DOM mutations and inputs, then re-renders them as a video on playback. This is why it's lightweight (~2 KB/s typical) and pixel-accurate.
  • It captures clicks, scrolls, hovers, form input, console errors, network requests, and (with consent) text selections — but masks passwords and configurable PII fields by default.
  • It is different from screen recording (which records pixels) and from analytics (which counts events). Session replay records the full event stream and can replay it.
  • In 2026, the workflow is changing. Instead of humans watching replays one at a time, AI agents now watch every session and write a verdict per visitor.

How session replay actually works

Most people picture session replay as "a video of the user's screen." It isn't. Recording video would be expensive (megabytes per minute), insecure (you'd capture whatever was in the browser tab, including other tabs in some implementations), and visually inflexible.

What actually happens:

  1. Initial DOM snapshot. When the page loads, the recording library (typically rrweb) captures a serialized snapshot of the entire DOM tree.
  2. Incremental mutations. As the page changes — text updates, elements added/removed, classes toggled — the library records each mutation as a small JSON event with a timestamp.
  3. User inputs. Mouse moves are captured at ~50 Hz, clicks and key presses immediately, scroll positions on change.
  4. Network and console events. Optionally, the library also records XHR/fetch responses (status codes, durations) and console messages.
  5. Compression and ship. Events are batched, compressed (often with fflate), and shipped to the vendor's servers in chunks.
  6. Playback. On replay, the player reconstructs the DOM from the initial snapshot and applies mutations frame-by-frame, animated to match the original timing. The result looks like a video but is actually a re-execution of the recorded event stream.

That last detail — that it's a re-execution, not a video — is why session replay tools can do things that a screen recording can't. You can search for "all sessions where the user clicked the pricing button," because the click is a structured event, not a pixel pattern. You can mask sensitive form fields server-side after the fact. You can hand the event stream to an AI model and ask it to summarize what happened.
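
The replay-as-re-execution idea and the "search by click" query described above, as an added example that is not code from rrweb or any vendor. The event format, node ids and sample recording are simplified and constructed for illustration; they are not rrweb's actual schema.

```javascript
// Constructed recording: one full snapshot, then timestamped incremental events.
// Events are assumed to be sorted by timestamp `t` (milliseconds).
const recording = [
  { t: 0, type: 'snapshot', nodes: {
      1: { tag: 'h1', text: 'Plans', attrs: {} },
      2: { tag: 'button', text: 'See pricing', attrs: { id: 'pricing' } },
  } },
  { t: 1200, type: 'mousemove', x: 310, y: 88 },
  { t: 1850, type: 'click', nodeId: 2 },
  { t: 1900, type: 'mutation', op: 'add', nodeId: 3,
    node: { tag: 'div', text: 'Loading', attrs: {} } },
  { t: 2400, type: 'mutation', op: 'text', nodeId: 3, text: '$29 / month' },
  { t: 5000, type: 'mutation', op: 'remove', nodeId: 1 },
];

// Rebuild the page state as it was at time `until` by re-applying events in order.
function replay(events, until = Infinity) {
  let nodes = {};
  for (const ev of events) {
    if (ev.t > until) break;
    if (ev.type === 'snapshot') {
      nodes = JSON.parse(JSON.stringify(ev.nodes)); // deep copy of the snapshot
    } else if (ev.type === 'mutation') {
      if (ev.op === 'add') nodes[ev.nodeId] = { ...ev.node };
      else if (ev.op === 'text' && nodes[ev.nodeId]) nodes[ev.nodeId].text = ev.text;
      else if (ev.op === 'remove') delete nodes[ev.nodeId];
    }
    // mousemove/click events do not change the DOM; a player would animate them.
  }
  return nodes;
}

// Structured search: clicks whose target, resolved against the DOM state at
// click time, carries the given element id. No pixel matching is involved.
function clicksOn(events, elementId) {
  return events.filter(ev => ev.type === 'click' &&
    replay(events, ev.t)[ev.nodeId]?.attrs.id === elementId);
}

console.log(replay(recording, 2000)); // page state two seconds in
console.log(clicksOn(recording, 'pricing'));
```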

What session replay captures (and what it doesn't)

| Captured by default | Captured if you opt in | Never captured |
|---|---|---|
| Clicks, taps, keypresses (not the keys) | Form input values | Passwords (always masked) |
| Mouse movements, hover targets | Text selections | Anything in iframes from a different origin (browser security) |
| Scroll positions | Network response bodies | Anything from a different tab |
| Page changes / route navigation | Console messages | Camera or microphone |
| DOM mutations, CSS changes | Stack traces on errors | Anything outside the browser tab |
| Viewport size, device type | LocalStorage / sessionStorage diffs | Encrypted secure-context APIs |

Two myths worth killing:

  • "Session replay watches the keys you press." It doesn't, by default. It captures that a keypress happened in a field. The actual characters are not transmitted unless you turn on form-input capture explicitly. Even then, configurable masking strips passwords, credit cards, SSNs, and any field marked data-private.
  • "Session replay captures my whole screen." It only captures the events that happen inside the page that has the recording snippet installed. Other tabs, the URL bar, browser extensions — invisible.

Session replay vs. screen recording vs. analytics

| | Screen recording (Loom, OBS) | Analytics (GA4, Mixpanel) | Session replay (Hotjar, FullStory, Eyepup) |
|---|---|---|---|
| What's captured | Pixels of a screen | Aggregate event counts | Full event stream of one user |
| File size | MB/min | KB/event | ~2 KB/s |
| Replay-able | ✅ | ❌ | ✅ |
| Searchable by event | ❌ | ✅ | ✅ |
| Per-visitor narrative | ❌ | ❌ | ✅ |
| Aggregate dashboards | ❌ | ✅ | Limited |
| Privacy default | Records everything visible | No personal data captured | Masks passwords + configurable fields |

The privacy story

This is the part vendors gloss over and customers are right to worry about. From a privacy standpoint, session replay can be done well or done badly. The questions to ask any vendor:

  1. Is text content captured by default, or masked by default? The right default is masked. You opt in to capture, not opt out.
  2. Are passwords masked at the SDK level, before they leave the browser? They should be — server-side masking is too late.
  3. Can I mark specific fields private with data-private or a CSS selector? Yes is the only acceptable answer.
  4. What about iframe contents (e.g., Stripe Elements, embedded forms)? Cross-origin iframes are unreadable to session replay by browser security — that's a feature, not a bug. Same-origin iframes need explicit handling.
  5. GDPR / CCPA: do I have a legitimate interest basis, and do I show a notice? A privacy notice is the minimum. Cookie consent is required in most jurisdictions for session replay.
  6. Where is data stored, and can I region-pin? EU customers usually need EU data residency. Verify.
  7. What's the retention period and can I configure it? 30/60/90/180-day options are standard. Anything longer needs justification.
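
Questions 1 to 3 above describe a policy that can be checked in code: mask by default, always mask passwords, honour data-private, and do it before the batch is serialized. The following is an added example, not code from rrweb or any vendor SDK. The event shape is constructed, and `data-capture` is a hypothetical opt-in attribute used only for this illustration.

```javascript
const MASK = '*';

// Luhn checksum: true for 13-19 digit strings that look like a payment card number.
function looksLikeCard(value) {
  const digits = value.replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Decide whether a field's value may leave the browser in clear text.
function mayCapture(field) {
  if (field.type === 'password') return false;      // always masked
  if ('data-private' in field.attrs) return false;  // explicit opt-out wins
  return 'data-capture' in field.attrs;             // hypothetical opt-in; masked otherwise
}

// Mask one input event. Card-like values are masked even in opted-in fields.
function maskInputEvent(ev) {
  const clear = mayCapture(ev.field) && !looksLikeCard(ev.value);
  return { ...ev, value: clear ? ev.value : MASK.repeat(ev.value.length), masked: !clear };
}

// Build the payload that would be shipped: masking runs before serialization,
// so clear-text secrets never reach the network layer.
function buildBatch(events) {
  return JSON.stringify(events.map(e => (e.type === 'input' ? maskInputEvent(e) : e)));
}

// Constructed sample events (all values are made up).
const attrs = (...names) => Object.fromEntries(names.map(n => [n, '']));
const sampleEvents = [
  { type: 'click', t: 100, target: 'button#login' },
  { type: 'input', t: 220, value: 'hunter2-not-real', field: { type: 'password', attrs: attrs('data-capture') } },
  { type: 'input', t: 300, value: 'blue widgets', field: { type: 'text', attrs: attrs('data-capture') } },
  { type: 'input', t: 410, value: '4111 1111 1111 1111', field: { type: 'text', attrs: attrs('data-capture') } },
  { type: 'input', t: 500, value: 'Jane Example', field: { type: 'text', attrs: attrs() } },
  { type: 'input', t: 600, value: 'note to self', field: { type: 'text', attrs: attrs('data-capture', 'data-private') } },
];

console.log(buildBatch(sampleEvents));
```

The mask here keeps the value's length, which is itself a small leak; a fixed-length mask avoids it.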

The IAB and GDPR enforcement guidance both treat session replay as personal data. That doesn't mean you can't use it. It means you have to be explicit with users about it.

Where session replay is going in 2026

The capture layer is settled. rrweb has won as the open-source standard, and vendor-specific libraries have converged on roughly the same data model. What's changing is what happens after the capture.

For 20 years the workflow has been: filter → click a session → watch → form a hypothesis. That doesn't scale past one or two reviewers. The 2026 shift is that an AI agent watches every session and writes a per-visitor verdict — what the visitor was trying to do, what blocked them, the highest-leverage fix to ship. We covered the category — agentic web analytics — separately. Multimodal LLMs can now ingest the rendered video of a session as input, which is what unlocks per-session analysis at a price that makes "watch every session" cheaper than "watch some sessions."

If you're picking a session replay tool in 2026, the question to ask is no longer "how good are the recordings?" The recordings are commodity. The question is "what does the tool do with the recordings?"

Frequently asked questions

Does session replay record video?

No. It records DOM mutations and user inputs as structured events, then re-renders them as a video on playback. The replay looks like video but is a re-execution of the recorded event stream.

Is session replay legal?

Yes, with appropriate notice and (in most jurisdictions) consent. GDPR treats session-replay data as personal data and requires a lawful basis — typically consent or legitimate interest. CCPA requires disclosure. Always show a privacy notice.

Does session replay slow down my website?

The capture libraries (rrweb is the standard) typically add 20-50 KB to your bundle and use 1-3 KB/s of upload bandwidth during a session. Performance impact on the user is minimal if the tool is configured correctly. Watch out for vendors that add multiple competing scripts.

Are passwords captured by session replay?

No. Every credible vendor masks <input type="password"> at the SDK level before any data leaves the browser. If you find a vendor that doesn't, walk away.

What's the best free session replay tool?

Microsoft Clarity is free forever with unlimited sessions. PostHog has a generous free tier. See the Hotjar alternative post for a deeper comparison.

Does Google Analytics have session replay?

Short answer: no. GA4 is an aggregate event analytics tool. It does not record sessions. You need a separate tool for that.

What's the difference between session replay and a tool like Eyepup?

Session replay tools give you the recordings and a search/filter UI. Eyepup is agentic web analytics — it uses the same capture layer (rrweb) but adds an AI agent that watches each session and writes a per-visitor verdict, so the output is text and structured data rather than a queue of videos.
