# Identity Verification

{% hint style="info" %}
Please note that if Identity Verification is not enabled, users won't be able to see old chats.
{% endhint %}

This step is optional but **strongly recommended** before you're ready for live production chats. Identity Verification ensures bad actors can't impersonate your customers to see their issues and conversations.

Identity Verification works by verifying the identity of the user who sends a message through the chat widget. This prevents your customers from manually changing their email in the frontend to impersonate each other.

Pylon is not unique on this front - because a user's identity in the chat is determined client-side, any chat is susceptible to users spoofing their email.

1. **Generate an Identity Secret**<br>

   Starting from your [Chat Widgets page](https://app.usepylon.com/settings/in-app-chat), navigate to your Chat Widget's Settings tab.\
   \
   In the "Identity Verification Secret" section, click "Generate Secret".\
   \
   This will be the only time you will see this key. Save the key somewhere safe, such as a password manager. If you lose your key, you’ll need to regenerate it and replace the key later.
2. **Set Up Backend**<br>

   In your backend, hash the user’s email address using HMAC-SHA256 with the secret you just generated. Note that the secret is a hex string and must be hex-decoded into bytes before it is used as the HMAC key.<br>

   Here are some code snippets to help:

{% tabs %}
{% tab title="JavaScript (Node.js)" %}

```javascript
const { createHmac } = require("node:crypto");

const secret = "GENERATED_IDENTITY_SECRET";
const email = "CHAT_USER_EMAIL";

const secretBytes = Buffer.from(secret, "hex");
const verificationHash = createHmac("sha256", secretBytes)
  .update(email)
  .digest("hex");
```

{% endtab %}

{% tab title="Python" %}

```python
import hmac
import hashlib

def sign_message_with_hmac(message, secret):
    secret_bytes = bytes.fromhex(secret)
    signature = hmac.new(secret_bytes, message.encode(), hashlib.sha256).hexdigest()
    return signature
```

{% endtab %}

{% tab title="Go" %}

```go
package auth

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors" // needed for errors.New below
)

func SignMessageWithHMAC(message, secret string) (*string, error) {
	secretBytes, err := hex.DecodeString(secret)
	if err != nil {
		return nil, errors.New("unable to decode secret")
	}

	h := hmac.New(sha256.New, secretBytes)
	h.Write([]byte(message))
	signature := h.Sum(nil)

	signedMsg := hex.EncodeToString(signature)

	return &signedMsg, nil
}
```

{% endtab %}
{% endtabs %}

3. **Send this hash to the Frontend and set it on the window object:**

   ```js
   window.pylon.chat_settings.email_hash = HMAC_HASH
   ```
