# Identity Verification

{% hint style="info" %}
Please note that if Identity Verification is not enabled, users won't be able to see old chats.
{% endhint %}

This step is optional but **strongly recommended** before you're ready for live production chats. Identity Verification ensures bad actors can't impersonate your customers to see their issues and conversations.

This works by verifying the identity of the user sending a message through the chat widget, which prevents your customers from manually changing their email in the frontend to impersonate each other.

Pylon is not unique on this front - because a user's identity in the chat is determined client-side, any chat is susceptible to users spoofing their email.

1. **Generate an Identity Secret**<br>

   Starting from your [Chat Widgets page](https://app.usepylon.com/settings/in-app-chat), navigate to your Chat Widget's Settings tab.\
   \
   In the "Identity Verification Secret" section, click "Generate Secret".\
   \
   This will be the only time you will see this key. Save the key somewhere safe, such as a password manager. If you lose your key, you’ll need to regenerate it and replace the key later.
2. **Set Up Backend**<br>

   In your backend, hash the user’s email address using HMAC-SHA256 with the secret you just generated. Note that the secret is a hex string and must be decoded from hex into raw bytes before it is used as the HMAC key, as the snippets below do.<br>

   Here are some code snippets to help:

{% tabs %}
{% tab title="JavaScript (Node.js)" %}

```javascript
const { createHmac } = require("node:crypto");

const secret = "GENERATED_IDENTITY_SECRET";
const email = "CHAT_USER_EMAIL";

const secretBytes = Buffer.from(secret, "hex");
const verificationHash = createHmac("sha256", secretBytes)
  .update(email)
  .digest("hex");
```

{% endtab %}

{% tab title="Python" %}

```python
import hmac
import hashlib

def sign_message_with_hmac(message, secret):
    secret_bytes = bytes.fromhex(secret)
    signature = hmac.new(secret_bytes, message.encode(), hashlib.sha256).hexdigest()
    return signature
```

{% endtab %}

{% tab title="Go" %}

```go
package auth

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

func SignMessageWithHMAC(message, secret string) (*string, error) {
	secretBytes, err := hex.DecodeString(secret)
	if err != nil {
		return nil, errors.New("unable to decode secret")
	}

	h := hmac.New(sha256.New, secretBytes)
	h.Write([]byte(message))
	signature := h.Sum(nil)

	signedMsg := hex.EncodeToString(signature)

	return &signedMsg, nil
}
```

{% endtab %}
{% endtabs %}

3. **Send this hash to the Frontend and set it on the window object:**

   ```js
   window.pylon.chat_settings.email_hash = HMAC_HASH
   ```
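
The steps above as one server-side flow, as an added example that is not Pylon's own code: it rejects a malformed secret instead of letting Node truncate it, and derives the hash only from the authenticated session. The function names, the `session.user.email` shape, the `email` field, and the receiver-side check are assumptions for illustration.

```javascript
// Added example (not Pylon's code). Assumed names: decodeIdentitySecret,
// emailHashFor, chatSettingsForSession, isValidEmailHash, session.user.email.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed sample values, not a real secret or user.
const SAMPLE_SECRET = "4a656665";
const SAMPLE_SESSION = { user: { email: "alice@example.com" } };

// Buffer.from(s, "hex") stops silently at the first non-hex character, so a
// placeholder or mis-pasted secret would yield a short or empty HMAC key.
// Validate strictly and fail closed instead.
function decodeIdentitySecret(secretHex) {
  if (typeof secretHex !== "string" || secretHex.length === 0 ||
      secretHex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(secretHex)) {
    throw new Error("identity secret is not a valid hex string");
  }
  return Buffer.from(secretHex, "hex");
}

function emailHashFor(email, secretHex) {
  return createHmac("sha256", decodeIdentitySecret(secretHex))
    .update(email, "utf8")
    .digest("hex");
}

// Build the values for window.pylon.chat_settings from the server-side
// session only. The email must never come from a request parameter, or any
// caller could obtain a valid hash for someone else's address.
function chatSettingsForSession(session, secretHex) {
  const email = session && session.user && session.user.email;
  if (typeof email !== "string" || email.length === 0) {
    throw new Error("no authenticated user in session");
  }
  return { email, email_hash: emailHashFor(email, secretHex) }; // `email` key is assumed
}

// Illustrative receiver-side check (assumed): recompute, compare in constant time.
function isValidEmailHash(email, presentedHash, secretHex) {
  const expected = Buffer.from(emailHashFor(email, secretHex), "hex");
  const presented = /^[0-9a-f]{64}$/i.test(presentedHash)
    ? Buffer.from(presentedHash, "hex") : Buffer.alloc(0);
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}
```

The hash covers the exact email string, so the value placed in the frontend must match the hashed one byte for byte.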


