search
Knowledge BaseWebsiteChangelogBook a DemoLogin

id-badgeIdentity Verification

Use identity verification to secure your chat from user impersonation

circle-info

Please note that if Identity Verification is not enabled, users won't be able to see old chats.

This step is optional but strongly recommended before you're ready for live production chats. Identity Verification ensures bad actors can't impersonate your customers to see their issues and conversations.

This is done by adding a verification for the identity of the user sending a message through the chat widget, to prevent your customers from manually changing their email in the frontend to impersonate each other.

Pylon is not unique on this front - because a user's identity in the chat is determined client-side, any chat is susceptible to users spoofing their email.

  1. Generate an Identity Secret

    Starting from your Chat Widgets pagearrow-up-right, navigating to your Chat Widget's Settings tab. In the "Identity Verification Secret" section, click "Generate Secret". This will be the only time you will see this key. Save the key somewhere safe, such as a password manager. If you lose your key, you’ll need to regenerate it and replace the key later.

  2. Setup Backend

    In your backend, hash the user’s email address using HMAC-SHA256 with the secret you just generated. Note that the secret is a hex string and must be decoded to text before use.

    Here are some code snippets to help:

const { createHmac } = require("node:crypto");

const secret = "GENERATED_IDENTITY_SECRET";
const email = "CHAT_USER_EMAIL";

const secretBytes = Buffer.from(secret, "hex");
const verificationHash = createHmac("sha256", secretBytes)
  .update(email)
  .digest("hex");

  1. Send this hash to the Frontend and set it on the window object:

    window.pylon.chat_settings.email_hash = HMAC_HASH
PreviousChat SetupNextJavaScript API

Last updated

Was this helpful?