Secure chat identification prevents a visitor from claiming another customer's email address and opening their support conversations. Generate an HMAC on your server, then pass the normalized email and hash to the Userorbit widget.

Get the authentication secret

  1. Go to Settings > Channels > Email.
  2. Under Chat identification, copy the authentication secret.
  3. Store it only on your server. Never expose it in browser code.

Generate and pass the hash

  1. Trim and lowercase the customer's email.
  2. On your server, calculate an HMAC SHA-256 of that email using the secret.
  3. Pass email and emailHash at the root of userorbit.init.

Require verification for unknown visitors

Set requireAuthentication: true when unknown visitors should verify their email before viewing support conversations.

Rotate the secret carefully

Regenerating the secret immediately invalidates every previously generated hash. Update your server first so newly identified users receive hashes from the new secret.

Troubleshooting

  • Normalize the email exactly the same way on the server and in the widget.
  • If every user becomes unauthenticated after rotation, redeploy the server-side secret.

Was this helpful?