Secure chat identification prevents a visitor from claiming another customer's email address and opening their support conversations. Generate an HMAC on your server, then pass the normalized email and hash to the Userorbit widget.
Get the authentication secret
- Go to Settings > Channels > Email.
- Under Chat identification, copy the authentication secret.
- Store it only on your server. Never expose it in browser code.
Generate and pass the hash
- Trim and lowercase the customer's email.
- On your server, calculate an HMAC SHA-256 of that email using the secret.
- Pass
emailandemailHashat the root ofuserorbit.init.
Require verification for unknown visitors
Set requireAuthentication: true when unknown visitors should verify their email before viewing support conversations.
Rotate the secret carefully
Regenerating the secret immediately invalidates every previously generated hash. Update your server first so newly identified users receive hashes from the new secret.
Troubleshooting
- Normalize the email exactly the same way on the server and in the widget.
- If every user becomes unauthenticated after rotation, redeploy the server-side secret.