title: Identity Verification description: Link widget conversations to your users with HMAC identity verification. order: 5
Identity Verification
By default, the widget creates anonymous sessions. Identity verification lets you link conversations to your authenticated users so they see their history across devices and sessions.
How It Works
- Your server computes an HMAC-SHA256 hash of the user's ID using your embed secret key
- Your frontend passes the user ID and hash to the widget via
identify() - The Navigic backend verifies the hash matches, confirming the identity isn't spoofed
This is the same pattern used by Intercom, Crisp, and other embedded chat products.
Step 1: Get Your Secret Key
Go to Settings > Embed in your dashboard. Click on your embed key to expand it. Your secret key is shown once — copy it and store it as an environment variable on your server.
EMBED_SECRET_KEY=sk_wk_YOUR_SECRET_KEYNever expose the secret key in client-side code.
Step 2: Server-Side HMAC
Compute the HMAC on your server and return it to the browser.
Node.js
import crypto from "crypto";
const secretKey = process.env.EMBED_SECRET_KEY;
function computeUserHash(userId) {
return crypto
.createHmac("sha256", secretKey)
.update(userId)
.digest("hex");
}
// In your API route or server action:
// Return { userId, userHash } to the frontendPython
import hmac
import hashlib
import os
secret_key = os.environ["EMBED_SECRET_KEY"]
def compute_user_hash(user_id: str) -> str:
return hmac.new(
secret_key.encode(),
user_id.encode(),
hashlib.sha256,
).hexdigest()Ruby
require "openssl"
secret_key = ENV["EMBED_SECRET_KEY"]
def compute_user_hash(user_id)
OpenSSL::HMAC.hexdigest("sha256", secret_key, user_id)
endStep 3: Client-Side Identify
After your user signs in, call identify() with the user ID and HMAC hash from your server.
// Fetch the HMAC from your server
const { userId, userHash } = await fetch("/api/embed-identity", {
method: "POST",
}).then((res) => res.json());
// Identify the user in the widget
NavigicWidget.identify(
userId,
{
email: user.email, // optional traits
name: user.name,
},
{ userHash },
);Step 4: Reset on Logout
When your user signs out, call reset() to clear the identity and revert to an anonymous session.
NavigicWidget.reset();Using Script Tag Attributes
You can also pass identity via data attributes if the user is known at page load:
<script
src="https://releases.navigic.ai/embed/embed.js?v=7"
data-api-key="pk_wk_YOUR_KEY"
data-user-id="user_123"
data-user-hash="HMAC_HEX_HERE"
async
></script>This is useful for server-rendered pages where the identity is available in the HTML.
Security Notes
- The secret key must never appear in client-side code, browser storage, or logs
- The HMAC must be computed server-side and sent to the browser
- Without identity verification, anyone could call
identify()with a fake user ID - The backend rejects requests where the HMAC doesn't match the user ID