Identity Verification

By default, the widget creates anonymous sessions. Identity verification lets you link conversations to your authenticated users so they see their history across devices and sessions.

How It Works

  1. Your server computes an HMAC-SHA256 hash of the user's ID using your embed secret key
  2. Your frontend passes the user ID and hash to the widget via identify()
  3. The Navigic backend verifies the hash matches, confirming the identity isn't spoofed

This is the same pattern used by Intercom, Crisp, and other embedded chat products.

Step 1: Get Your Secret Key

Go to Settings > Embed in your dashboard. Click on your embed key to expand it. Your secret key is shown once — copy it and store it as an environment variable on your server.

EMBED_SECRET_KEY=sk_wk_YOUR_SECRET_KEY

Never expose the secret key in client-side code.

Step 2: Server-Side HMAC

Compute the HMAC on your server and return it to the browser.

Node.js

import crypto from "crypto";
 
const secretKey = process.env.EMBED_SECRET_KEY;
 
function computeUserHash(userId) {
  return crypto
    .createHmac("sha256", secretKey)
    .update(userId)
    .digest("hex");
}
 
// In your API route or server action:
// Return { userId, userHash } to the frontend

Python

import hmac
import hashlib
import os
 
secret_key = os.environ["EMBED_SECRET_KEY"]
 
def compute_user_hash(user_id: str) -> str:
    return hmac.new(
        secret_key.encode(),
        user_id.encode(),
        hashlib.sha256,
    ).hexdigest()

Ruby

require "openssl"
 
secret_key = ENV["EMBED_SECRET_KEY"]
 
def compute_user_hash(user_id)
  OpenSSL::HMAC.hexdigest("sha256", secret_key, user_id)
end

Step 3: Client-Side Identify

After your user signs in, call identify() with the user ID and HMAC hash from your server.

// Fetch the HMAC from your server
const { userId, userHash } = await fetch("/api/embed-identity", {
  method: "POST",
}).then((res) => res.json());
 
// Identify the user in the widget
NavigicWidget.identify(
  userId,
  {
    email: user.email,   // optional traits
    name: user.name,
  },
  { userHash },
);

Step 4: Reset on Logout

When your user signs out, call reset() to clear the identity and revert to an anonymous session.

NavigicWidget.reset();

Using Script Tag Attributes

You can also pass identity via data attributes if the user is known at page load:

<script
  src="https://releases.navigic.ai/embed/embed.js?v=7"
  data-api-key="pk_wk_YOUR_KEY"
  data-user-id="user_123"
  data-user-hash="HMAC_HEX_HERE"
  async
></script>

This is useful for server-rendered pages where the identity is available in the HTML.

Security Notes

  • The secret key must never appear in client-side code, browser storage, or logs
  • The HMAC must be computed server-side and sent to the browser
  • Without identity verification, anyone could call identify() with a fake user ID
  • The backend rejects requests where the HMAC doesn't match the user ID