We strongly encourage you to turn on Identity Verification in order to protect your users' data. With Identity Verification, your backend sends a digital signature of the current user's id to TalkJS. This signature cannot normally be forged, so it proves that the current user identified to TalkJS is really the user logged in to your platform.

How does it work?

It works by generating a hex-encoded HMAC-SHA256 signature of the user's id. This is a message authentication scheme supported by all popular programming languages. If Identity Verification is enabled, TalkJS will block any requests without a valid signature.

One line of code

First, set the signature property in the Talk.Session object to the HMAC-SHA256 hash of the current user id, signed with your TalkJS secret key. This sounds complicated, but usually it's a one-liner you can just copy and paste.

You can find the secret key in the dashboard. Important: Your secret key should never leak or appear in your frontend code and should be kept private.

For example, with PHP you'd use something like this:

<?php $user = $database->getUser(12345); ?>
var me = new Talk.User(
    <?php echo json_encode(array(
        "id" => strval($user->id),
        "name" => $user->name,
        "email" =>  $user->email,
        "photoUrl" => $user->photoUrl,
        "welcomeMessage" => "Hey, let's have a chat!"
    )); ?>
);

window.talkSession = new Talk.Session({
    appId: "YOUR_APP_ID",
    me: me,

    // this is the line that it's all about:
    signature: "<?= hash_hmac('sha256', strval($user->id), 'YOUR_SECRET_KEY') ?>"
});

(Remember to replace YOUR_APP_ID and YOUR_SECRET_KEY with the values you can find in the dashboard at https://talkjs.com/dashboard/login. Better yet, log in to the dashboard and navigate to the docs there, where we'll have filled them in for you.)

Test it, and if TalkJS loads without errors, you can enable Identity Verification in the dashboard, so that any request without a valid signature will be blocked.
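
The same signature computed on a Node.js backend, together with the kind of constant-time check a verifier performs on it. This is an added example, not TalkJS's own code; the function names, the TALKJS_SECRET_KEY environment variable and the sample key are assumptions.

```javascript
const crypto = require("crypto");

// Assumption: the backend reads the secret key from an environment variable
// (hypothetical name). The fallback is a constructed sample key for offline runs.
const SECRET_KEY = process.env.TALKJS_SECRET_KEY || "constructed_sample_secret";

// Hex-encoded HMAC-SHA256 of the user id. String() mirrors strval() in the
// PHP snippet, so the number 12345 and the string "12345" sign identically.
function signUserId(userId, secretKey = SECRET_KEY) {
  return crypto
    .createHmac("sha256", secretKey)
    .update(String(userId), "utf8")
    .digest("hex");
}

// Illustrative check: recompute the HMAC and compare in constant time.
function verifySignature(userId, signature, secretKey = SECRET_KEY) {
  // SHA-256 output is 32 bytes, so a valid signature is exactly 64 hex chars.
  if (typeof signature !== "string" || !/^[0-9a-f]{64}$/i.test(signature)) {
    return false;
  }
  const expected = Buffer.from(signUserId(userId, secretKey), "hex");
  const received = Buffer.from(signature, "hex");
  return crypto.timingSafeEqual(expected, received);
}

// Constructed demo: a signature issued for one user id does not validate
// for another id, under a different key, or when it is malformed.
function demo() {
  const sig = signUserId(12345);
  return {
    sameUser: verifySignature("12345", sig),
    otherUser: verifySignature("12346", sig),
    otherKey: verifySignature("12345", sig, "some_other_key"),
    malformed: verifySignature("12345", "not-a-signature"),
  };
}

console.log(demo());
```

Only signUserId belongs in your backend's page rendering; the secret key and the signing call must never be moved into frontend code.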

Our GitHub examples repository has code samples that demonstrate how to create a signature in multiple languages.

If you get stuck, get in touch with us and we'll help.