Identity Verification

It works by generating a hex-encoded HMAC-SHA256 signature of the user's id. This is a message authentication scheme supported by all popular programming languages. If Identity Verification is enabled, TalkJS will block any requests without a valid signature.

First, set the signature property in the Talk.Session object to the HMAC-SHA256 hash of the current user id, signed with your TalkJS secret key. This sounds complicated, but usually it's a oneliner you can just copy and paste.

You can find the secret key in the dashboard. Important: Your secret key should never leak or appear in your frontend code and should be kept private.

For example, with PHP you'd use something like this:

Copy
<?php $user = $database.getUser(12345); ?>
var me = new Talk.User(
    <?php echo json_encode(array(
        "id" => strval($user->id),
        "name" => $user->name,
        "email" =>  $user->email,
        "photoUrl" => $user->photoUrl,
        "welcomeMessage" => "Hey, let's have a chat!"
    )); ?>
);

window.talkSession = new Talk.Session({
    appId: "YOUR_APP_ID",
    me: me,

    // this is the line that it's all about:
    signature: "<?= strtoupper(hash_hmac('sha256', strval($user->id), 'YOUR_SECRET_KEY')) ?>"
});

(remember to replace YOUR_APP_ID and YOUR_SECRET_KEY with the data you can find in the dashboard)

Test it, and if TalkJS loads without errors, you can enable Identity Verification in the dashboard, so that any request without a valid signature will be blocked.

Our GitHub examples repository has code samples that demonstrate how to create a signature in multiple languages.

You can also check out our tutorial on how to ban a user from all chats that uses Identity Verification together with disabling browser synchronization to ensure integrity of your user's data.

If you get stuck, get in touch with us and we'll help.