Identity Verification

We strongly encourage you to turn on Identity Verification to protect your users' data. With Identity Verification, your backend sends TalkJS a signature (an HMAC) of the current user's id. Without your secret key this signature cannot be forged, so it proves that the user identifying to TalkJS really is the user who is logged in to your platform, rather than someone who merely knows another user's id.

How does it work?

It works by having your backend compute a hex-encoded HMAC-SHA256 of the user's id, keyed with your TalkJS secret key. HMAC-SHA256 is a standard message authentication code available in the standard library of every popular programming language. Once Identity Verification is enabled, TalkJS blocks any request that does not carry a valid signature for the user id it claims.

One line of code

First, set the signature property of the Talk.Session object to the HMAC-SHA256 of the current user's id, keyed with your TalkJS secret key. Compute it on your backend, never in the browser. This sounds complicated, but it is usually a one-liner you can copy and paste.

You can find the secret key in the dashboard. Important: the secret key must stay on your server. It must never appear in frontend code, in the page source or in any response sent to the browser; anyone who obtains it can sign any user id and impersonate any user.

For example, with PHP you'd use something like this:

<?php $user = $database->getUser(12345); ?>
<script>
var me = new Talk.User(
<?php
// JSON_HEX_* escapes < > & ' " so a crafted name or email cannot close the
// <script> tag or otherwise break out of the JavaScript literal.
echo json_encode(array(
    "id" => strval($user->id),
    "name" => $user->name,
    "email" => $user->email,
    "photoUrl" => $user->photoUrl,
    "welcomeMessage" => "Hey, let's have a chat!"
), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
?>
);
window.talkSession = new Talk.Session({
    appId: "YOUR_APP_ID",
    me: me,
    // this is the line that it's all about: the signature is computed over the
    // same string as the id above (strval), keyed with the secret, hex-encoded and upper-cased
    signature: "<?= strtoupper(hash_hmac('sha256', strval($user->id), 'YOUR_SECRET_KEY')) ?>"
});
</script>

(Remember to replace YOUR_APP_ID and YOUR_SECRET_KEY with the values from the dashboard, and load the secret from server-side configuration rather than hard-coding it in a template.)

Test it. If TalkJS loads without errors, enable Identity Verification in the dashboard so that any request without a valid signature is blocked. Until you enable it, a missing or wrong signature is not rejected, so the setup is not complete until you flip the switch.
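The same signing step on a Python backend, as an added example that is not part of the TalkJS documentation or SDK. It shows the two details the PHP snippet relies on (the id is signed as a string, and the hex digest is upper-cased), plus an illustrative verify() that mirrors what any verifier of this signature has to do: recompute and compare in constant time. The environment variable TALKJS_SECRET_KEY, the dict-shaped user record and the sample user are assumptions for the example; verify() is not TalkJS's own code.

```python
"""Identity Verification signature for TalkJS, server side (added example).

Assumptions (not from the TalkJS page): the secret is read from the
environment variable TALKJS_SECRET_KEY, and the user record is a dict.
verify() illustrates what a verifier does with the signature; it is not
TalkJS's implementation.
"""
import hashlib
import hmac
import json
import os


def sign_user_id(user_id, secret_key: str) -> str:
    """Upper-case hex HMAC-SHA256 of the user id, keyed with the TalkJS secret.

    The id is coerced to a string first, matching strval() in the PHP snippet:
    signing 12345 and "12345" must give the same value, otherwise the id the
    browser sends to TalkJS and the id that was signed will not match.
    """
    key = secret_key.encode("utf-8")
    message = str(user_id).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest().upper()


def verify(user_id, signature: str, secret_key: str) -> bool:
    """Recompute the signature for the claimed id and compare in constant time.

    hmac.compare_digest avoids leaking how many leading characters matched
    through timing. Case is normalised because hex case carries no security.
    """
    expected = sign_user_id(user_id, secret_key)
    return hmac.compare_digest(expected, signature.strip().upper())


def session_options(user: dict, app_id: str, secret_key: str) -> str:
    """JSON for the Talk.Session options that the backend inlines into the page.

    Only the signature reaches the browser; the secret never does. < > & are
    escaped so a crafted name cannot close an inline <script> tag.
    """
    options = {
        "appId": app_id,
        "me": {
            "id": str(user["id"]),
            "name": user["name"],
            "email": user["email"],
            "welcomeMessage": "Hey, let's have a chat!",
        },
        "signature": sign_user_id(user["id"], secret_key),
    }
    raw = json.dumps(options)
    return raw.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


if __name__ == "__main__":
    secret = os.environ.get("TALKJS_SECRET_KEY", "YOUR_SECRET_KEY")  # placeholder
    # Constructed sample user; the name deliberately contains a script terminator.
    user = {"id": 12345, "name": "Alice </script>", "email": "alice@example.com"}
    sig = sign_user_id(user["id"], secret)
    print(sig)
    print(verify(user["id"], sig, secret))           # genuine: True
    print(verify(12346, sig, secret))                # id tampered in the browser: False
    print(verify(user["id"], sig, "other-secret"))   # signed with a different key: False
    print(session_options(user, "YOUR_APP_ID", secret))
```

The known-answer check worth keeping in your own test suite is RFC 4231 test case 2 (key "Jefe", message "what do ya want for nothing?"), which pins down that the hex encoding and key handling are right before you compare against what TalkJS expects.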

Our GitHub examples repository has code samples that demonstrate how to create a signature in multiple languages.

You can also check out our tutorial on how to ban a user from all chats, which uses Identity Verification together with disabling browser synchronization to ensure the integrity of your users' data.

If you get stuck, get in touch with us and we'll help.