Identity verification

To protect your user's data, you can turn on identity verification. With identity verification, your backend sends a digital signature (a hex-encoded HMAC-SHA256 signature) of the current user's id to TalkJS. This signature can't normally be forged, so it proves that the current user identified to TalkJS is really the user logged in to your platform.

If identity verification is enabled, TalkJS blocks any requests without a valid signature.

Enable identity verification

First, set the signature property in the Talk.Session object to the HMAC-SHA256 hash of the current user id, signed with your TalkJS secret key. Often it's a one-liner you can copy and paste.

For example, with PHP you can use something like the following:

1<?php $user = $database.getUser(12345); ?>
2var me = new Talk.User(
3 <?php echo json_encode(array(
4 "id" => strval($user->id),
5 "name" => $user->name,
6 "email" => $user->email,
7 "photoUrl" => $user->photoUrl,
8 "welcomeMessage" => "Hey, let's have a chat!"
9 )); ?>
12window.talkSession = new Talk.Session({
13 appId: "<APP_ID>",
14 me: me,
16 // this is the line that it's all about:
17 signature: "<?= strtoupper(hash_hmac('sha256', strval($user->id), '<SECRET_KEY>')) ?>"

Replace <APP_ID> and <SECRET_KEY> with the values you can find on the Settings page of your dashboard.

Important: Keep your secret key private and never include it in your frontend code.

Test the solution. If TalkJS loads without errors, you can enable identity verification in your dashboard, so that any request without a valid signature gets blocked.

Resources and support

For code samples that demonstrate how to create a signature in multiple languages, see the TalkJS examples GitHub repository.

Check out the tutorial on how to ban a user from all chats for more information. The tutorial uses identity verification together with disabling browser synchronization to ensure the integrity of your user's data.

If you get stuck, get in touch and one of the TalkJS developers will be happy to help.