Identity Validation

Identity verification is a way to make sure that the conversations between customers and support agents are private and secure. It helps to avoid impersonation and unauthorized access by checking the identities of both parties.

If your users can log into your app, you should enable identity verification. Neo uses an HMAC-based identity verification. HMAC is a cryptographic algorithm that uses a secret key (provided by Neo) and a unique identifier to generate a code. This code can then be used to verify the user on the front end.

Generating HMAC

To generate the HMAC, you need to get the secret key for your Neo inbox. You can find the key in Settings > Inboxes > Settings > Configuration > Identity Validation

To use HMAC for identity verification in your web widget, you need to generate an HMAC using this key. You can do this in any programming language in the backend. Most languages have built-in cryptographic functions to generate the token, or you can use popular libraries. You can find examples of common programming languages at the end of this page.

Verifying the HMAC

To verify the HMAC, you need to send the HMAC along with the identifier to your Neo server via the SDK.

Verification on the web

window.$chatwoot.setUser(<unique-identifier-key-of-the-user>, { 
name: "", // Name of the user 
email: "", // Email of the user 
identifier_hash: "" // Identifier Hash generated in the previous step 
}

// Some code

If the HMACs match, you can be sure that the person who sent the identifier is authorized to do so. All unverified users, will show up with alert mark, stating that the identity is not verified.

Verification in React Native

You can also use identity verification in React Native. You can find the documentation to set up Neo for React Native here

const App = () => {
  const user = {
    identifier: "[email protected]",
    name: "John Samuel",
    email: "[email protected]",
    identifier_hash: "<identifier-hash>",
  };

  return (
    <ChatWootWidget
      websiteToken="WEBSITE_TOKEN"
      baseUrl="https://app.chatwoot.com"
      isModalVisible={showWidget}
      user={user}
    />
  );
};

Enforcing verification

If you want to enforce verification for all users, you can do so by enabling the Enforce User Identity Validation option in the inbox settings.

If this option is enabled, any incoming message from an unverified user will be rejected.

Sample HMAC Generation for popular languagees

PHP

<?php

// Define your key and message
$key = 'your-secret-token-for-hmac';
$message = 'some-unique-identifier';

// Generate the HMAC
$identifier_hash = hash_hmac('sha256', $message, $key);
?>

Javascript (Node.js)

const crypto = require("crypto");

// Define your key and message
const key = "your-secret-token-for-hmac";
const message = "some-unique-identifier";

// Generate the HMAC
const identifierHash = crypto
  .createHmac("sha256", key)
  .update(message)
  .digest("hex");

Ruby

require 'openssl'

# Define your key and message
key = 'your-secret-token-for-hmac'
message = 'some-unique-identifier'

# Generate the HMAC
identifier_hash = OpenSSL::HMAC.hexdigest('sha256', key, message)

Elixir

# Define your key and message
key = 'your-secret-token-for-hmac'
message = 'some-unique-identifier'

# Generate the HMAC
signature = :crypto.hmac(:sha256, key, message)

identifier_hash = Base.encode16(signature, case: :lower)

Golang

package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "fmt"
)

func main() {
    // Define your key and message
    key := []byte("your-secret-token-for-hmac")
    message := []byte("some-unique-identifier")

    // Generate the HMAC
    hash := hmac.New(sha256.New, key)
    hash.Write(message)
    identifierHash := hex.EncodeToString(hash.Sum(nil))

    // Print the HMAC
    fmt.Println(identifierHash)
}

Python

import hashlib
import hmac

# Define your key and message
secret = bytes('your-secret-token-for-hmac', 'utf-8')
message = bytes('some-unique-identifier', 'utf-8')

# Generate the HMAC
hash = hmac.new(secret, message, hashlib.sha256)
identifier_hash = hash.hexdigest()

PreviousSDK Setup NextDark Mode

Last updated 2 years ago