# Setup Identify Verification

***

### Quick Access

[How does identify verification works?](#how-does-identify-verification-works)

[Requirements of Identify Verification](#requirements-of-identify-verification)

[Setup Identify Verification](#setup-identify-verification)

1. [Get your secret key](#id-1.-get-your-secret-key)
2. [Sign identifiers](#id-2.-sign-identifiers)
3. [Pass signed identifier to the identify JavaScript SDK method](#id-3.-pass-signed-identifier-to-the-identify-javascript-sdk-method)

[Troubleshooting](#troubleshooting)

* [I'm getting an IDENTIFY\_VERIFICATION\_SIGNATURE\_SIGNIN\_FAILED error](#im-getting-a-identify_verification_signature_signin_failed-error)
* [I'm getting an IDENTIFY\_VERIFICATION\_SIGNATURE\_SIGNUP\_FAILED error](#im-getting-a-identify_verification_signature_signup_failed-error)

***

## How does identify verification works?

Identify verification is an additional step in the identify flow making sure that users has been identified by your own account system.

In fact, your web-app use our Javascript SDK method to identify users. This also means that the Javascript SDK method could be triggered by someone using a browser developer console. Let's illustrate this two situations.

#### Case 1 : John access your app

* Your web app loads, John is identified in your app as `id-c5c178f6`
* Your web app call Jimo SDK method like so `window['jimo'].push(['do', 'identify', ["id-c5c178f6"]]);`
* John is correctly identified by your app in Jimo as `id-c5c178f6`

#### Case 2 : Dev (the spoofer) access your app

* You web app loads, Dev is identified in your app as `id-0f2cf8f1`
* Your web app call Jimo SDK method like so `window['jimo'].push(['do', 'identify', ["id-0f2cf8f1"]]);`
* Dev is correctly identified by your app in Jimo as `id-0f2cf8f1`
* Dev opens the browser developer console while on your app and call Jimo SDK method like so `window['jimo'].push(['do', 'identify', ["id-c5c178f6"]]);`
* Dev is now identified in Jimo as `id-c5c178f6`

## Requirements of Identify Verification

The verification feature requires you to sign the identifier you provide to the identify JavaScript SDK method, with a secret key. As this secret key must not be know to any public user, you need to keep this on your backend code only.

Therefore, only your backend will be able to sign the identifier that will be passed to the identify Javascript SDK method. **The only requirement for using User Verification is the ability to sign the id your provide from your own backend code, with the secret key Jimo generates for you in your website settings.**

## Setup Identify Verification

### 1. Get your secret key

In order for your backend to sign the identifier, you'll need a secret key.

* Login to Jimo dashboard
* Navigate to Installation Settings
* Enable the "Identify Verification"
* Copy the secret key

<figure><img src="https://2283895109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ1pi3sC2zIV5o9Oa46Aq%2Fuploads%2FakAPQ5YNnG5Vlr1YVoQg%2Fimage.png?alt=media&#x26;token=71c2350a-77e7-46e0-8dce-eeaf5dcd3026" alt=""><figcaption><p>Identify Verification section in Installation Settings</p></figcaption></figure>

### 2. Sign identifiers

Once your have your secret key, you can use it to sign identifiers.

{% hint style="info" %}
Quick reminder : We recommend to use unguessable identifier when setting up the identify in Jimo to increase the security of your integration. Please check [our Identify users notice](https://help.usejimo.com/docs/for-developers/for-developers/sdk-guides/identify-users) for more information.&#x20;
{% endhint %}

Here's how to sign the identifier from your backend using Nodejs (make sure to adapt according to the technology your are using for your backend).

```typescript
const crypto = require("crypto");

// Put you secret key here (keep it private!)
// Notice: the one below is an example, yours will be different
const secretKey = "a6c93e058a4ab236449bd321002352483a85138489d2ee4fb2eaa4cfd3ab2ba8";
const now = Math.floor(Date.now() / 1000);

// This method signs an id, using your global 'secretKey'
function signIdentifier(id) {
  return [crypto.createHmac("sha256", secretKey).update(`${id}-${now}`).digest("hex"), now].join('-');
}

// Sign your identifier
// Notice: the id below is an example, yours will be sourced from the authenticated user
const signedIdentifier = signIdentifier("id-c5c178f6");

console.log("Your signed identifier is:", signedIdentifier);
```

{% hint style="warning" %}
Make sure you generate signatures with the `HMAC-SHA256` algorithm. Any other HMAC digest is not accepted and will be refused by Jimo when provided.
{% endhint %}

**Example based on the snippet provided above**

```typescript
const secretKey = "a6c93e058a4ab236449bd321002352483a85138489d2ee4fb2eaa4cfd3ab2ba8"

signIdentifier("id-c5c178f6") // 6a403a1fcfcc866b8917e6e208a553004c54c73846bc4f3f686757e2a5ad588e-1741761604
```

### 3. Pass signed identifier to the identify Javascript SDK method

Once your signed identifiers is generated, make sure to pass it every time you call the Identify Javascript SDK method like so&#x20;

```javascript
window['jimo'].push(['do', 'identify', [identifier, null, signedIdentifier]]);
```

**Example (from above)**

```javascript
window['jimo'].push(['do', 'identify', ["john.doe@company.com", null, "6a403a1fcfcc866b8917e6e208a553004c54c73846bc4f3f686757e2a5ad588e-1741761604"]]);
```

## Troubleshooting

### I'm getting a IDENTIFY\_VERIFICATION\_SIGNATURE\_SIGNIN\_FAILED error

Please make sure that&#x20;

* You have passed the signed identifiers as the 3rd parameters of the Identify Javascript SDK method
* You have correctly signed the identifiers using your secret key

### I'm getting a IDENTIFY\_VERIFICATION\_SIGNATURE\_SIGNUP\_FAILED error

Please make sure that&#x20;

* You have passed the signed identifiers as the 3rd parameters of the Identify Javascript SDK method
* You have correctly signed the identifiers using your secret key