Setup Identify Verification
If you are using our SDK in your web app to identify your users, you might want to make sure users are verified. Let's see how to do that using a signature flow.
How does identify verification work?
Identify verification is an additional step in the identify flow that makes sure users have been identified by your own account system.
Your web app uses our JavaScript SDK method to identify users. This also means that the JavaScript SDK method could be triggered by someone using a browser developer console. Let's illustrate these two situations.
Case 1: John accesses your app
Your web app loads, John is identified in your app as john.doe@company.com
Your web app calls the Jimo SDK method like so
window['jimo'].push(['do', 'identify', ["john.doe@company.com"]]);
John is correctly identified by your app in Jimo as john.doe@company.com
Case 2: Dev (the spoofer) accesses your app
Your web app loads, Dev is identified in your app as dev@malicious.com
Your web app calls the Jimo SDK method like so
window['jimo'].push(['do', 'identify', ["dev@malicious.com"]]);
Dev is correctly identified by your app in Jimo as dev@malicious.com
Dev opens the browser developer console while on your app and calls the Jimo SDK method like so
window['jimo'].push(['do', 'identify', ["john.doe@company.com"]]);
Dev is now identified in Jimo as john.doe@company.com
Requirements of Identify Verification
The verification feature requires you to sign the identifier you provide to the identify JavaScript SDK method with a secret key. As this secret key must not be known to any public user, you need to keep it in your backend code only.
Therefore, only your backend will be able to sign the identifier that will be passed to the identify Javascript SDK method. The only requirement for using User Verification is the ability to sign emails from your own backend code, with the secret key Jimo generates for you in your website settings.
Setup Identify Verification
1. Get your secret key
In order for your backend to sign the identifier, you'll need a secret key.
Log in to the Jimo dashboard
Navigate to Installation Settings
Enable "Identify Verification"
Copy the secret key
2. Sign identifiers
Once you have your secret key, you can use it to sign identifiers.
Quick reminder: We recommend using an unguessable identifier when setting up the identify in Jimo to increase the security of your integration. Please check our Identify users notice for more information.
To keep this notice simple, we will demonstrate the signing using an email as the identifier, which is again not recommended.
Here's how to sign the identifier from your backend using Node.js (make sure to adapt it to the technology you are using for your backend).
Make sure you generate signatures with the HMAC-SHA256 algorithm. Any other HMAC digest is not accepted and will be refused by Jimo when provided.
Example based on the snippet provided above
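The signing step described in this section, and why it stops the Case 2 spoof, as an added Node.js example (not the snippet from the original page and not Jimo's own code). Assumptions: the hex output encoding, the `JIMO_IDENTIFY_SECRET` variable name, and the `verifyIdentifier` and `identifyPayloadFor` helpers are hypothetical; use the encoding and call shape Jimo's documentation specifies.

```javascript
const crypto = require('crypto');

// Constructed demo value. The real key is copied from Installation Settings
// and must only ever exist in backend configuration, never in client code.
const SECRET_KEY = process.env.JIMO_IDENTIFY_SECRET || 'constructed-demo-secret';

// Backend side: HMAC-SHA256 over the identifier, keyed with the secret.
// Hex encoding of the digest is an assumption of this example.
function signIdentifier(identifier, secret = SECRET_KEY) {
  if (typeof identifier !== 'string' || identifier.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  return crypto.createHmac('sha256', secret).update(identifier, 'utf8').digest('hex');
}

// Illustrative model of the receiving side (not Jimo's implementation):
// recompute the HMAC and compare in constant time.
function verifyIdentifier(identifier, signature, secret = SECRET_KEY) {
  if (typeof signature !== 'string' || !/^[0-9a-f]{64}$/.test(signature)) {
    return false; // malformed or missing signature is rejected outright
  }
  const expected = Buffer.from(signIdentifier(identifier, secret), 'hex');
  const given = Buffer.from(signature, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(expected, given);
}

// Hypothetical helper: sign only the identifier taken from the server-side
// session, never an identifier supplied by the browser in the request.
function identifyPayloadFor(sessionUser) {
  return { identifier: sessionUser.id, signature: signIdentifier(sessionUser.id) };
}

// Case 2 replayed: Dev holds a valid signature for his own identifier only.
function case2SpoofAccepted() {
  const dev = identifyPayloadFor({ id: 'dev@malicious.com' });
  return verifyIdentifier('john.doe@company.com', dev.signature);
}
```

`case2SpoofAccepted()` returns `false`: a signature issued for `dev@malicious.com` does not validate for `john.doe@company.com`, and Dev cannot compute John's without the backend-only key.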
3. Pass signed identifier to the identify Javascript SDK method
Once your signed identifier is generated, make sure to pass it every time you call the Identify JavaScript SDK method like so
Example (from above)
Troubleshooting
I'm getting an IDENTIFY_VERIFICATION_SIGNATURE_SIGNIN_FAILED error
Please make sure that
You have passed the signed identifier as the 3rd parameter of the Identify JavaScript SDK method
You have correctly signed the identifier using your secret key
I'm getting an IDENTIFY_VERIFICATION_SIGNATURE_SIGNUP_FAILED error
Please make sure that
You have passed the signed identifier as the 3rd parameter of the Identify JavaScript SDK method
You have correctly signed the identifier using your secret key