Identity Verification

Secure your widget and prevent impersonation using HMAC-SHA256 signatures.

How it Works

When a logged-in user accesses your site, your backend should generate a unique signature using your Identity Secret. The widget sends this signature to Sela, which verifies it before granting access to the user's conversation history.

Generating the HMAC

Generate an HMAC-SHA256 hex digest on your server using this exact message format:email|timestamp|orgId|nonce.

Node.js Example

backend.js
const crypto = require('crypto');

const secret = 'YOUR_IDENTITY_SECRET_FROM_DASHBOARD';
const userEmail = 'user@example.com';
const orgId = 'org_123';
const timestamp = Date.now();
const nonce = crypto.randomUUID();

const hash = crypto
  .createHmac('sha256', secret)
  .update(`${userEmail}|${timestamp}|${orgId}|${nonce}`)
  .digest('hex');
  
// Send email, timestamp, nonce, and hash to your frontend...

Python Example

backend.py
import hmac
import hashlib

secret = b'YOUR_IDENTITY_SECRET'
email = 'user@example.com'
org_id = 'org_123'
timestamp = '1712345678901'
nonce = '550e8400-e29b-41d4-a716-446655440000'

message = f"{email}|{timestamp}|{org_id}|{nonce}"
hash = hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()
# f5d6...

Client-Side Implementation

Pass the signed identity to the hosted widget as URL parameters.

text
https://widget.usesela.com/?orgId=org_123&email=user@example.com&name=Alice&timestamp=1712345678901&nonce=550e8400-e29b-41d4-a716-446655440000&user_hash=GENERATED_HMAC_HASH

React Native WebView Example

SupportWebView.tsx
import { WebView } from 'react-native-webview';

const params = new URLSearchParams({
  orgId: 'org_123',
  email: user.email,
  name: user.name,
  avatarUrl: user.avatarUrl ?? '',
  theme: colorScheme,
  support_mode: 'authenticated',
  support_locale: locale,
  initialScreen: 'chat',
  timestamp: String(timestamp),
  nonce,
  user_hash: hash,
});

<WebView source={{ uri: `https://widget.usesela.com/?${params.toString()}` }} />;