Identity Verification

Protect customer account data by verifying user identity before granting access to sensitive information.

Overview

Identity verification ensures that only authenticated users can access sensitive account data through the chat widget. It uses an industry-standard HMAC signature to confirm that a visitor is who they claim to be.

Tier        Access
Verified    Full access to account tools — orders, payments, subscriptions, etc.
Unverified  Knowledge search, escalate to human, and general chat

Unverified visitors can still chat and get help. They just can't access account-specific data.

Setting Up

Navigate to Channels > Live Chat Widget and scroll to the Identity Verification section.

  1. Click Generate Secret to create your widget secret
  2. Copy the secret — you'll need it for your backend integration
  3. Follow the integration steps for your platform below

The secret is generated automatically when you first enable the widget or register via the WordPress plugin.

WordPress Plugin

If you're using the Ensoras WordPress plugin, identity verification works automatically. The plugin generates and verifies identity hashes for logged-in customers. No additional setup is needed.

Custom Embed

For sites using the JavaScript embed, you need to generate the HMAC hash on your server and pass it to the widget.

Step 1: Generate the hash server-side using your widget secret:

// PHP
$hash = hash_hmac('sha256', strtolower($userEmail), $widgetSecret);

// Node.js
const crypto = require('crypto');
const hash = crypto.createHmac('sha256', widgetSecret)
  .update(email.toLowerCase())
  .digest('hex');

# Python
import hmac, hashlib
hash_value = hmac.new(
    widget_secret.encode(),
    email.lower().encode(),
    hashlib.sha256
).hexdigest()

# Ruby
require 'openssl'
hash = OpenSSL::HMAC.hexdigest('sha256', widget_secret, email.downcase)

Step 2: Pass the hash to the widget before it loads:

<script>
  window.EnsorasQueue = window.EnsorasQueue || [];
  function Ensoras() { EnsorasQueue.push(arguments); }
  Ensoras('identify', {
    email: 'user@example.com',
    hash: 'server_generated_hash'
  });
</script>
<script src="https://app.ensoras.com/cdn/v1/widget/YOUR_SLUG.js" async defer></script>

Replace the email and hash with values from your backend for the current logged-in user. If the user is not logged in, omit the identify call — they'll still be able to chat.
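
Added example (not part of the Ensoras documentation or Ensoras's own code): a Node.js helper that builds the Step 2 snippet for the current user, omits it for anonymous visitors, and includes a local check for diagnosing hash mismatches. The function names and the shape of the user object are assumptions; the check mirrors the lowercase-then-HMAC rule described on this page and is not Ensoras's verifier.

```javascript
// Added example. Function names and the user object shape are hypothetical.
const crypto = require('crypto');

// HMAC-SHA256 over the lowercased email, hex-encoded, as in Step 1.
function identityHash(email, widgetSecret) {
  return crypto.createHmac('sha256', widgetSecret)
    .update(email.toLowerCase())
    .digest('hex');
}

// Returns the identify payload for a logged-in user, or null for anonymous
// visitors so the caller omits the identify call instead of sending an empty hash.
function identifyPayload(user, widgetSecret) {
  if (!user || !user.email) return null;
  return { email: user.email, hash: identityHash(user.email, widgetSecret) };
}

// Renders the inline snippet from Step 2. JSON.stringify plus escaping "<"
// keeps an unusual email value from closing the <script> element early.
function identifySnippet(user, widgetSecret) {
  const payload = identifyPayload(user, widgetSecret);
  if (!payload) return '';
  const json = JSON.stringify(payload).replace(/</g, '\\u003c');
  return '<script>\n' +
    '  window.EnsorasQueue = window.EnsorasQueue || [];\n' +
    '  function Ensoras() { EnsorasQueue.push(arguments); }\n' +
    `  Ensoras('identify', ${json});\n` +
    '</script>';
}

// Local self-check for debugging mismatches (mixed-case email, rotated secret).
// Assumption: mirrors the documented rule only; it is not Ensoras's verifier.
function hashMatches(email, hash, widgetSecret) {
  const expected = Buffer.from(identityHash(email, widgetSecret), 'hex');
  const given = Buffer.from(String(hash), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}
```

The widget secret is read only on the server; the page receives the email and the resulting hash, never the secret itself.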

Email Channel

Tickets created from the email channel are always verified automatically.

Managing Your Secret

  • Reveal Secret — View the current secret to copy it for your integration
  • Rotate Secret — Generate a new secret, invalidating all existing hashes. Use this if the secret is compromised. Customers will need to reload the page to re-verify.

Best Practices

Generate the hash server-side — Never expose your widget secret in client-side code.

Always lowercase the email before hashing — Ensoras lowercases the email on its end. Your backend must do the same.

Handle logged-out users gracefully — Omit the identify call for anonymous visitors rather than passing an empty hash.

Rotate the secret periodically — Limits the impact if a secret is ever compromised.
