Identity HMAC Verification (SHA256)

Updated 3 days ago by Michael Alon

Enabling identity verification means Aptrinsic will use HMAC id so we can have a secured way to validate that a logged in user doesn't try to impersonate as another user - this feature should be set via account product settings. The purpose of identity verification is to verify that your users are who they claim to be. It works by using a server side generated HMAC (hash based message authentication code), using SHA256, on either your user’s email or user_id. Once identity verification is enabled, We will not accept any requests for a logged-in user without a valid HMAC.

Enabling Identity verification under account settings:

One your server side has implemented identity verification using the hash key you can enable it under account settings.

Passing the user hash in the identify call:

//User Fields
"id": "unique-user-id", // Required for logged in app users
"email": "",
"firstName": "John",
"lastName": "Smith",
"signUpDate": 1522697426479, //unix time in ms
"userHash": "" // optional transient for HMAC identification
//Account Fields
"id":"IBM", //Required
"name":"International Business Machine"

How did we do?