Prevent impersonation and make your Featurebase setup more secure.
Written By Robi Rohumaa
Last updated 8 days ago
👨‍💻 Implementing Identity Verification typically involves making technical adjustments to your Featurebase setup and usually requires access to server-side code.
Set up Identity Verification
Start by finding your identity verification secret in Settings → Identity Verification.
Generate an HMAC code on your server
First, decide how you'd like to uniquely identify your users: by User ID or by Email. You'll then generate an HMAC of that identifier on your server, keyed with your secret.
Example
import crypto from "crypto";

// Your identity verification secret
const secretKey = "iv_your-secret-key";

// Use email or user identifier
const userIdentifier = currentUser.email;

// Generate HMAC hash
const userHash = crypto
  .createHmac('sha256', secretKey)
  .update(userIdentifier)
  .digest('hex');
NB! Keep your secret secure! Never store it in your repository, client-side code, or anywhere a third party could access it.
Update your code to send the HMAC
Find every place in your codebase where you make the Featurebase("identify", {...}) SDK call and add the user hash there, like this:
Featurebase("identify", {
  organization: "yourorg",
  "email": "user@example.com",
  ...otherFields,
  userHash: "user-hash-for-this-specific-user"
})
Testing if a user hash is valid
To test if a user hash is valid:
Enter the User ID/Email into the Test Your Identity Verification Hash (HMAC) section.
Check that the hash your server generates matches the one displayed in the Featurebase dashboard.
Enforcing Identity Verification
If you’ve successfully updated your code to include the userHash field and encounter no errors, you can now enforce Identity Verification by toggling the checkbox in Settings → Identity Verification.
Once enforced, all requests without a valid user hash will be rejected, ensuring that user impersonation is impossible.
Turning off Identity Verification
You can always disable Identity Verification by unchecking the Enforce Identity Verification checkbox in Settings → Identity Verification.
Keep in mind that disabling this will open you up to user impersonation attacks.