Set up Identity Verification

Prevent impersonation and make your Featurebase setup more secure.


Written By Robi Rohumaa

Last updated 8 days ago

👨‍💻 Implementing Identity Verification typically involves making technical adjustments to your Featurebase setup and usually requires access to server-side code.


Set up Identity Verification

Start by finding your identity verification secret in Settings → Identity Verification.

Generate an HMAC code on your server

First, decide how you'd like to uniquely identify your users: by User ID or by Email. You'll then generate an HMAC of that identifier, signed with your secret.

Example
import crypto from "crypto";

// Your identity verification secret
const secretKey = "iv_your-secret-key";

// Use email or user identifier
const userIdentifier = currentUser.email;

// Generate HMAC hash
const userHash = crypto
  .createHmac('sha256', secretKey)
  .update(userIdentifier)
  .digest('hex');

NB! Keep your secret secure! Never store it in your repository, client-side code, or anywhere a third party could access it.


Update your code to send the HMAC

Find all places in your codebase where you’ve used the Featurebase("identify", {...}) SDK call and add the user hash there like this:

Featurebase("identify", {
  organization: "yourorg",
  "email": "user@example.com",
  ...otherFields,
  userHash: "user-hash-for-this-specific-user"
})

Testing if a user hash is valid

To test if a user hash is valid:

  1. Go to Settings → Identity Verification

  2. Enter the User ID/Email into the Test Your Identity Verification Hash (HMAC) section

  3. Check that the hash your server generates matches the one displayed in the Featurebase dashboard.
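The steps above as one server-side module, added here as an example that is not Featurebase's own code: it reads the secret from the environment, builds the fields for the identify call, and checks a hash locally, showing that the hash is bound to the exact identifier string. The environment variable name FEATUREBASE_IDENTITY_SECRET and the function names are assumptions, and the sample values are constructed.

```javascript
// Added example (not Featurebase's code). Run this on the server only.
const crypto = require("node:crypto");

// Assumption: the secret arrives through an environment variable with a
// hypothetical name, so it never lands in the repository or client bundle.
function loadSecret(env = process.env) {
  const secret = env.FEATUREBASE_IDENTITY_SECRET;
  if (!secret) throw new Error("identity verification secret is not configured");
  return secret;
}

// HMAC-SHA256 of the identifier, hex-encoded, as in the page's example.
function userHashFor(identifier, secret) {
  if (typeof identifier !== "string" || identifier.length === 0) {
    throw new TypeError("identifier must be a non-empty string");
  }
  return crypto.createHmac("sha256", secret).update(identifier, "utf8").digest("hex");
}

// Fields the server hands to the page for Featurebase("identify", {...}).
// The email sent and the email hashed are the same value, so they cannot drift.
function identifyFields(organization, email, secret) {
  return { organization, email, userHash: userHashFor(email, secret) };
}

// Constant-time check of a candidate hash, e.g. one copied from the dashboard.
function hashMatches(identifier, candidateHex, secret) {
  const expected = Buffer.from(userHashFor(identifier, secret), "hex");
  const candidate = Buffer.from(String(candidateHex), "hex");
  return candidate.length === expected.length &&
    crypto.timingSafeEqual(candidate, expected);
}

// Constructed sample values for a stand-alone run.
const demoSecret = loadSecret({ FEATUREBASE_IDENTITY_SECRET: "iv_constructed-demo-secret" });
const fields = identifyFields("yourorg", "user@example.com", demoSecret);
console.log(fields);
// Same identifier: the hash matches.
console.log(hashMatches("user@example.com", fields.userHash, demoSecret));
// Different casing is a different byte string, so the hash does not match.
console.log(hashMatches("User@example.com", fields.userHash, demoSecret));
```

If the hash your server produces differs from the one in the dashboard, first confirm that the identifier you hash is character-for-character the one you entered there.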


Enforcing Identity Verification

If you’ve successfully updated your code to include the userHash field and encounter no errors, you can now enforce Identity Verification by toggling the checkbox in Settings → Identity Verification.

Once enforced, all requests without a valid user hash will be rejected, ensuring that user impersonation is impossible.


Turning off Identity Verification

You can always disable Identity Verification by unchecking the Enforce Identity Verification checkbox in Settings → Identity Verification.

Keep in mind that disabling this will open you up to user impersonation attacks.


FAQ