Secure your installation (required by default)
Block unauthorized individuals from impersonating others and accessing potentially private information.
Written By Bruno from Featurebase
Last updated 2 months ago
Our security features block unauthorized individuals from impersonating others and accessing potentially private information (i.e., support chats, author-only posts & other details you’ve sent about the user).
Do I need this?
In short, you should almost always set up our security features when installing Featurebase.
Without it, a bad actor could gain unauthorized access to the data in your workspace by impersonating your real users.
Setting up security features
Below are guides for securing different parts of Featurebase. Pick the one you are currently interested in setting up:
Securing the Featurebase Messenger
Securing Messenger with JWTs
To secure the Messenger with JWTs, please follow the Creating and signing a JWT for Single Sign-On guide to generate a JWT.
After generating a token, make sure to pass the generated token that includes all information about the user into the Messenger boot function:
Featurebase("boot", {
  appId: "YOUR_APP_ID_HERE",
  featurebaseJwt: generatedValueHere, // Required - JWT generated on your server
  nonSensitiveAttr1: "non-sensitive-value", // Optional
  nonSensitiveAttr2: "non-sensitive-value", // Optional
  nonSensitiveAttr3: "non-sensitive-value", // Optional
});

For non-sensitive attributes, include them directly in the code snippet outside of the JWT payload.
Final step: Double-check attribute security
When sending data securely in your JWT, you should ensure that you disable insecure updates for those attributes by editing each attribute’s settings. Not enforcing this will leave your users vulnerable to insecure updates.
Click here to configure attributes →
Legacy: Securing Messenger with identity verification
While JWT is the recommended method, we continue to support Identity Verification with HMAC for backward compatibility.
Check out our migration guide to switch from HMAC to JWT.
Securing SDK identification and all other Featurebase widgets (Feedback, changelog, surveys, web portal)
For SDK-based widgets (Feedback, changelog, surveys) and the web portal, authentication is handled via the Featurebase SDK's identify function for auto-authentication and data sync, or JWT in widget initializations.
To secure these methods, please follow the guide below:
Securing with JWTs
First, please follow the Creating and signing a JWT for Single Sign-On guide to generate a JWT containing all the user data you want to be secured.
Now, when using the SDK identify functionality, make sure to replace the user information in the function with a single JWT instead:
Featurebase("identify", {
  organization: "YOUR_ORG_SLUG_HERE", // Required
  featurebaseJwt: "generated-jwt-here", // Required for secure auth - JWT generated on your server
  nonSensitiveAttr1: "non-sensitive-value", // Optional
  nonSensitiveAttr2: "non-sensitive-value", // Optional
  nonSensitiveAttr3: "non-sensitive-value", // Optional
}, (err) => {
  if (err) {
    console.error(err);
  } else {
    console.log("Data sent successfully!");
  }
});

For non-sensitive attributes, include them directly in the code snippet outside of the JWT payload.
The SDK automatically propagates this authentication to all widgets except the Messenger, so no extra setup is needed for them.
Final step: Double-check attribute security
When sending data securely in your JWT, you should ensure that you disable insecure updates for those attributes by editing each attribute's settings. Not enforcing this will leave your users vulnerable to insecure updates.
Click here to configure attributes →
Extra: Authenticate from widgets without the “identify” function
If you do not want to use SDK identification, you can instead pass the generated JWT directly to a widget initialization function (e.g., the Feedback widget):
Featurebase("initialize_feedback_widget", {
  organization: "yourorg",
  featurebaseJwt: "generated-jwt-here", // Secure token
  // Other params...
});

Legacy: Secure with Identity Verification (HMAC)
While JWT is the recommended method, we continue to support Identity Verification with HMAC for backward compatibility.
For that, please follow this guide or migrate to the new preferred JWT-based approach.
What if I want to disable it?
Disabling secure login is OK for local testing, but it should never be done in production when the Messenger handles user data.
You can disable it from here.
⚠️ Running in production with user data while secure login is disabled will result in:
Security Vulnerability: Anyone will be able to impersonate any user by simply providing their email or ID without verification
Account takeover risk: Malicious actors can access other users' accounts, conversations, comments, and any other private data
Data integrity compromised: All user-submitted data becomes untrustworthy as identity cannot be verified
Compliance issues: May violate security requirements and user trust agreements
Troubleshooting
If you are having unexpected results with this process, here is a list of things that can help.
Make sure you have set up the attributes you are sending
Our system does not save an attribute for the user if you have not first configured it from the settings.
For that, please follow this guide.