> Use identity verification to secure your chat from user impersonation

# Identity Verification

For an added layer of security, verify the identity of the user sending a message through the chat widget. This prevents your customers from manually changing their email in the frontend to impersonate each other.

Pylon is not unique on this front: because a user's identity in the chat is determined client-side, any chat is susceptible to users spoofing their email.

Adding identity verification is optional, but encouraged.

1. **Generate an Identity Secret**

   Generate it [here](https://app.usepylon.com/settings/in-app-chat) and save it. This is the only time you will see this key.

   If you lose your key you’ll need to regenerate it and replace the key later.

2. **Set Up Backend**

   In your backend, hash the user’s email address using HMAC-SHA256 with the secret you just generated. Note that the secret is a hex string and must be decoded from hex to raw bytes before it is used as the HMAC key.

   Here are some code snippets to help:

   <CodeGroup>
     ```javascript Javascript (Node.js) theme={null}
     const { createHmac } = require("node:crypto");

     const secret = "GENERATED_IDENTITY_SECRET";
     const email = "CHAT_USER_EMAIL";

     const secretBytes = Buffer.from(secret, "hex");
     const verificationHash = createHmac("sha256", secretBytes)
       .update(email)
       .digest("hex");
     ```

     ```python python.py theme={null}
     import hmac
     import hashlib

     def sign_message_with_hmac(message, secret):
         secret_bytes = bytes.fromhex(secret)
         signature = hmac.new(secret_bytes, message.encode(), hashlib.sha256).hexdigest()
         return signature
     ```

     ```go go.go theme={null}
     package auth

     import (
       "crypto/hmac"
       "crypto/sha256"
       "encoding/hex"
       "errors"
     )

     // SignMessageWithHMAC returns the hex-encoded HMAC-SHA256 of message,
     // keyed with the hex-decoded identity secret.
     func SignMessageWithHMAC(message, secret string) (*string, error) {
       // The secret is a hex string; decode it to raw key bytes first.
       secretBytes, err := hex.DecodeString(secret)
       if err != nil {
         return nil, errors.New("unable to decode secret")
       }

       h := hmac.New(sha256.New, secretBytes)
       h.Write([]byte(message))
       signature := h.Sum(nil)

       signedMsg := hex.EncodeToString(signature)

       return &signedMsg, nil
     }
     ```
   </CodeGroup>

3. **Send this hash to the Frontend and set it on the window object:**

   ```js theme={null}
   window.pylon.chat_settings.email_hash = HMAC_HASH
   ```
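
The following example is added here and is not Pylon's own code. It ties the three steps together on the backend: the hash is computed from the email held in the server-side session, an email edited in the frontend fails the check, and a secret used without hex decoding yields a hash that does not match. The `session["email"]` field, the `email` settings key, the sample secret, and `hash_matches` (a local model of the comparison; Pylon's own verification is not shown on this page) are assumptions.

```python
import hashlib
import hmac

# Constructed sample secret (hex). A real one comes from the Pylon settings page.
SAMPLE_SECRET_HEX = "00112233445566778899aabbccddeeff" * 2


def load_identity_secret(secret_hex: str) -> bytes:
    """Hex-decode the secret to key bytes; reject malformed or empty values."""
    try:
        key = bytes.fromhex(secret_hex.strip())
    except ValueError as exc:
        raise ValueError("identity secret is not valid hex") from exc
    if not key:
        raise ValueError("identity secret is empty")
    return key


def email_hash(key: bytes, email: str) -> str:
    """HMAC-SHA256 over the email, hex-encoded, as in the snippets above."""
    return hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()


def chat_settings_for(session: dict, key: bytes) -> dict:
    """Build widget settings from the server-side session, not request input."""
    email = session["email"]  # hypothetical field set by your login flow
    return {"email": email, "email_hash": email_hash(key, email)}


def hash_matches(key: bytes, claimed_email: str, presented_hash: str) -> bool:
    """Local model of a verifier: recompute the HMAC, compare in constant time."""
    expected = email_hash(key, claimed_email).encode()
    return hmac.compare_digest(expected, presented_hash.encode())


def hash_with_undecoded_secret(secret_hex: str, email: str) -> str:
    """The mistake to avoid: keying the HMAC with the hex string's characters."""
    return hmac.new(secret_hex.encode(), email.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key = load_identity_secret(SAMPLE_SECRET_HEX)
    settings = chat_settings_for({"email": "alice@example.com"}, key)
    # The signed-in user's own email verifies against the hash.
    print(hash_matches(key, "alice@example.com", settings["email_hash"]))
    # An email edited in the frontend no longer matches the hash.
    print(hash_matches(key, "bob@example.com", settings["email_hash"]))
    # Skipping the hex decode yields a different, non-matching hash.
    bad = hash_with_undecoded_secret(SAMPLE_SECRET_HEX, "alice@example.com")
    print(hash_matches(key, "alice@example.com", bad))
```

The hash covers the exact bytes of the email string, so the email given to the widget must be character-for-character the one that was hashed, including case and whitespace.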
