Version: 0.1.0

Identity Signing (JS)

The backend must generate a userHash by signing the user's External ID with the application's Secret Key. This page provides JavaScript implementation examples.

Specification

Parameter	Value
Algorithm	HMAC-SHA256
Key	`secretKey` (App Secret)
Message	`externalUserId` (User ID)
Output format	Hexadecimal

Node.js

const crypto = require('crypto');

function generateUserHash(secretKey, userId) {
  return crypto
    .createHmac('sha256', secretKey)
    .update(userId)
    .digest('hex');
}

// Usage
const hash = generateUserHash('your_secret_key', 'user_123');

Browser (Web Crypto API)

:::danger Security warning The secretKey must never be exposed in the frontend. Use this code only in trusted server-side environments or for local testing purposes. :::

async function generateUserHash(secretKey, userId) {
  const enc = new TextEncoder();
  const key = await crypto.subtle.importKey(
    'raw',
    enc.encode(secretKey),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign']
  );

  const signature = await crypto.subtle.sign('HMAC', key, enc.encode(userId));

  return Array.from(new Uint8Array(signature))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}

Specification​

Node.js​

Browser (Web Crypto API)​

Specification

Node.js

Browser (Web Crypto API)