Skip to content

Signed visitor identity

If your visitors are already logged in on your site, you can prove their identity so the agent sees a Verified badge and the conversation carries a stable external_user_id — which also lets the visitor resume the conversation from another device.

  1. Generate a signing secret in Settings → Web chat.
  2. On your backend, sign a short identity token.
  3. Pass it to the loader via data-identity.

The token is base64url(json).hmac, where the HMAC-SHA256 covers the exact base64url payload string (never the re-encoded JSON):

Node.js
import crypto from 'node:crypto';
function signIdentity(secret, payload) {
const b64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
const sig = crypto.createHmac('sha256', secret).update(b64).digest('hex');
return `${b64}.${sig}`;
}
const token = signIdentity(process.env.ROSETTA_IDENTITY_SECRET, {
external_user_id: user.id,
name: user.name,
email: user.email,
});
// PHP
function sign_identity(string $secret, array $payload): string
{
$b64 = rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '=');
$sig = hash_hmac('sha256', $b64, $secret);
return $b64.'.'.$sig;
}
<script
src="https://widget.rosettachat.app/widget.js"
data-site="wgt_your_public_site_key"
data-identity="<token>"
async
></script>

The payload carries external_user_id (required — the stable identifier), plus optional name and email shown to the agent.