Signed visitor identity
If your visitors are already logged in on your site, you can prove their
identity so the agent sees a Verified badge and the conversation carries a
stable external_user_id — which also lets the visitor resume the conversation
from another device.
- Generate a signing secret in Settings → Web chat.
- On your backend, sign a short identity token.
- Pass it to the loader via
data-identity.
Token format
Section titled “Token format”The token is base64url(json).hmac, where the HMAC-SHA256 covers the exact
base64url payload string (never the re-encoded JSON):
import crypto from 'node:crypto';
function signIdentity(secret, payload) { const b64 = Buffer.from(JSON.stringify(payload)).toString('base64url'); const sig = crypto.createHmac('sha256', secret).update(b64).digest('hex'); return `${b64}.${sig}`;}
const token = signIdentity(process.env.ROSETTA_IDENTITY_SECRET, { external_user_id: user.id, name: user.name, email: user.email,});// PHPfunction sign_identity(string $secret, array $payload): string{ $b64 = rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '='); $sig = hash_hmac('sha256', $b64, $secret);
return $b64.'.'.$sig;}Pass it to the loader
Section titled “Pass it to the loader”<script src="https://widget.rosettachat.app/widget.js" data-site="wgt_your_public_site_key" data-identity="<token>" async></script>The payload carries external_user_id (required — the stable identifier),
plus optional name and email shown to the agent.