HMAC Identity Verification
Identity Verification ensures that all user data tracked by the platform comes from authenticated and trusted sources.
When enabled, the system enforces HMAC validation on all identify calls. This prevents tracking of spoofed or unidentified users.
When to use Identity Verification
- To guarantee trust in user data across analytics and feature management.
- To prevent spoofing, where someone tries to impersonate a user by sending fake events.
- To comply with security and privacy policies for verified user tracking.
How it works
- An admin generates a secret key in the Identity Verification settings.
- Developers use this secret to generate an HMAC hash of the user ID (usually the userId or email) server-side.
- The client SDK sends both the userId and the userHash with each identify call.
- The platform validates the hash against the secret.
- If valid → the user is tracked.
- If invalid/missing → the user is rejected and not tracked.
Enabling Identity Verification
- Go to Settings → Identity Verification.
- Click Generate to create a new secret.
- Copy the secret and store it securely (e.g., in a key vault).
- Share the secret with your development team to implement hashing.
- Toggle Enforce Identity Verification to ON.
- Save your changes.
Once enabled, all identify calls must include a valid HMAC hash. Unverified users will no longer be tracked.
Developer Requirements
After enabling HMAC, developers must update identify calls to include userHash.
Example (Node.js):
This must be server-side code. DO NOT expose the secret key in front-end code.
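const crypto = require("crypto");
// HMAC-SHA256 of the userId, hex-encoded, keyed with the shared secret
function generateUserHash(secret, userId) {
  return crypto.createHmac("sha256", secret).update(userId).digest("hex");
}
const userId = "user_123";
// The secret is read from the server environment, never shipped to the browser
const userHash = generateUserHash(process.env.EUCERA_SECRET, userId);
// Send both to the SDK (euceraClient is your initialized SDK client)
euceraClient.identify({
  userId,
  userHash
});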
Identity Verification (HMAC) — Developer Guide
When Identity Verification is enabled by admins, all identify calls must include a userHash parameter.
The userHash is an HMAC-SHA256 hash of the userId, signed with the shared secret provided by the admin.
If the hash is missing or invalid, the user will not be tracked.
How it works
- The admin generates and shares a secret securely.
- You use this secret in your server-side code to generate an HMAC-SHA256 hash of the userId.
- Send both userId and userHash to the SDK or REST API.
- The platform validates the hash before tracking the user.
Parameters
Field | Description |
---|---|
userId | Unique identifier of the user (e.g., UUID, email, database ID). |
userHash | HMAC-SHA256 hash of userId, signed with the secret. Must be computed server-side. |
Code Examples
Node.js
const crypto = require("crypto");
// HMAC-SHA256 of the userId, hex-encoded, keyed with the shared secret
function generateUserHash(secret, userId) {
  return crypto.createHmac("sha256", secret).update(userId).digest("hex");
}
const userId = "user_123";
// Read the secret from the server environment
const secret = process.env.EUCERA_SECRET;
const userHash = generateUserHash(secret, userId);
// Pass to the SDK (euceraClient is your initialized SDK client)
euceraClient.identify({
  userId,
  userHash
});
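Python
import hashlib
import hmac
import os
def generate_user_hash(secret, user_id):
    # HMAC-SHA256 of the user ID, hex-encoded, keyed with the shared secret
    return hmac.new(
        secret.encode("utf-8"),
        user_id.encode("utf-8"),
        hashlib.sha256
    ).hexdigest()
user_id = "user_123"
# Read the secret from the server environment; raises KeyError if it is not set
secret = os.environ["EUCERA_SECRET"]
user_hash = generate_user_hash(secret, user_id)
# Pass to the SDK (client is your initialized SDK client)
client.identify({
    "userId": user_id,
    "userHash": user_hash
})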
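The server-side issuing step and the validation step described above, as an added Node.js example that is not part of the original page or the platform's SDK. `identifyPayloadForSession`, `isValidUserHash`, the session object and the demo secret are assumptions; the validation function illustrates the check the page describes, not the platform's implementation.

```javascript
const crypto = require("crypto");

// Same computation as generateUserHash in the page's Node.js example.
function generateUserHash(secret, userId) {
  return crypto.createHmac("sha256", secret).update(userId).digest("hex");
}

// Hypothetical helper: take the userId from the authenticated server-side session,
// never from request input, so a caller cannot obtain a hash for another user.
function identifyPayloadForSession(secret, session) {
  if (!secret) throw new Error("identity verification secret is not configured");
  if (!session || typeof session.userId !== "string" || session.userId === "") {
    return null; // unauthenticated request: issue no hash
  }
  return { userId: session.userId, userHash: generateUserHash(secret, session.userId) };
}

// Assumed validation logic: recompute the HMAC and compare in constant time.
// A missing or malformed userHash is rejected before any comparison.
function isValidUserHash(secret, userId, userHash) {
  if (typeof userId !== "string" || typeof userHash !== "string") return false;
  // digest("hex") yields 64 lowercase hex characters for SHA-256
  if (!/^[0-9a-f]{64}$/.test(userHash)) return false;
  const expected = Buffer.from(generateUserHash(secret, userId), "hex");
  const received = Buffer.from(userHash, "hex");
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values for the demo.
const DEMO_SECRET = "constructed-demo-secret";

function demo() {
  const payload = identifyPayloadForSession(DEMO_SECRET, { userId: "user_123" });
  return {
    genuine: isValidUserHash(DEMO_SECRET, payload.userId, payload.userHash),
    // A hash issued for user_123 does not verify for a different userId.
    swappedId: isValidUserHash(DEMO_SECRET, "user_456", payload.userHash),
    missing: isValidUserHash(DEMO_SECRET, "user_123", undefined),
    wrongSecret: isValidUserHash("other-secret", payload.userId, payload.userHash),
    anonymous: identifyPayloadForSession(DEMO_SECRET, null),
  };
}

console.log(demo());
```

Because the hash is bound to one userId, the endpoint that returns it to the browser must only ever sign the identifier of the currently authenticated user.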