If you are authenticating users via email from outside BeDesk, it's highly recommended to generate an email hash on the server using a secret key. This prevents bad actors from spoofing the identity of another user by providing an email different from their own. Such spoofing could allow an attacker to pose as a real user to your teammates, giving access to previous conversations and potentially sensitive data.
To secure the widget, generate an HMAC on your server for each logged-in user from their email address and the secret widget key, and send it to BeDesk. Refer to the documentation for your language or framework on how to generate an HMAC; this is an example for PHP:
$widgetSecretKey = 'xxxxNE5wdzVEQm9CeUVMTJxxx'; // IMPORTANT: replace with your own secret
$email = 'johndoe@gmail.com'; // email address of the logged-in user
$emailHash = hash_hmac('sha256', $email, $widgetSecretKey); // HMAC-SHA256 as lowercase hex
You can get the secret widget key from admin -> settings -> livechat -> security panel.
After generating an email hash, you can send it along with other user information on every page where the Livechat widget is loaded:
<script>
window.BeChatSettings = {
    user: {
        name: 'John Appleseed',
        email: 'john.appleseed@email.com',
        email_hash: 'INSERT_HMAC_VALUE_HERE', // IMPORTANT: replace with the email hash generated on the server for this email
        subscriptionPlan: 'Premium',
        company: 'Pixel Perfect Designs'
    }
};
</script>
<script src="https://your-site.com/livechat-loader.js"></script>
After you have configured your site to send the email hash, you should enable identity verification from the admin -> settings -> livechat -> security page. Once enabled, any attempt to authenticate a user will fail if the email hash does not match.
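The same flow for a Python backend, as an added example that is not BeDesk's own code: it computes the email hash, builds the settings object so that only the hash (never the key) reaches the browser, and sketches the comparison that makes a mismatched email fail. The key value, the function names and the verifier-side check are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed placeholder. Load the real widget key from server-side
# configuration; it must never appear in anything sent to the browser.
WIDGET_SECRET_KEY = "example-widget-secret-not-real"


def email_hash(email: str, secret_key: str = WIDGET_SECRET_KEY) -> str:
    """HMAC-SHA256 of the email as lowercase hex, the same output
    format PHP's hash_hmac('sha256', ...) produces."""
    mac = hmac.new(secret_key.encode(), email.encode(), hashlib.sha256)
    return mac.hexdigest()


def render_settings(user: dict, secret_key: str = WIDGET_SECRET_KEY) -> str:
    """Build the window.BeChatSettings assignment for the logged-in user."""
    # Hash the exact email string that is sent, taken from the server-side
    # session rather than from anything the browser submitted.
    payload = dict(user, email_hash=email_hash(user["email"], secret_key))
    body = json.dumps({"user": payload})
    # Escape "<" so a user-controlled field (name, company) cannot close
    # the surrounding <script> element.
    return "window.BeChatSettings = " + body.replace("<", "\\u003c") + ";"


def matches(email: str, claimed_hash: str,
            secret_key: str = WIDGET_SECRET_KEY) -> bool:
    """Illustrative check (assumption, not BeDesk's implementation):
    recompute the HMAC and compare in constant time."""
    expected = email_hash(email, secret_key).encode()
    return hmac.compare_digest(expected, claimed_hash.encode())


if __name__ == "__main__":
    # Constructed sample user, mirroring the fields in the snippet above.
    user = {"name": "John Appleseed", "email": "john.appleseed@email.com",
            "subscriptionPlan": "Premium", "company": "Pixel Perfect Designs"}
    print(render_settings(user))
    good = email_hash(user["email"])
    print(matches(user["email"], good))         # hash belongs to this email
    print(matches("someone@example.com", good))  # reused hash, other email
```

A hash issued for one address does not validate for any other, so changing only the `email` field in the browser is not enough to pass verification.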