When to use it
Use signed identity when:- Visitors are logged in to your product
- You want replies tied to your own user IDs
- You need names or emails to come from your backend
Get the site secret
Create the site’s first identity signing secret from the dashboard. TinyInbox shows the new secret once, so copy it into your backend environment before leaving the page. You can also create or rotate it from the API:identitySecret once. Existing secrets are not
returned again.
Sign the token
The identity token must:- Use the
HS256algorithm - Use
typ: "JWT"if your JWT library sets a type header. Tokens withouttypare accepted, but any othertypvalue is rejected. - Set
audtotinyinbox-widget-identity - Include
userIdorsub - Optionally include
name,email, andsiteKey - Expire quickly
Pass the token to the widget
Expose a browser-accessible endpoint that returns{ identityToken }, then pass
that token to the widget from client-only code. Keep using the widget script
from your TinyInbox dashboard; do not rebuild the widget URL or site key in
application code.
When you use signed identity for a logged-in visitor, do not also call
TinyInbox.identify({ name, email }) for that same visitor. The signed token
should carry the trusted name and email; sending both can create an
anonymous session first and then switch to the signed visitor session.
For logged-in app pages, fetch the token once auth state is known and pass it to
TinyInbox. If you can run this before the copied widget script loads, the
command queues and the first widget session is already signed.
data-tinyinbox-identity attribute.