Identity verification helps make sure that your customers' data is kept private and that one customer can't impersonate another. We require all PuBilling customers to set up identity verification.
To set up identity verification, you'll need to generate an HMAC on your server for each logged-in user and send it to PuBilling.
Your code to generate an HMAC for your app is:
    # Ruby
    require 'openssl'

    OpenSSL::HMAC.hexdigest(
      'sha256',                            # hash function
      'YOUR_SECRET_KEY',                   # secret key (keep safe!)
      customer_id.to_s + account_id.to_s   # customer id + your account id
    )
    # Python
    import hmac
    import hashlib

    hmac.new(
        b'YOUR_SECRET_KEY',  # secret key as bytes (keep safe!)
        # customer's id + your account id, encoded to bytes
        (str(request.customer.id) + str(pubilling_account_id)).encode('utf-8'),
        digestmod=hashlib.sha256  # hash function
    ).hexdigest()
Keep your secret key safe! Never commit it directly to your repository, client-side code, or anywhere a third party can find it.
Everywhere that you load user data and have a window.pubillingSettings code snippet, add a new attribute called account_hash and assign the HMAC code for the logged-in customer to it:
    <script>
      window.pubillingSettings = {
        app_id: "Bh1w7V3wJvJPXrFRxJQ2vN", // Your App ID
        account_id: "123", // Customer ID
        account_hash: "{ACCOUNT_HASH}", // HMAC using SHA-256
      };
      (function () {
        var s = document.createElement('script');
        s.type = 'text/javascript';
        s.async = true;
        s.src = 'http://app.pubilling.io/sdk.js';
        var x = document.getElementsByTagName('script')[0];
        x.parentNode.insertBefore(s, x);
      })();
    </script>
Log into your web app or site as a user, and then refresh any page with the PuBilling embeddable installed.
The purpose of identity verification is to verify that your users are who they claim to be. It works by using a server-side generated HMAC (hash-based message authentication code), using SHA-256, on the customer ID. PuBilling will not accept any requests for a logged-in customer without a valid HMAC.
In the interest of protecting your users' data, we enable identity verification for everyone. This helps prevent third parties from performing malicious actions.
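The following is an added example, not PuBilling's own code: it generates the account_hash on the server with the key read from the environment, then shows why a hash issued for one customer does not validate for another. The environment variable name PUBILLING_SECRET_KEY, the function names, the sample ids and the receiving-side check are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical variable name; the page only says to keep the key out of the repo.
SECRET_ENV_VAR = "PUBILLING_SECRET_KEY"


def load_secret_key() -> bytes:
    """Read the secret from the environment so it never lives in source control."""
    key = os.environ.get(SECRET_ENV_VAR)
    if not key:
        raise RuntimeError(f"{SECRET_ENV_VAR} is not set")
    return key.encode("utf-8")


def account_hash(secret: bytes, customer_id, account_id) -> str:
    """HMAC-SHA256 over customer id + account id, hex-encoded, as on this page."""
    message = (str(customer_id) + str(account_id)).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def is_valid(secret: bytes, customer_id, account_id, presented: str) -> bool:
    """Illustrative receiving-side check: recompute, then compare in constant time."""
    expected = account_hash(secret, customer_id, account_id)
    # Compare as bytes so a non-ASCII value is rejected instead of raising.
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


if __name__ == "__main__":
    secret = b"constructed-demo-key"  # constructed sample value, not a real key
    issued = account_hash(secret, "123", "acct_1")  # constructed ids
    print("own hash accepted:         ", is_valid(secret, "123", "acct_1", issued))
    print("reused for other customer: ", is_valid(secret, "124", "acct_1", issued))
    print("recomputed with wrong key: ", is_valid(b"guess", "123", "acct_1", issued))
```

Because the browser only ever receives the finished hex digest, changing the customer id in window.pubillingSettings without the server-held key produces a mismatch.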