Identity verification

Last updated 6 months ago

Learn more about identity verification and how to set it up.

Identity verification helps make sure that your customers' data is kept private and that one customer can't impersonate another. We require all PuBilling customers to set up identity verification.

1 - Generate HMAC

To set up identity verification, you'll need to generate an HMAC on your server for each logged-in user and send it to PuBilling.

Your code to generate an HMAC for your app is:

Ruby

require 'openssl'

OpenSSL::HMAC.hexdigest(
  'sha256', # hash function
  'YOUR_SECRET_KEY', # secret key (keep safe!)
  customer_id.to_s + account_id # customer id + your account id
)

Python

import hmac
import hashlib

hmac.new(
    b'YOUR_SECRET_KEY', # secret key as bytes (keep safe!)
    (str(request.customer.id) + pubilling_account_id).encode('utf-8'), # customer's id + your account id
    digestmod=hashlib.sha256 # hash function
).hexdigest()

Keep your secret key safe! Never commit it directly to your repository, client-side code, or anywhere a third party can find it.

2 - Send generated HMAC to the script

Everywhere that you load user data and have a window.pubillingSettings code snippet, add a new attribute called account_hash and assign the HMAC code for the logged-in customer to it:

<script>
window.pubillingSettings = {
app_id: "Bh1w7V3wJvJPXrFRxJQ2vN", // Your App ID
account_id: "123", // Customer ID
account_hash: "{ACCOUNT_HASH}", // HMAC using SHA-256
};
(function () {var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'http://app.pubilling.io/sdk.js';var x = document.getElementsByTagName('script')[0];x.parentNode.insertBefore(s, x);})();
</script>

3 - Verify installation

Log into your web app or site as a user, and then refresh any page with the PuBilling embeddable installed.

How does identity verification work?

The purpose of identity verification is to verify that your users are who they claim to be. It works by using a server-side generated HMAC (hash-based message authentication code), computed with SHA-256, on the customer id. PuBilling will not accept any requests for a logged-in customer without a valid HMAC.
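The check described above, as an added example that is not PuBilling's own code: the hash is generated as in step 1, then recomputed and compared in constant time, so a hash issued for one customer id is rejected for any other. The environment variable name PUBILLING_SECRET_KEY, the function names and the sample ids are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def load_secret(env_var="PUBILLING_SECRET_KEY"):
    """Read the secret key from the environment (assumed variable name)
    so it is never committed to the repository or sent to the client."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(env_var + " is not set")
    return value.encode("utf-8")


def account_hash(secret, customer_id, account_id):
    """HMAC-SHA256 over customer id + account id, hex encoded, as in step 1."""
    message = (str(customer_id) + str(account_id)).encode("utf-8")
    return hmac.new(secret, message, digestmod=hashlib.sha256).hexdigest()


def is_valid(secret, customer_id, account_id, presented_hash):
    """Recompute the HMAC for the claimed customer and compare in constant time.

    A receiver never trusts the customer id on its own: the id and the hash
    must match under the shared secret, which the browser never sees.
    """
    if not isinstance(presented_hash, str):
        return False
    expected = account_hash(secret, customer_id, account_id)
    # Compare as bytes so non-ASCII input is rejected instead of raising.
    return hmac.compare_digest(expected.encode("utf-8"),
                               presented_hash.encode("utf-8"))


if __name__ == "__main__":
    # Constructed demo values; in production the key comes from load_secret().
    secret = b"constructed-demo-key"
    issued = account_hash(secret, 123, "acct_1")
    print("customer 123 with own hash:", is_valid(secret, 123, "acct_1", issued))
    print("customer 124 reusing it:   ", is_valid(secret, 124, "acct_1", issued))
```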

Do I need identity verification?

In the interest of protecting your users’ data, we enable identity verification for everyone. This helps prevent third parties from performing malicious actions.