Identity Verification

A security feature that authenticates the external user IDs and email addresses you send to OneSignal.

🚧

Coming Soon To User Model

Identity Verification is not yet supported on the User Model APIs (Mobile SDK 5+, Web SDK 16+).

The updates to make this available are coming soon.

OneSignal supports a higher security method known as Identity Verification. This helps prevent users from impersonating one another by generating a user-specific token on your server and passing it into your OneSignal API calls.

Enabling Identity Verification applies to:

  • Adding email and SMS subscriptions.
  • Setting aliases.

Enable Identity Verification in the Dashboard under Settings > Keys & IDs. After you enable or disable it, the change can take up to 10 minutes to take effect.

We highly recommend enabling identity verification. If your application is "backendless" and does not run on its own servers, we suggest creating a minimal server that just verifies users.

Auth Hash Generation

Auth hashes are expected to be an HMAC-SHA-256 of the <protected_field_value>, keyed with your OneSignal REST API Key and hex-encoded.

Example Auth Hash Generation Code

When identity verification is enabled, OneSignal expects an HMAC-SHA-256 hash of a user's alias or email address, generated on your server. The following code examples show how to generate these hashes:

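require 'openssl'
# ONESIGNAL_API_KEY holds your OneSignal REST API Key; keep it on the server only
OpenSSL::HMAC.hexdigest('sha256', ONESIGNAL_API_KEY, identifier)
OpenSSL::HMAC.hexdigest('sha256', ONESIGNAL_API_KEY, email_address)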

<?php
echo hash_hmac('sha256', $email_address, $ONESIGNAL_REST_API_KEY);
echo hash_hmac('sha256', $identifier, $ONESIGNAL_REST_API_KEY);
?>

const crypto = require('crypto');
const hmac = crypto.createHmac('sha256', ONESIGNAL_REST_API_KEY);
hmac.update(email_address);
// or hmac.update(identifier);
console.log(hmac.digest('hex'));
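
The hash generation above, wrapped in the kind of minimal server-side routine recommended earlier, as an added example (not OneSignal's code). The helper names `authHashesForSession` and `verifyAuthHash`, the `session` object shape, and the environment variable name are assumptions for illustration; the point is that hashes are issued only for identifiers tied to the caller's own authenticated session.

```javascript
const crypto = require('crypto');

// Assumption: the REST API Key is read from server-side configuration.
// The fallback is a constructed demo value, not a real key.
const ONESIGNAL_REST_API_KEY =
  process.env.ONESIGNAL_REST_API_KEY || 'constructed-demo-key';

// HMAC-SHA-256 keyed with the REST API Key over the protected field value,
// hex-encoded (same computation as the snippets above).
function authHash(restApiKey, protectedFieldValue) {
  return crypto
    .createHmac('sha256', restApiKey)
    .update(String(protectedFieldValue), 'utf8')
    .digest('hex');
}

// Hypothetical helper: returns hashes only for identifiers bound to the
// caller's own authenticated session. `session` is your server's session
// record (assumed shape), never values taken from the request body, so a
// client cannot ask for a hash of someone else's ID.
function authHashesForSession(session, restApiKey = ONESIGNAL_REST_API_KEY) {
  if (!session || session.authenticated !== true || !session.userId) {
    throw new Error('not authenticated');
  }
  const out = {
    externalId: session.userId,
    externalIdAuthHash: authHash(restApiKey, session.userId),
  };
  if (session.verifiedEmail) {
    out.emailAddress = session.verifiedEmail;
    out.emailAuthHash = authHash(restApiKey, session.verifiedEmail);
  }
  if (session.verifiedSms) {
    out.smsNumber = session.verifiedSms;
    out.smsAuthHash = authHash(restApiKey, session.verifiedSms);
  }
  return out;
}

// Hypothetical check for your own tests: constant-time comparison of a
// presented hash against the expected one for that value.
function verifyAuthHash(restApiKey, value, presentedHex) {
  const expected = Buffer.from(authHash(restApiKey, value), 'hex');
  const presented = Buffer.from(String(presentedHex), 'hex');
  return presented.length === expected.length &&
    crypto.timingSafeEqual(expected, presented);
}
```

The returned object carries the values the client passes to the SDK methods shown in the sections below; the REST API Key itself never leaves the server.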

SDK Adding Alias with Auth Hash

Your backend can generate an "alias authentication token" and send it to your app to include in the login, addAlias, and addAliases methods.

let externalId = "123456789"; // You will supply the external_id to the OneSignal SDK
let externalIdAuthHash = "..."; // Identifier auth hash generated from your server

OneSignal.push(function() {
  OneSignal.login(externalId, externalIdAuthHash);
});

String externalId = "123456789"; // You will supply the external_id to the OneSignal SDK
String externalIdAuthHash = "..."; // Identifier auth hash generated from your server

OneSignal.login(externalId, externalIdAuthHash);

let externalId = "123456789" // You will supply the external_id to the OneSignal SDK
let externalIdAuthHash = "..." // Identifier auth hash generated from your server

OneSignal.login(externalId, externalIdAuthHash)

NSString* externalId = @"123456789"; // You will supply the external_id to the OneSignal SDK
NSString* externalIdAuthHash = @"..."; // Identifier auth hash generated from your server

[OneSignal login:externalId,externalIdAuthHash];

string externalId = "123456789"; // You will supply the external_id to the OneSignal SDK
string externalIdAuthHash = "..."; // Identifier auth hash generated from your server

SDK Adding Email with Auth Hash

Your backend can generate an "email authentication token" and send it to your app to include in the addEmail method.

var emailAddress = "user@example.com"; // Placeholder address
var emailAuthHash = "..."; // Email auth hash generated from your server

OneSignal.push(function() {
  OneSignal.User.addEmail(emailAddress, emailAuthHash);
});

String emailAddress = "user@example.com"; // Placeholder address
String emailAuthHash = "..."; // Email auth hash generated from your server

OneSignal.getUser().addEmail(emailAddress, emailAuthHash);

let emailAddress = "user@example.com" // Placeholder address
let emailAuthHash = "..." // Email auth hash generated from your server

OneSignal.getUser().addEmail(emailAddress, emailAuthHash)

NSString *emailAddress = @"user@example.com"; // Placeholder address
NSString *emailAuthHash = @"..."; // Email auth hash generated from your server

[OneSignal addEmail:emailAddress,emailAuthHash];

string emailAddress = "user@example.com"; // Placeholder address
string emailAuthHash = "..."; // Email auth hash generated from your server

OneSignal.getUser().addEmail(emailAddress, emailAuthHash);

var emailAddress = "user@example.com"; // Placeholder address
var emailAuthHash = "..."; // Email auth hash generated from your server

OneSignal.getUser().addEmail(emailAddress, emailAuthHash);

let emailAddress = "user@example.com"; // Placeholder address
let emailAuthHash = "..."; // Email auth hash generated from your server

OneSignal.getUser().addEmail(emailAddress, emailAuthHash);

SDK Adding SMS with Auth Hash

Your backend can generate an "SMS authentication token" and send it to your app to include in the addSms method.

var smsNumber = "+15558675309";
var smsAuthHash = "..."; // SMS number auth hash generated from your server

OneSignal.push(function() {
  OneSignal.User.addSms(smsNumber, smsAuthHash);
});

String smsNumber = "+15558675309";
String smsAuthHash = "..."; // SMS number auth hash generated from your server

OneSignal.getUser().addSms(smsNumber, smsAuthHash);

let smsNumber = "+15558675309"
let smsAuthHash = "..." // SMS number auth hash generated from your server

OneSignal.getUser().addSms(smsNumber, smsAuthHash)

NSString *smsNumber = @"+15558675309";
NSString *smsAuthHash = @"..."; // SMS number auth hash generated from your server

[OneSignal addSms:smsNumber,smsAuthHash];

string smsNumber = "+15558675309";
string smsAuthHash = "..."; // SMS number auth hash generated from your server

OneSignal.getUser().addSms(smsNumber, smsAuthHash);

var smsNumber = "+15558675309";
var smsAuthHash = "..."; // SMS number auth hash generated from your server

OneSignal.getUser().addSms(smsNumber, smsAuthHash);

let smsNumber = "+15558675309";
let smsAuthHash = "..."; // SMS number auth hash generated from your server

OneSignal.getUser().addSms(smsNumber, smsAuthHash);

Updating Users with REST API

If you enabled Identity Verification and call the Create user, Update user, Create subscription or Update subscription endpoints, the request must contain the auth hash parameters.