OneSignal now supports a higher security method known as Identity Verification. This helps prevent users from impersonating one another by generating a user-specific token on your server, if you have one.

We highly recommend enabling identity verification for apps and websites that use OneSignal Email Messaging. For apps and websites that are 'backendless' and do not run their own servers, we suggest either creating a minimal server that just verifies users, or avoid sending sensitive information in user tags and notifications.

Code Example

When identity verification is enabled, OneSignal will look for a SHA-256 hash of a user's email address from your server. See the following code examples for how to generate these hashes on your server:

OpenSSL::HMAC.hexdigest('sha256', ONESIGNAL_API_KEY, email_address)

<?php
echo hash_hmac('sha256', $email_address, $ONESIGNAL_REST_API_KEY);
?>

const crypto = require('crypto');
const hmac = crypto.createHmac('sha256', ONESIGNAL_REST_API_KEY);
hmac.update(email_address);
console.log(hmac.digest('hex'));

If you have questions about implementing this please contact us.