Identity Verification
Security feature to authenticate your external user ids and emails sent to OneSignal.
Coming Soon To User Model
Identity Verification is not yet supported on the User Model APIs (Mobile SDK 5+, Web SDK 16+).
The updates to make this available are coming soon.
OneSignal supports a higher security method known as Identity Verification. This helps prevent users from impersonating one another by generating a user-specific token on your server and passing it into your OneSignal API calls.
Enabling Identity Verification applies to:
- Adding email and SMS subscriptions.
- Setting aliases.
Enable Identity Verification through the Dashboard > Settings > Keys & IDs. After you enable or disable it, the change can take up to 10 minutes to process.
We highly recommend enabling identity verification. If your application is "backendless" and does not run on its own servers, we suggest creating a minimal server that just verifies users.
Auth Hash Generation
Auth hashes are expected to be an HMAC-SHA-256 of the <protected_field_value>, keyed with the OneSignal REST API Key.
Example Auth Hash Generation Code
When identity verification is enabled, OneSignal expects an HMAC-SHA-256 hash of the user's alias or email address, generated on your server. See the following code examples for how to generate these hashes on your server:
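Ruby:
require 'openssl'
# HMAC-SHA-256 (hex) of the alias, keyed with the REST API key
OpenSSL::HMAC.hexdigest('sha256', ONESIGNAL_API_KEY, identifier)
# ...or of the email address
OpenSSL::HMAC.hexdigest('sha256', ONESIGNAL_API_KEY, email_address)
PHP:
<?php
// hash_hmac(algorithm, data, key): the REST API key is the HMAC key
echo hash_hmac('sha256', $email_address, $ONESIGNAL_REST_API_KEY);
echo hash_hmac('sha256', $identifier, $ONESIGNAL_REST_API_KEY);
?>
Node.js:
const crypto = require('crypto');
// The REST API key is the HMAC key; the protected field value is the message
const hmac = crypto.createHmac('sha256', ONESIGNAL_REST_API_KEY);
hmac.update(email_address);
// or hmac.update(identifier);
console.log(hmac.digest('hex'));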
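As an added example (not OneSignal's own code), the Node.js sketch below shows the minimal verification server recommended earlier on this page: it takes the identifier from the server-side session rather than from request input, so a client cannot obtain a hash for another user's alias or email. The session shape, the function names and the sample key are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// HMAC-SHA-256 (hex) of the protected field value, keyed with the REST API key,
// as in the page's Node.js snippet.
function authHash(restApiKey, protectedFieldValue) {
  if (typeof restApiKey !== 'string' || restApiKey.length === 0) {
    throw new Error('REST API key is not configured');
  }
  if (typeof protectedFieldValue !== 'string' || protectedFieldValue.length === 0) {
    throw new Error('protected field value must be a non-empty string');
  }
  return crypto.createHmac('sha256', restApiKey)
    .update(protectedFieldValue, 'utf8')
    .digest('hex');
}

// Hypothetical handler body. `session` is whatever your own login system
// established for this request (assumed shape: { userId, verifiedEmail }).
// Identifiers come from the session only, never from the request body.
function issueAuthHashes(session, restApiKey) {
  if (!session || typeof session.userId !== 'string' || !session.userId) {
    return { status: 401, body: { error: 'not authenticated' } };
  }
  const body = {
    externalId: session.userId,
    externalIdAuthHash: authHash(restApiKey, session.userId),
  };
  if (typeof session.verifiedEmail === 'string' && session.verifiedEmail) {
    body.emailAddress = session.verifiedEmail;
    body.emailAuthHash = authHash(restApiKey, session.verifiedEmail);
  }
  return { status: 200, body };
}

// Constant-time check of a presented hash (useful in tests and audits).
function authHashMatches(restApiKey, protectedFieldValue, presentedHex) {
  const expected = Buffer.from(authHash(restApiKey, protectedFieldValue), 'hex');
  const presented = Buffer.from(String(presentedHex), 'hex');
  return presented.length === expected.length &&
    crypto.timingSafeEqual(expected, presented);
}

// Constructed sample values, not real credentials.
const SAMPLE_KEY = 'constructed-sample-rest-api-key';
const alice = issueAuthHashes({ userId: '123456789' }, SAMPLE_KEY);
console.log(alice.status, Object.keys(alice.body));
console.log(authHashMatches(SAMPLE_KEY, '987654321', alice.body.externalIdAuthHash));
```

The REST API key stays on the server; only the resulting hash is returned to the app, which passes it to the SDK calls shown in the sections that follow.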
SDK Adding Alias with Auth Hash
Your backend can generate an "alias authentication token" and send it to your app to include in the login, addAlias, and addAliases methods.
let externalId = "123456789"; // You will supply the external_id to the OneSignal SDK
let externalIdAuthHash = "..."; // Identifier auth hash generated from your server
OneSignal.push(function() {
OneSignal.login(externalId, externalIdAuthHash);
});
String externalId = "123456789"; // You will supply the external_id to the OneSignal SDK
String externalIdAuthHash = "..."; // Identifier auth hash generated from your server
OneSignal.login(externalId, externalIdAuthHash);
let externalId = "123456789" // You will supply the external_id to the OneSignal SDK
let externalIdAuthHash = "..." // Identifier auth hash generated from your server
OneSignal.login(externalId, externalIdAuthHash)
NSString* externalId = @"123456789"; // You will supply the external_id to the OneSignal SDK
NSString* externalIdAuthHash = @"..."; // Identifier auth hash generated from your server
[OneSignal login:externalId,externalIdAuthHash];
string externalId = "123456789"; // You will supply the external_id to the OneSignal SDK
string externalIdAuthHash = "..."; // Identifier auth hash generated from your server
let externalId = '123456789'; // You will supply the external_id to the OneSignal SDK
let externalIdAuthHash = "..."; // Identifier auth hash generated from your server
let externalId = "123456789" // You will supply the external_id to the OneSignal SDK
let externalIdAuthHash = "..."; // Identifier auth hash generated from your server
SDK Adding Email with Auth Hash
Your backend can generate an "email authentication token" and send it to your app to include in the addEmail method.
var emailAddress = "[email protected]";
var emailAuthHash = "..."; // Email auth hash generated from your server
OneSignal.push(function() {
OneSignal.User.addEmail(emailAddress, emailAuthHash);
});
String emailAddress = "[email protected]";
String emailAuthHash = "..."; // Email auth hash generated from your server
OneSignal.getUser().addEmail(emailAddress, emailAuthHash);
let emailAddress = "[email protected]"
let emailAuthHash = "..." // Email auth hash generated from your server
OneSignal.getUser().addEmail(emailAddress, emailAuthHash)
NSString *emailAddress = @"[email protected]";
NSString *emailAuthHash = @"..."; // Email auth hash generated from your server
[OneSignal addEmail:emailAddress,emailAuthHash];
string emailAddress = "[email protected]";
string emailAuthHash = "..."; // Email auth hash generated from your server
OneSignal.getUser().addEmail(emailAddress, emailAuthHash);
var emailAddress = "[email protected]";
var emailAuthHash = "..."; // Email auth hash generated from your server
OneSignal.getUser().addEmail(emailAddress, emailAuthHash);
let emailAddress = "[email protected]";
let emailAuthHash = "..."; // Email auth hash generated from your server
OneSignal.getUser().addEmail(emailAddress, emailAuthHash);
SDK Adding SMS with Auth Hash
Your backend can generate an "SMS authentication token" and send it to your app to include in the addSms method.
var smsNumber = "+15558675309";
var smsAuthHash = "..."; // SMS number auth hash generated from your server
OneSignal.push(function() {
OneSignal.User.addSms(smsNumber, smsAuthHash);
});
String smsNumber = "+15558675309";
String smsAuthHash = "..."; // SMS number auth hash generated from your server
OneSignal.getUser().addSms(smsNumber, smsAuthHash);
let smsNumber = "+15558675309"
let smsAuthHash = "..." // SMS number auth hash generated from your server
OneSignal.getUser().addSms(smsNumber, smsAuthHash)
NSString *smsNumber = @"+15558675309";
NSString *smsAuthHash = @"..."; // SMS number auth hash generated from your server
[OneSignal addSms:smsNumber,smsAuthHash];
string smsNumber = "+15558675309";
string smsAuthHash = "..."; // SMS number auth hash generated from your server
OneSignal.getUser().addSms(smsNumber, smsAuthHash);
var smsNumber = "+15558675309";
var smsAuthHash = "..."; // SMS number auth hash generated from your server
OneSignal.getUser().addSms(smsNumber, smsAuthHash);
let smsNumber = "+15558675309";
let smsAuthHash = "..."; // SMS number auth hash generated from your server
OneSignal.getUser().addSms(smsNumber, smsAuthHash);
Updating Users with REST API
If you enabled Identity Verification and call the Create user, Update user, Create subscription or Update subscription endpoints, the request must contain the auth hash parameters.