Identify widget users

Identifying users lets logged-in customers submit and vote inside the widget without a separate portal login.

Identity rules

Identity should come from your app's trusted server session. Do not sign identity tokens in browser code and do not expose signing secrets in public environment variables.

Use stable identifiers. If the same customer gets a new id every session, votes and submissions cannot be connected reliably.

Step-by-step

  1. Choose the stable user id. Use your product's internal user id or another durable external id.

  2. Sign the token server-side. Keep signing secrets out of client code.

  3. Pass the JWT to the script. Use data-user-jwt only after the token is generated safely.

  4. Fall back gracefully. If identity is missing, the widget can still ask the visitor to identify before taking action.

  5. Rotate secrets carefully. Deploy server and widget configuration changes together.

Details to remember

  • Names and emails should be customer-safe because they can appear near public activity.
  • Identity is for convenience and attribution, not for granting dashboard access.
  • A bad identity setup creates duplicate customer records.
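
One way to carry out steps 1 to 4 on the server, as an added example that is not the widget's own code. HS256, the claim names, the 5-minute lifetime and the script URL are assumptions, because the page does not specify the token format; only the data-user-jwt attribute comes from the page. The verify function illustrates the receiving-side check.

```python
import base64, hashlib, hmac, html, json, time

# Assumptions (not from the page): HS256, the claim names, the 5-minute lifetime,
# and the placeholder script URL. Load the real secret from server-side storage.
SIGNING_SECRET = b"constructed-demo-secret"
WIDGET_SRC = "https://widget.example.invalid/embed.js"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_widget_jwt(user: dict, secret: bytes = SIGNING_SECRET, ttl: int = 300, now=None) -> str:
    """Sign identity taken from the trusted server session, never from request input."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": str(user["id"]),          # stable internal id, same every session
        "name": user["display_name"],    # customer-safe: may show near public activity
        "email": user["email"],
        "iat": now,
        "exp": now + ttl,
    }
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)

def verify_widget_jwt(token: str, secret: bytes = SIGNING_SECRET, now=None):
    """Receiving-side check, for illustration: returns claims, or None if invalid/expired."""
    now = int(time.time()) if now is None else now
    try:
        signing_input, sig = token.rsplit(".", 1)
        expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        header, payload = (json.loads(_b64url_decode(p)) for p in signing_input.split("."))
    except ValueError:
        return None
    if header.get("alg") != "HS256" or payload.get("exp", 0) <= now:
        return None
    return payload

def render_widget_tag(session_user) -> str:
    """Emit the script tag; with no session user, omit the attribute so the widget asks."""
    if session_user is None:
        return f'<script src="{WIDGET_SRC}"></script>'
    token = html.escape(sign_widget_jwt(session_user), quote=True)
    return f'<script src="{WIDGET_SRC}" data-user-jwt="{token}"></script>'
```

Because the subject claim is the internal user id rather than anything generated per session, tokens minted in different sessions resolve to the same customer record.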
