Security

You can enable enhanced security for the editor by enforcing identity verification. Identity verification prevents third parties from impersonating your logged-in users and using the Unlayer editor. We strongly recommend that you enforce identity verification.

Setup Identity Verification

To set up identity verification, you'll need to generate an HMAC on your server for each logged-in user and send it to Unlayer.

In order to enable this, you must send us a user object which contains a unique ID for the user, and a generated HMAC signature.

unlayer.init({
  user: {
    id: 1,
    signature: 'XXX',
    name: 'John Doe', // optional
    email: '[email protected]' // optional
  }
})

Generate Signature

You can generate the HMAC signature on your server using the following code:

🚧

Project Secret

Keep your secret key safe! Never commit it directly to your repository, client-side code, or anywhere a third party can find it.

const crypto = require('crypto');

const signature = crypto
    .createHmac("sha256", "[PROJECT-SECRET]") // secret key (keep safe!)
    .update("[USER-ID]")
    .digest("hex");

require 'openssl'

OpenSSL::HMAC.hexdigest(
  'sha256', # hash function
  '[PROJECT-SECRET]', # secret key (keep safe!)
  '[USER-ID]' # user's id
)

hash_hmac(
  'sha256', // hash function
  $user->id, // user's id
  '[PROJECT-SECRET]' // secret key (keep safe!)
);

import hmac
import hashlib

hmac.new(
  b'[PROJECT-SECRET]', # secret key (keep safe!)
  bytes(request.user.id, encoding='utf-8'), # user's id
  digestmod=hashlib.sha256 # hash function
).hexdigest()

You can get your project secret from project settings in the Unlayer dashboard.