Secure Identify Requests
To enhance the security of the Canny SDK, provide a user-specific hash in your request that allows Canny to verify that the authentication request came from your application.
In your admin security settings, the Identify security toggle controls whether the Canny SDK requires this per-user hash whenever you call Identify. When it is enabled, only requests that include a valid hash generated by your backend will be accepted.
If you already use Identify today, you can keep the Identify security setting disabled while you roll out the hash generation on your backend. Once your Identify calls include the hash, turn on Identify security to prevent impersonation and tampering.
1. Generate user hash on your server
Note: You can find your secret API key in your company settings. This key is secret! Store it on your server and don't share it.
Node.js:

    import crypto from 'crypto';

    // Secret API key from your company settings; keep it on the server only.
    const APIKey = 'YOUR_API_KEY';

    // Returns the hex-encoded HMAC-SHA256 of the user's ID, keyed with the API key.
    export default function generateCannyHash(user) {
      const hash = crypto.createHmac('sha256', APIKey)
        .update(user.id)
        .digest('hex');
      return hash;
    }

2. Send user hash to Canny when identifying users
    Canny('identify', {
      appID: 'YOUR_APP_ID',
      user: {
        created: new Date(viewer.created).toISOString(), // optional
        email: viewer.email,
        id: viewer.id,
        name: viewer.name,
      },
      // Hash generated on your server in step 1
      hash: viewer.userGeneratedHash,
    });

3. Enable setting in your company security settings
Once enabled, any requests without valid hashes will be rejected, ensuring that only verified users can authenticate. This blocks malicious actors from impersonating your users.
4. Verify that your identify request works as expected
Trigger the identify request by visiting your app and use your browser's dev tools to ensure that the Canny SDK isn't showing any errors in the console. If you see a "Canny: Skipping identify request" message, try clearing your site data or using a private/incognito window. If you run into an error that you can't figure out, contact us.
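The server-side part of steps 1 and 2, written out as an added example (not Canny's own code): it hashes only the authenticated session user's ID, handles numeric IDs, and shows why a changed user ID no longer matches its hash. The environment variable name CANNY_API_KEY and the helpers identifyPayloadFor and isValidIdentify are assumptions; isValidIdentify illustrates the kind of check a verifier performs and is not Canny's implementation.

```javascript
// Added example. Assumed names: CANNY_API_KEY, identifyPayloadFor, isValidIdentify.
const crypto = require('node:crypto');

// Step 1: hex-encoded HMAC-SHA256 over the user ID, keyed with the secret API key.
function generateCannyHash(userID, apiKey = process.env.CANNY_API_KEY) {
  if (!apiKey) throw new Error('Canny API key is not configured');
  // Database IDs are often numbers, and Hmac.update() throws on a number.
  // Normalise to the same string the browser will send as user.id.
  const id = String(userID ?? '');
  if (id === '') throw new Error('user id is required');
  return crypto.createHmac('sha256', apiKey).update(id).digest('hex');
}

// Step 2, server side: build the user and hash fields for the logged-in user.
// Only pass the user taken from the authenticated session. Hashing an ID read
// from the request body or query string would hand out a valid hash for any
// account the caller names.
function identifyPayloadFor(sessionUser, apiKey) {
  return {
    user: {
      id: String(sessionUser.id),
      email: sessionUser.email,
      name: sessionUser.name,
    },
    hash: generateCannyHash(sessionUser.id, apiKey),
  };
}

// Illustration of a verifier's check (assumed, not Canny's implementation):
// recompute the HMAC from the received user ID and compare in constant time.
function isValidIdentify(payload, apiKey) {
  const expected = Buffer.from(generateCannyHash(payload.user.id, apiKey), 'hex');
  const given = Buffer.from(String(payload.hash || ''), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

Because the hash covers only the user ID, a client that edits user.id in the browser ends up with an ID and hash that no longer match, while the API key never leaves your server.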
To control how Identify handles users that do not exist yet (create vs update-only), see our Advanced Identify docs. Those docs explain Identify modes and how they work with your company's default Identify mode setting.