Secure Identify Requests

To enhance the security of the Canny SDK, provide a user-specific hash in your request that allows Canny to verify that the authentication request came from your application.

  1. Generate user hash on your server

    Note

    You can find your secret API key in your company settings. This key is secret! Store it on your server and don't share it.

    Node.js
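    import crypto from 'crypto';

    // Secret API key from your company settings. Keep it on the server only.
    const APIKey = 'YOUR_API_KEY';

    // Returns the hex-encoded HMAC-SHA256 of the user's ID, keyed with the secret API key.
    export default function generateCannyHash(user) {
      // update() accepts a string or Buffer, so a numeric ID is converted to a string first.
      const hash = crypto.createHmac('sha256', APIKey)
        .update(String(user.id))
        .digest('hex');
      return hash;
    }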
  2. Send user hash to Canny when identifying users

    Canny('identify', {
      appID: 'YOUR_APP_ID',
      user: {
        created: new Date(viewer.created).toISOString(), // optional
        email: viewer.email,
        id: viewer.id,
        name: viewer.name,
      },
      hash: viewer.userGeneratedHash,
    });
  3. Enable the setting in your company security settings

    Once enabled, any requests without valid hashes will be rejected, ensuring that only verified users can authenticate. This blocks malicious actors from impersonating your users.

  4. Verify that your identify request works as expected

    Trigger the identify request by visiting your app, and use your browser's dev tools to ensure that the Canny SDK isn't showing any errors in the console. If you see a "Canny: Skipping identify request" message, try clearing your site data or using a private/incognito window. If you run into an error that you can't figure out, contact us.
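The hash flow from steps 1 to 3, as an added example that is not Canny's own code: the server builds the identify payload, and a local model of the receiving-side check shows why a payload with a swapped user ID is rejected. The `CANNY_API_KEY` variable name, `buildIdentifyPayload`, `isValidIdentify` and the sample user are assumptions made for illustration; the check is a model of HMAC verification, not Canny's implementation.

```javascript
// Added example, not Canny's code. Everything here runs on the server.
const crypto = require('crypto');

// Assumption: the secret API key comes from an environment variable
// (CANNY_API_KEY is a hypothetical name); the fallback is a constructed demo value.
const API_KEY = process.env.CANNY_API_KEY || 'constructed-demo-key';

// Same computation as generateCannyHash on the page: HMAC-SHA256 of the user ID, hex-encoded.
function generateCannyHash(userID, key = API_KEY) {
  if (userID === undefined || userID === null || userID === '') {
    throw new TypeError('user id is required to compute the hash');
  }
  // update() rejects numbers, so normalise the ID to a string.
  return crypto.createHmac('sha256', key).update(String(userID)).digest('hex');
}

// Build the object the browser passes to Canny('identify', ...).
// Only the hash leaves the server, never the key.
function buildIdentifyPayload(viewer, appID) {
  return {
    appID,
    user: { email: viewer.email, id: viewer.id, name: viewer.name },
    hash: generateCannyHash(viewer.id),
  };
}

// Illustrative model of the receiving side's check (an assumption):
// recompute the HMAC over the claimed ID and compare in constant time.
function isValidIdentify(payload, key = API_KEY) {
  const expected = Buffer.from(generateCannyHash(payload.user.id, key), 'hex');
  const supplied = Buffer.from(String(payload.hash || ''), 'hex');
  return supplied.length === expected.length &&
    crypto.timingSafeEqual(supplied, expected);
}

// Constructed sample data.
const viewer = { id: 'user_1001', email: 'alice@example.com', name: 'Alice' };
const genuine = buildIdentifyPayload(viewer, 'YOUR_APP_ID');
// A payload whose ID was changed in the browser keeps the old hash, so it no longer matches.
const tampered = { ...genuine, user: { ...genuine.user, id: 'user_1002' } };
const unsigned = { ...genuine, hash: undefined };

console.log('genuine accepted: ', isValidIdentify(genuine));
console.log('tampered accepted:', isValidIdentify(tampered));
console.log('unsigned accepted:', isValidIdentify(unsigned));
```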