TAU Widget

Authenticated Area (HMAC)

Configure the widget to securely identify authenticated users via HMAC SHA-256.

Authenticated Area

Configure the TAU Widget to identify logged-in users and personalize the experience. The chat maintains context across sessions and provides targeted support.

Authentication uses HMAC SHA-256 over user.id. All hash generation must happen on the server; never expose your secret key on the frontend. For a given user id and key the resulting hash is always the same value, so treat it as a credential for that user: anyone who obtains it can present it until the key is rotated.


Generating the HMAC (backend)

Python

import hmac
import hashlib

def create_hmac(user_id: str, secret_key: str) -> str:
    """Return the hex-encoded HMAC-SHA256 of user_id under secret_key.

    Call this on the server only; secret_key must never reach the browser.
    """
    return hmac.new(
        secret_key.encode(),
        user_id.encode(),
        hashlib.sha256
    ).hexdigest()

# Usage (in production read secret_key from server-side configuration, not a literal)
hash_value = create_hmac("user123", "your_secret_key")

Node.js

const crypto = require('crypto');

// Hex-encoded HMAC-SHA256 of userId under secretKey. Server side only.
function createHmac(userId, secretKey) {
  return crypto
    .createHmac('sha256', secretKey)
    .update(userId)
    .digest('hex');
}

// Usage (in production read secretKey from server-side configuration, not a literal)
const hash = createHmac('user123', 'your_secret_key');

PHP

<?php
// $userId comes from your session; $secretKey from server-side configuration.
$userId = 'user123';
$secretKey = getenv('TAU_WIDGET_SECRET') ?: 'your_secret_key';

// Hex-encoded HMAC-SHA256 of the user id. Server side only.
$hash = hash_hmac('sha256', $userId, $secretKey);

Widget configuration (frontend)

window.taubotConfig = {
  appId: 'YOUR_APP_ID',
  user: {
    id: 'user123',                          // Unique user ID
    hash: 'SERVER_GENERATED_HMAC',          // HMAC of user.id
    name: 'John Smith',                     // Name (optional)
    email: 'john@example.com',              // Email (optional)
    phone: '+15551234567',                  // Phone (optional)
    profile_picture_url: 'https://...',     // Photo (optional)
    created_at: 1701967378                  // Unix timestamp (optional)
  }
};

Fields in the user object

Field                 Type    Required  Description
id                    string  Yes       Unique user ID in your system
hash                  string  Yes       HMAC SHA-256 of user.id, generated on the server
name                  string  No        Full name for personalization
email                 string  No        Email for contact and identification
phone                 string  No        Phone in international format
profile_picture_url   string  No        Profile picture URL
created_at            number  No        User creation Unix timestamp

Benefits for authenticated users

  • Personalized context — the assistant sees the user's information
  • Maintained history — previous conversations are preserved
  • Automatic identification — no need to identify themselves each conversation
  • Continuous experience — picks up where they left off
  • Targeted support — assistance based on the user profile

Security best practices

  • 🔐 Keep the secret key exclusively on the server, in an environment variable or secret manager; it must never appear in page source, client-side bundles or version control
  • 🔄 Generate the HMAC on the server each time the page is rendered rather than embedding a precomputed value in static files or client-side storage. For a fixed user id and key the value is always the same; it only changes when the key is rotated
  • ⏰ Consider implementing hash expiration. The HMAC of a bare user id carries no expiry of its own, so with this configuration the lever you have is rotating the secret key, which invalidates every hash issued under the old key
  • 🛡️ Always validate information on the backend. Only user.id is covered by the HMAC; name, email, phone and the other optional fields are whatever your page put into the config, so do not base authorization decisions on them
  • 📝 Monitor invalid access attempts: log hash mismatches per user id and alert on repeated failures, which point to tampering or to clients still presenting hashes from a rotated key

How to verify it's working

  1. Configure the widget with valid user information
  2. Open the browser console (F12)
  3. Look for widget authentication logs
  4. Start a conversation and check whether the name appears in the chat
  5. Confirm in the TAU dashboard that the user was identified
