HMAC Encryption

When Novu’s user adds the Inbox to their application they are required to pass a subscriberId which identifies the user’s end-customer, and the application Identifier which is acted as a public key to communicate with the notification feed API.

A malicious actor can access the user feed by accessing the API and passing another subscriberId using the public application identifier.

HMAC encryption will make sure that a subscriberId is encrypted using the secret API key, and those will prevent malicious actors from impersonating users.

Enabling HMAC Encryption

In order to enable Hash-Based Message Authentication Codes, you need to visit the admin panel In-App settings page and enable HMAC encryption for your environment.

How to enable HMAC encryption for In-App Inbox

  1. Next step would be to generate an HMAC encrypted subscriberId on your backend:
import { createHmac } from 'crypto';

const hmacHash = createHmac('sha256', process.env.NOVU_SECRET_KEY)
  .update(subscriberId)
  .digest('hex');
  1. Then pass the created HMAC to your client side application forward it to the component:
<Inbox
  applicationIdentifier="YOUR_APPLICATION_IDENTIFIER"
  subscriberId="YOUR_SUBSCRIBER_ID"
  subscriberHash="YOUR_SUBSCRIBER_ID_HASH_VALUE"
/>

If HMAC encryption is active in In-App provider settings and subscriberHash along with subscriberId is not provided, then Inbox will not load

Was this page helpful?