Concepts
Identity verification
Bind every Blinq conversation to a real user account in your app without trusting the browser. The widget passes a short-lived JWT, signed by your server with a secret only your backend knows.
Why
Without identity verification, anyone who scrapes your public token can impersonate any user inside the conversation log. Verified identities give you per-user analytics, scoped knowledge, and a clean audit trail.
Enable it
- Open Setup → Install in your Blinq dashboard.
- Toggle Identity verification and rotate the identity secret. Copy it once — it is shown a single time.
- Store the secret in your backend env: BLINQ_IDENTITY_SECRET.
- When a logged-in user loads a page that hosts the widget, sign a JWT with HS256 using that secret and pass it to the widget.
JWT payload
{
  "sub": "<your user id>",
  "email": "user@example.com",
  "name": "Жанна Иванова",
  "iat": 1730000000,
  "exp": 1730003600
}
Required: sub. Recommended: email, name, exp. Keep exp short (≤ 1 hour) and refresh on the server when the user renews their session.
Pass the token to the widget
<BlinqWidget
  publicToken={process.env.NEXT_PUBLIC_BLINQ_TOKEN!}
  apiBaseUrl="https://app.blinq.kz"
  identityToken={signedJwtFromServer}
/>
Or via runtime API:
window.blinq.identify(signedJwtFromServer);
// later, when the user logs out:
window.blinq.resetUser();
Server-side signing example (Node)
import { SignJWT } from "jose";

// Runs on the server only; the secret must never reach the browser.
export async function blinqIdentityToken(user: { id: string; email?: string; name?: string }) {
  // The HS256 key is the UTF-8 bytes of the identity secret string.
  const secret = new TextEncoder().encode(process.env.BLINQ_IDENTITY_SECRET!);
  return new SignJWT({ email: user.email, name: user.name })
    .setProtectedHeader({ alg: "HS256" })
    .setSubject(user.id) // required claim: sub
    .setIssuedAt()
    .setExpirationTime("1h") // keep exp short (≤ 1 hour)
    .sign(secret);
}
Verification rules
- The widget never sees the secret — only your server does.
- Tokens are validated on every session/init.
- Expired or unsigned tokens fall back to anonymous mode silently.
- Rotating the secret invalidates all previously issued tokens.
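Because rejected tokens fall back to anonymous mode silently, a wrong secret or a stale token gives no visible error. The following is an added example, not Blinq's own verification code: a backend self-check that applies the rules listed above to a token you minted, using only Node's built-in crypto. The names `checkIdentityToken`, `signHs256`, the sample secret, and the stricter local policy (exp required, at most one hour) are assumptions.

```javascript
// Added example: local pre-flight check for identity tokens (not Blinq's code).
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (secret, data) => createHmac("sha256", secret).update(data).digest();

// Minimal HS256 signer, used here only to build constructed sample tokens.
function signHs256(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(hmac(secret, input))}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
// maxTtl follows the page's "exp <= 1 hour" advice; requiring exp is a local policy.
function checkIdentityToken(token, secret, now = Math.floor(Date.now() / 1000), maxTtl = 3600) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm: the token header must not choose it (rejects alg "none").
  if (header.alg !== "HS256") return { ok: false, reason: "bad-alg" };
  const expected = hmac(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  // Constant-time comparison; the length check guards timingSafeEqual.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (typeof claims.sub !== "string" || claims.sub === "") return { ok: false, reason: "missing-sub" };
  if (typeof claims.exp !== "number") return { ok: false, reason: "missing-exp" };
  if (claims.exp <= now) return { ok: false, reason: "expired" };
  if (claims.exp - now > maxTtl) return { ok: false, reason: "ttl-too-long" };
  return { ok: true, claims };
}

// Constructed sample data (not a real secret); timestamps match the payload above.
const SECRET = "constructed-test-secret";
const NOW = 1730000000;
const CLAIMS = { sub: "user-123", email: "user@example.com", iat: NOW, exp: NOW + 3600 };
const GOOD = signHs256(CLAIMS, SECRET);
```

Run `checkIdentityToken` in a server-side test or health check against a freshly minted token, and log the `reason` so a secret mismatch after rotation is caught on your side.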