Skip to main content

Users, Audience, & Identification

The Audience of your product is all users who interact with it. The GetintheLoop Platform uses a very flexible style of identifying and tracking users to support any number of use cases and login systems.

There are 3 states a user can be in:

  • Anonymous - ie. anonymous
  • Identified - Associated with a unique user id, but not verified
  • Verified - Associated with a unique user id, and verified via a signed token

While identifying users is optional, it is required for features like Bookmarking and Limited Offers that require a persistent record of who the user is across app sessions.

Typically, you would identify each user on sign in or auth refresh, alongside your existing authentication logic, and would log them out of the SDK when they sign out of your app.


In order to verify your product's users, a unique token for each user must be generated and provided with the identify calls. Verification ensures that users cannot impersonate each other, and is required for certain features like Offer Bookmarking.

A typical process for this would look like this:

Verifying Users

Generating Verification Tokens

To generate a Verification Token you'll need 2 things:

  • The Unique User ID that you use to identify this user with the GetintheLoop Platform
  • The Verification Key, found in your Property Settings

The Verification Key is a Base64 encoded string that contains an hmacId and an hmacSecret, separated by a semicolon (hmacId;hmacSecret).


  1. Decode the Verification Key to get the hmacId and hmacSecret
  2. Create a SHA256 HMAC that signs the Unique User ID with the hmacSecret. The format of this HMAC must be a hex digest string.
  3. Create the final Verification Token by joining the original Verification Key hmacId with your SHA256 HMAC Digest from Step 2, in the format hmacId;timestamp;sha256Digest, and encoding as a Base64 string.


const assert = require('assert');
const crypto = require('crypto');

const computeSignature = (secret, userId) => {
// 1. Decode the Verification Key
const secretDecoded = Buffer.from(secret, 'base64').toString('utf8');
const [hmacId, hmacSecret] = secretDecoded.split(';')
.map((e) => Buffer.from(e.replace(/-/g, ''), 'hex'));

// 2. Create the SHA256 HMAC digest
const timestamp = Buffer.from(Math.round(new Date() / 1000).toString(16), 'hex');
const hmacDigest = crypto.createHmac('sha256', hmacSecret)

// 3. Create the final verification token
return Buffer.concat([hmacId, timestamp, hmacDigest]).toString('base64');

const verificationKey = "YOUR_PROPERTY_VERIFICATION_KEY";
const userId = "UNIQUE_USER_ID";

// 3. Encode in final Verification Token format
const verificationToken = computeSignature(verificationKey, userId);

Security Considerations

In order to be secure the HMAC token must be generated on your server, and communicated to your app or website once the user has been authenticated. Typically implementors return the computed HMAC as part of their user profile payload.