Identity verification lets you prove who a user is before the agent accesses sensitive data or performs privileged actions. Agentic Trust supports two verification methods: HMAC and JWT.

HMAC verification

HMAC verification uses a shared secret to sign the user’s ID on your backend. The widget sends the signature to Agentic Trust, which verifies it before granting access.
1. Generate an HMAC secret

Go to Identity in the dashboard sidebar and click Generate Secret. Copy the secret — it’s only shown once.
2. Sign the user ID on your backend

Compute an HMAC-SHA256 signature of the user’s external ID using the secret:
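```js
import crypto from "crypto";

// Backend only: the secret must never reach client-side code.
const hmac = crypto
  .createHmac("sha256", "your_hmac_secret") // secret generated in step 1
  .update("user-42")                        // the user's external ID
  .digest("hex");                           // hex string passed to the widget as user.hmac
```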
3. Pass the signature to the widget

Include the user object when initializing the widget:
```html
<script>
  AgenticTrust.initAsync({
    projectId: "proj_your_project_id",
    apiUrl: "https://platform.agentictrust.com/api/v1",
    apiKey: "lum_pk_your_api_key",
    user: {
      id: "user-42",
      email: "user@example.com",
      name: "Jane Doe",
      hmac: "computed_hex_signature"
    }
  });
</script>
```

JWT verification

JWT verification uses a signed token instead of a raw HMAC. This is useful when you already issue JWTs in your application.
1. Generate an HMAC secret

Same as above — the secret is used to sign and verify JWTs (HS256 algorithm).
2. Issue a JWT on your backend

Create a JWT with the user’s ID as the sub claim. Optionally include email and name:
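```js
import jwt from "jsonwebtoken";

// Backend only: sign with the secret generated in step 1.
const token = jwt.sign(
  { sub: "user-42", email: "user@example.com", name: "Jane Doe" }, // sub is the user's ID
  "your_hmac_secret",
  { algorithm: "HS256", expiresIn: "1h" } // expiresIn sets the exp claim
);
```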
3. Pass the token to the widget

Use the identify method or set up automatic token refresh:
```html
<script>
  // One-time identification
  AgenticTrust.identify("your_jwt_token");

  // Or auto-refresh
  AgenticTrust.setIdentityTokenFetcher(async () => {
    const res = await fetch("/api/identity-token");
    if (!res.ok) return null;
    const data = await res.json();
    return data.token;
  });
</script>
```

Choosing between HMAC and JWT

| | HMAC | JWT |
|---|---|---|
| Best for | Simple integrations | Apps that already use JWTs |
| User data | Passed separately (email, name) | Embedded in token claims |
| Expiration | No built-in expiry | Token has exp claim |
| Refresh | Not needed | Use setIdentityTokenFetcher |

Never expose your HMAC secret in client-side code. Always compute signatures and sign tokens on your backend.
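
To make the table's user-data and expiration rows concrete, here is an added example (not Agentic Trust's code or API) that implements both schemes with Node's built-in crypto module and goes beyond the signing steps above by also showing the receiving-side checks: constant-time comparison, algorithm pinning, and expiry. All function names are hypothetical, and the secret and user values are supplied by the caller.

```javascript
// Added example, not Agentic Trust's code. Function names are hypothetical.
const crypto = require("node:crypto");

const mac = (secret, data, enc) =>
  crypto.createHmac("sha256", secret).update(data).digest(enc);
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constant-time comparison of two buffers; a length mismatch is a plain failure.
const sameBytes = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);

// HMAC mode: the signature covers the user ID and nothing else, and never expires.
function signUserId(secret, userId) {
  return mac(secret, userId, "hex");
}
function verifyUserId(secret, userId, presentedHex) {
  return sameBytes(Buffer.from(String(presentedHex), "hex"), mac(secret, userId));
}

// JWT mode: HS256 over header.payload, so sub, email, name and exp are all covered.
function issueIdentityToken(secret, user, nowSec, ttlSec = 3600) {
  const head = b64url({ alg: "HS256", typ: "JWT" });
  const body = b64url({ sub: user.id, email: user.email, name: user.name,
                        iat: nowSec, exp: nowSec + ttlSec });
  return `${head}.${body}.${mac(secret, `${head}.${body}`, "base64url")}`;
}

// Returns the claims, or null if the token is malformed, forged, or expired.
function verifyIdentityToken(secret, token, nowSec) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  if (!sameBytes(Buffer.from(sig, "base64url"), mac(secret, `${head}.${body}`))) return null;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
    if (header.alg !== "HS256") return null; // pin the algorithm
    if (!(typeof claims.exp === "number" && claims.exp > nowSec)) return null;
    return claims;
  } catch {
    return null;
  }
}
```

In HMAC mode the `email` and `name` fields sit outside the signed input, so only the ID is authenticated by the signature; in JWT mode every claim is inside the signed payload and the token stops verifying once `exp` passes.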