User Verification in Messaging for Web

To learn about and set up User Verification, see User Verification in Salesforce Help.

Configure your web client so you can personalize and secure the conversation between a verified user and an agent. See the Messaging for Web Event Listeners reference for details.

  1. Add event listeners for onEmbeddedMessagingReady and onEmbeddedMessagingIdentityTokenExpired to your website’s code or to the Code Snippet. See Get Started With APIs for Messaging for Web.

    When you receive an onEmbeddedMessagingReady event, the API is ready for requests.

  2. After you receive an onEmbeddedMessagingReady event, pass your identity token to the API by using the setIdentityToken method.

    Create the identity token and set its expiration time with the authorization mechanism of your choice.

    Call this method for every tab or window where you want the user to have an authenticated conversation. Because the identity token is stored in the browser’s memory, you must call this method after a page refresh. JWTs must be signed using the RS256 algorithm.

    The conversation button is rendered after the API receives a valid identity token. The API generates a Salesforce authorization token when the user clicks the button, and the session starts.

    The Salesforce token has a separate expiration time, determining how long the session stays active. You can edit this expiration time in Messaging Settings in Setup in the Authorization Token Expiration Time for Verified Users field. The default is 60 minutes.

  3. If you interact with the web client after both the Salesforce token and the identity token have expired, the client dispatches the onEmbeddedMessagingIdentityTokenExpired event, but you can keep the session active. To keep the session active, send a new identity token to the API within 30 seconds of the onEmbeddedMessagingIdentityTokenExpired event by using the setIdentityToken method as before.

  4. When the user logs out, call the clearSession method. This method clears all messaging and user data from all tabs and windows.

    You don’t have to call the clearSession method. When the client doesn’t receive a new identity token within 30 seconds of dispatching the onEmbeddedMessagingIdentityTokenExpired event, the client clears the session.

  5. Listen for the onEmbeddedMessagingReady event again to know when the API is ready for another conversation.

This sample code shows how to implement the key steps that verify a user for a messaging conversation. To determine where to add this code to your web page, see Get Started With APIs for Messaging for Web. For more code snippet settings, see the settings reference documentation.

Call setIdentityToken for every tab or window where you want access to the authorized messaging conversation. Call clearSession when the user logs out.
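
The listener wiring from steps 1 to 5, with a client-side preflight that refuses to forward a token whose header is not RS256 or whose exp has passed. This is an added example, not Salesforce's sample code, and the preflight does not verify the signature. Assumptions: the helper names (decodeSegment, tokenProblem, wireUserVerification, fetchJwt) are hypothetical, and the { identityTokenType, identityToken } argument shape follows the Messaging for Web API reference rather than anything shown on this page.

```javascript
// Added example. Hypothetical names: decodeSegment, tokenProblem,
// wireUserVerification, fetchJwt.

// Decode one base64url JWT segment to an object. This does NOT verify the signature.
function decodeSegment(segment) {
  return JSON.parse(atob(segment.replace(/-/g, "+").replace(/_/g, "/")));
}

// Return a reason string if the token should not be sent, or null if it passes.
function tokenProblem(jwt, nowSeconds) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return "not a three-part JWT";
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (e) {
    return "undecodable header or payload";
  }
  if (header?.alg !== "RS256") return "alg is " + header?.alg + ", expected RS256";
  if (typeof payload?.exp !== "number") return "missing exp claim";
  if (payload.exp <= nowSeconds) return "token already expired";
  return null;
}

// target: window in the browser. api: object exposing setIdentityToken/clearSession.
// fetchJwt: async function returning a fresh identity token from your own backend.
function wireUserVerification(target, api, fetchJwt) {
  async function pushToken() {
    const jwt = await fetchJwt();
    const problem = tokenProblem(jwt, Math.floor(Date.now() / 1000));
    if (problem) {
      // Log the reason only, never the token itself.
      console.warn("Identity token not sent: " + problem);
      return false;
    }
    api.setIdentityToken({ identityTokenType: "JWT", identityToken: jwt });
    return true;
  }
  // Steps 2 and 5: send the token whenever the API reports that it is ready.
  target.addEventListener("onEmbeddedMessagingReady", pushToken);
  // Step 3: the client waits 30 seconds for a replacement before clearing the session.
  target.addEventListener("onEmbeddedMessagingIdentityTokenExpired", pushToken);
  // Step 4: call logout() from the site's sign-out handler.
  return { pushToken, logout: () => api.clearSession() };
}
```

In the page, pass window, embeddedservice_bootstrap.userVerificationAPI (the bootstrap object exposed by the Code Snippet), and a function that fetches a fresh JWT from your backend. Because the token lives only in the tab's memory, run this wiring in every tab or window that hosts the conversation.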

If your Messaging for Web deployment is on an Experience Cloud site, follow the instructions in Salesforce Help to add JavaScript code to the head markup section of your site. See Configure a Messaging for Web Deployment in an Experience Builder Site in Salesforce Help.