Skip to main content

Security

Protect your Pexelize integration with HMAC-based identity verification. Generate signatures on your server using your Security Key to verify that each end user is who they claim to be.

Security Key

Your Security Key is available in the Security tab of your Pexelize dashboard. It is used to generate HMAC signatures on your server to verify end-user identity.

Keep your Security Key secret

Never expose the Security Key in client-side code. It must only be used on your server.

Regenerating your key

Clicking Regenerate in the dashboard creates a new Security Key and invalidates all existing identity signatures. Any active sessions relying on the old key will fail verification. Plan a coordinated rollover if you regenerate in production.

How it works

  1. When a user loads the editor, your server generates an HMAC-SHA256 signature using the Security Key and the user's unique identifier.
  2. The signature is passed to the Pexelize editor alongside the user ID.
  3. Pexelize verifies the signature server-side before granting access, ensuring the request is authentic and has not been tampered with.

Generating the HMAC signature

Compute an HMAC-SHA256 hash of the user's identifier using your Security Key.

import crypto from 'crypto';

const SECURITY_KEY = process.env.PEXELIZE_SECURITY_KEY!;

function generateIdentitySignature(userId: string): string {
  return crypto
    .createHmac('sha256', SECURITY_KEY)
    .update(userId)
    .digest('hex');
}

// Express example
app.get('/api/pexelize-token', (req, res) => {
  const userId = req.user.id; // from your auth middleware
  const signature = generateIdentitySignature(userId);
  res.json({ userId, signature });
});

Passing the signature to the editor

Fetch the signature from your server and provide it via the identity option.

import { useEffect, useState, useRef } from 'react';
import { PexelizeEditor, PexelizeEditorRef } from '@pexelize/react-editor';

function SecureEditor() {
  const editorRef = useRef<PexelizeEditorRef>(null);
  const [identity, setIdentity] = useState<{
    userId: string;
    signature: string;
  } | null>(null);

  useEffect(() => {
    fetch('/api/pexelize-token')
      .then((res) => res.json())
      .then(setIdentity);
  }, []);

  if (!identity) return <div>Loading...</div>;

  return (
    <PexelizeEditor
      ref={editorRef}
      editorKey="pk_your_key"
      editorMode="email"
      identity={{
        userId: identity.userId,
        signature: identity.signature,
      }}
    />
  );
}

Key rotation

When you click Regenerate in the dashboard:

  1. A new Security Key is issued immediately.
  2. All existing signatures become invalid.
  3. Users with active sessions will need to re-authenticate.

To minimize disruption during rotation:

  1. Deploy your server update with the new key.
  2. Click Regenerate in the dashboard.
  3. Active users will automatically re-verify on their next interaction.
Zero-downtime rotation

If your application cannot tolerate any verification failures, support both old and new keys briefly by accepting signatures from either key during the transition window, then remove the old key.

Troubleshooting

SymptomCauseFix
IDENTITY_VERIFICATION_FAILEDSignature mismatchEnsure the user ID passed to the editor matches exactly what was signed on the server
IDENTITY_SIGNATURE_EXPIREDKey was regeneratedUpdate your server with the new Security Key from the dashboard
IDENTITY_MISSINGNo identity providedPass the identity option with both userId and signature

Next steps

  • Collaboration -- add role-based permissions alongside identity verification
  • Image Upload -- secure upload endpoints with the same user identity
  • Iframe & CSP -- configure Content Security Policy headers