Backend Token Authentication

Backend token authentication lets you secure the Notification Center widget using your own auth system. Your backend generates an HMAC token with the Node.js SDK, and the frontend passes it to the widget to prove the user’s identity.
This is the recommended approach for production applications. It ensures that only your backend can authorize widget connections.

How it works

1. User logs in
   Your app authenticates the user through your existing auth system.

2. Backend generates token
   Your backend calls client.generateHashedToken(userId) using the Node.js SDK.

3. Token sent to frontend
   Your backend returns the token to the frontend (e.g. in the login response or via a dedicated endpoint).

4. Widget authenticates
   The frontend passes the token, userId, and userEmail to the widget. Notifizz verifies the token matches the claimed identity.

Backend setup

Install the Node.js SDK and generate a token for each authenticated user:
const { NotifizzClient } = require("@notifizz/nodejs");

const client = new NotifizzClient("YOUR_AUTH_SECRET_KEY", "YOUR_SDK_SECRET_KEY");

// In your login endpoint or user session handler:
const token = client.generateHashedToken("user_42");
// Return this token to your frontend

generateHashedToken() produces a SHA-256 HMAC hash derived from the user ID and your Auth Secret Key. It is deterministic: the same user ID always produces the same token.

Frontend setup

Pass the token and user identity to the widget:
<NotifizzInbox
  options={{
    apiKey: "YOUR_FRONT_API_KEY",
    authType: "backendToken",
    token: tokenFromBackend,
    userId: "user_42",
    userEmail: "alice@example.com",
  }}
/>

Required fields

| Field | Type | Description |
|---|---|---|
| authType | "backendToken" | Must be set to "backendToken". |
| token | string | The HMAC token from generateHashedToken(). |
| userId | string | The user’s unique identifier (must match the ID used to generate the token). |
| userEmail | string | The user’s email address. |

Security considerations

Never expose your Auth Secret Key on the frontend. Token generation must always happen server-side.
The token is tied to a specific user ID. If someone intercepts a token, they can only access notifications for that user — they cannot impersonate another user without a valid token for that ID.
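
The following added example (not code from the Notifizz SDK or docs) sketches both sides of the exchange described in "How it works" and in the considerations above: a dedicated token endpoint that takes the user ID from the server-side session rather than from the request, and a verifier that recomputes the HMAC for the claimed ID. The names hashedTokenStandIn, issueWidgetCredentials and verifyClaim, the hex encoding, and the secret value are assumptions; in a real backend the token comes from client.generateHashedToken().

```javascript
// Added example: stand-in for the SDK call, built only from the page's description
// (HMAC-SHA256 over the user ID, keyed with the Auth Secret Key). Hex output is an assumption.
const crypto = require("node:crypto");

const AUTH_SECRET_KEY = "constructed-demo-secret"; // constructed value; stays server-side

function hashedTokenStandIn(userId, key = AUTH_SECRET_KEY) {
  return crypto.createHmac("sha256", key).update(String(userId)).digest("hex");
}

// Hypothetical handler body for a dedicated token endpoint.
// The identity comes from the server-side session only; anything the client
// sends in the request body (e.g. a userId field) is ignored.
function issueWidgetCredentials(session, _requestBody) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "not authenticated" } };
  }
  return {
    status: 200,
    body: {
      userId: session.userId,
      userEmail: session.email,
      token: hashedTokenStandIn(session.userId),
    },
  };
}

// Sketch of the verifying side: recompute the HMAC for the claimed userId
// and compare in constant time.
function verifyClaim(userId, token, key = AUTH_SECRET_KEY) {
  const expected = Buffer.from(hashedTokenStandIn(userId, key), "hex");
  const given = Buffer.from(String(token), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed session, and a request body that names a different user.
const session = { userId: "user_42", email: "alice@example.com" };
const res = issueWidgetCredentials(session, { userId: "user_1" });
console.log(res.body.userId);                          // user_42
console.log(verifyClaim("user_42", res.body.token));   // true
console.log(verifyClaim("user_1", res.body.token));    // false
```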

Next steps

Node.js SDK

Full reference for generateHashedToken() and other methods.

Firebase authentication

Alternative: authenticate with Firebase ID tokens.