Your identify secret is the key CornerSpot uses to trust a signed-in visitor. When you call Cornerspot.chat.identify() from your host page, you pass a userHash computed on your server as HMAC-SHA256(secret, userId), and the identify secret is the secret used in that computation. This guide shows you how to view it and how to rotate it safely when you need a fresh one.
View and rotate your chat widget identify secret
The secret lives on the Identify Secret tab of Live Chat Settings at /dashboard/chat/settings/identify. Here's the full flow, start to finish.
1. Open the Identify Secret tab
From Live Chat Settings, open the Identify Secret tab. The “Widget identify secret” card shows your Current secret, always displayed masked (for example •••• •••• 4f9c, or — if you've never set one) so the full value is never exposed on screen. If you've rotated before, a Last rotated timestamp appears below it.

2. Click “Rotate secret”
When you need to replace the secret, click Rotate secret. Rotating mints a brand-new secret and invalidates the old one (after a grace window — see below), so every host page that computes userHash will need the new value.

3. Confirm by typing “ROTATE”
Because rotating is irreversible, a confirmation dialog asks you to type ROTATE exactly before the destructive button enables. This deliberate step prevents an accidental rotation. The dialog also reminds you that visitors mid-conversation silently downgrade to anonymous identity but will not lose their chat.


4. Copy the new secret — it's shown only once
After you confirm, CornerSpot mints the new secret and shows it once in a “New secret minted” card with a Copy button. Copy it now — the plaintext value won't be retrievable later. If you lose it before saving, you'll have to rotate again. Once you've stored it safely, click I've saved it to dismiss the reveal.
The 24-hour grace window
To let you deploy the change without downtime, the previous secret keeps verifying for 24 hours after a rotation. During this grace window the card shows a “Previous secret still valid (24 hour grace window)” banner. That gives you time to update your host pages' userHash generation to use the new value before the old one stops working — there's no coordinated cutover required, and visitors who are mid-conversation are not disconnected.
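The following is an added example, not CornerSpot's own code: it computes userHash on the server as HMAC-SHA256(secret, userId) and models how a verifier could accept the previous secret only during the 24-hour grace window. The hex output encoding, the UTF-8 input encoding, the verify_user_hash function and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

GRACE_SECONDS = 24 * 60 * 60  # the 24-hour grace window described in this guide


def compute_user_hash(secret: str, user_id: str) -> str:
    """HMAC-SHA256(secret, userId). Hex output and UTF-8 input are assumptions."""
    mac = hmac.new(secret.encode("utf-8"), user_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def verify_user_hash(user_id, user_hash, current, previous=None,
                     rotated_at=None, now=None):
    """Hypothetical model of the verifier: the current secret always counts,
    the previous one only while the grace window is open."""
    now = time.time() if now is None else now
    secrets = [current]
    in_grace = rotated_at is not None and 0 <= now - rotated_at < GRACE_SECONDS
    if previous is not None and in_grace:
        secrets.append(previous)
    supplied = user_hash.encode("utf-8")
    ok = False
    for secret in secrets:
        expected = compute_user_hash(secret, user_id).encode("ascii")
        # compare_digest is constant-time; no early exit on the first match
        ok |= hmac.compare_digest(expected, supplied)
    return ok


# Constructed sample values, not real secrets or CornerSpot output.
OLD_SECRET = "constructed-old-secret"
NEW_SECRET = "constructed-new-secret"
ROTATED_AT = 1_700_000_000  # constructed rotation time (Unix seconds)

if __name__ == "__main__":
    stale = compute_user_hash(OLD_SECRET, "user-42")   # host page not yet redeployed
    fresh = compute_user_hash(NEW_SECRET, "user-42")   # host page already redeployed
    for label, hours in (("1h after rotation", 1), ("25h after rotation", 25)):
        now = ROTATED_AT + hours * 3600
        args = dict(current=NEW_SECRET, previous=OLD_SECRET,
                    rotated_at=ROTATED_AT, now=now)
        print(label, "old:", verify_user_hash("user-42", stale, **args),
              "new:", verify_user_hash("user-42", fresh, **args))
```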
Good to know
- The secret is never shown in full after creation. The card always displays it masked; the only time you see the plaintext is the one-time reveal right after rotating.
- Compute the userHash on your server, never in the browser. Exposing the secret in client-side code would let anyone forge an identity.
- Rotation can't be undone. There's no “un-rotate” — once you mint a new secret the old one is on its 24-hour countdown.
- See the Embedding tab for the optional identify snippet you copy into your host page, and the single-page-app update snippet for route changes.
