
Securing Surveys with Secret & User Keys

Learn how to secure your users' data in surveys with "Logged-in users" targeting

Written by Kasia
Updated over 6 months ago

Using secret keys protects your respondents from being impersonated by third parties in surveys with "Logged-in users" targeting. We recommend enabling this feature to secure your users' data.

How does it work?

When secret keys are enforced, Survicate validates a server-side generated HMAC (Hash-based Message Authentication Code) for each logged-in user.

This prevents one user from impersonating another and answering surveys as somebody else.


What Are Secret Keys and User Keys?

  • User ID – the unique public identifier of your user. It can take any form (name, number, email) as long as it is unique.

  • Secret Key – a private key securely stored in your backend. It's used to generate a secure signature that confirms the user's identity before the survey is shown.

  • User Key (HMAC) – a secure hash generated by applying HMAC‑SHA256 to the User ID, using your Secret Key as the cryptographic key. It ensures that the user identity is authentic.

Set up

1. Navigate to Settings -> Access Keys -> Secret Key and create a new secret key

❗ Please keep in mind that the secret key is confidential. Never share it publicly, expose it in frontend code (including mobile apps), or store it in unsecured locations. It should always be kept safe on the server side.

2. Copy your Secret Key - you’ll use it to generate HMAC signatures.

3. For each logged-in user, generate a User Key (HMAC) on your server by computing HMAC-SHA256 over the user's ID with your Secret Key as the key, using a cryptographic hashing function or library of your choice.

4. Everywhere you pass user data to Survicate (for example, in your website script or SDK integration), include both the user ID and the generated User Key.

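_sva.setVisitorTraits({
  // The same ID your backend signed
  user_id: "Your user ID here",
  // Placeholder: insert the value your server computed, never compute it in the browser
  user_key: "HMAC(user_id, secret_key)"
})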

5. You can enforce secret keys by toggling on the option "Enforce secret keys for logged-in user targeting".

❗ Although it's not obligatory, we strongly recommend keeping this feature enforced to protect your users and ensure trustworthy data collection.
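
Steps 3 and 4 on the server side, as an added Node.js example (not Survicate's own code); it also shows why a User Key issued for one ID is rejected for another. Assumptions: hex output encoding, which this page does not specify, and a hypothetical environment variable name SURVICATE_SECRET_KEY; all sample values are constructed.

```javascript
// Added example (Node.js, server side). Not Survicate's own code.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Assumption: the secret is supplied through an environment variable; the
// variable name is hypothetical. It must never reach browser or mobile code.
function loadSecretKey(env = process.env) {
  const key = env.SURVICATE_SECRET_KEY;
  if (!key) throw new Error("SURVICATE_SECRET_KEY is not set");
  return key;
}

// User Key = HMAC-SHA256(message = user ID, key = Secret Key).
// Assumption: hex output encoding; the page does not state the encoding.
function computeUserKey(userId, secretKey) {
  if (userId === undefined || userId === null || userId === "") {
    throw new Error("user ID is required");
  }
  // Sign the exact string that is sent as user_id: "42" and "42 " differ.
  return createHmac("sha256", secretKey).update(String(userId), "utf8").digest("hex");
}

// Traits for the page's _sva.setVisitorTraits() call, built per request and
// only for the user of the authenticated session.
function buildVisitorTraits(sessionUserId, secretKey) {
  const user_id = String(sessionUserId);
  return { user_id, user_key: computeUserKey(user_id, secretKey) };
}

// How a verifier could check a key (illustration only): recompute the HMAC
// and compare in constant time.
function isValidUserKey(userId, userKey, secretKey) {
  const expected = Buffer.from(computeUserKey(userId, secretKey), "hex");
  const given = Buffer.from(String(userKey), "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample values, for demonstration only.
const demoSecret = "constructed-demo-secret";
const alice = buildVisitorTraits("alice@example.com", demoSecret);
console.log(JSON.stringify(alice));
// Alice's key presented with Bob's ID fails, which is what stops impersonation.
console.log(isValidUserKey("bob@example.com", alice.user_key, demoSecret)); // false
```

If the survey does not appear with keys enforced, compare the string your backend signed with the `user_id` actually sent in the traits: any difference in type, case or whitespace produces a different User Key.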

Troubleshooting

Survey not displaying for logged-in users:
Check that your backend is generating the HMAC signature correctly and that you’re passing both user_id and user_key in the traits.

What happens if the user key is missing and the secret key is enforced?

Without user_key, the user isn't verified, backend targeting isn't triggered, and no survey is shown.

📞 If you have any questions or need help with your survey, feel free to reach out to our team at support@survicate.com or strike up a chat conversation!
