Implementing User Verification

Get your shared secret

First, retrieve your shared secret, which is used to securely sign the user data in the payload.

1. Open the global settings by clicking Settings in the top-right corner of the Released overview page.

2. Go to the User verification section.

3. Copy your Shared Secret – you will use this to generate authentication tokens.

Generate an authentication token on your server

Next, generate an encrypted AUTH_TOKEN on your server to securely identify the user.

Send a POST request to the Released token API with your ACCOUNT_ID and the CURRENT_USER_EMAIL. The API responds with an AUTH_TOKEN for that user.

Include this token whenever you embed or load your Released portal. Tokens are valid for seven days; after that, you must generate a new token.

The CURRENT_USER_ID will be used to identify the user in Released. Make sure that this is a unique identifier for each user in your system. User profiles in Released will use this identifier to match users.

Profile information

You can provide optional profile information in the request body to customize the user profile in Released.

{
  "account_id": "ACCOUNT_ID",
  "user_id": "CURRENT_USER_ID",
  "user_email": "CURRENT_USER_EMAIL",
  "profile": {
    "name": "The display name",
    "avatar_url": "https://example.com/avatar.png"
  }
}

Request body requirements

• user_id must be unique for each user in your system. The ID cannot be empty but cannot exceed 255 characters. It must match the following regular expression: ^[a-zA-Z0-9:_-]{1,255}$.

• user_email must be the email address of the user.

• (optional) profile.name must be a string with a maximum length of 200 characters if the field is provided.

• (optional) profile.avatar_url must be a valid URL if the field is provided.

Example request (Node.js)

const response = await fetch("https://accounts.releasedhub.com/auth/api/impersonation/token", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer SHARED_SECRET" // Your shared secret
  },
  body: JSON.stringify({
    account_id: "ACCOUNT_ID", // Your Released Account ID 
    user_id: "CURRENT_USER_ID", // ID of the current authenticated user
    user_email: "CURRENT_USER_EMAIL" // Email of the current authenticated user 
    profile: {
      name: "The display name", // The display name of the user
      avatar_url: "https://example.com/avatar.png" // The avatar URL of a user profile picture
    }
  }),
});

const json = await response.json();
console.log(json);

You can find the SHARED_SECRET and ACCOUNT_ID values in the User verification settings in Released. The CURRENT_USER_EMAIL value should be filled in dynamically using the details of the authenticated user in your app or site.

Pass the authentication token with the embed tag

Once you’ve generated the token, include it when embedding your portal. It’s valid for 2 minutes and is exchanged for a 7‑day session.

<released-page auth-token="AUTH_TOKEN"></released-page>