Articles on: Developers

How to automatically set users email addresses

Learn how to set an authenticated visitor email address from your website code.


When your website already knows the visitor email, you can pass it to Crisp so the customer does not need to type it again before starting a conversation.



Set the visitor email


Use the $crisp JavaScript SDK after the Crisp chatbox snippet is available on the page.


// Replace this value with the email from your own authenticated user data.
$crisp.push(["set", "user:email", ["user@example.com"]]);


Crisp expects a valid email address. If the value is invalid, the SDK may raise an error unless safe mode is enabled.



Example with PHP


When injecting the email from a backend template, escape it safely before printing it into JavaScript.


<script>
$crisp.push(["set", "user:email", [<?php echo json_encode($user_email); ?>]]);
</script>


This example assumes $user_email contains the authenticated user email.



Read the current email


You can read the visitor email from the SDK with:


var visitorEmail = $crisp.get("user:email");


Read the $crisp Methods documentation for more user setters and getters.



Verifying the email with a signed hash


To mark the visitor email as verified, pass a signed HMAC-SHA256 hash as the second argument. This prevents visitors from impersonating other users.


$crisp.push(["set", "user:email", ["user@example.com", "<hmac-sha256-hash>"]]);


The hash is computed server-side using your email secret key (available in your Crisp settings) and the visitor email as the message. Example using CryptoJS:


var hash = CryptoJS.HmacSHA256("user@example.com", emailSecret).toString();
$crisp.push(["set", "user:email", ["user@example.com", hash]]);


When the hash is valid, a green verified badge appears next to the email in the conversation.


Important edge cases:

  • If an email was already pushed to a conversation without a valid hash, it cannot be directly re-verified in that same conversation. Push a different (placeholder) email first, then push the correct email with its signed hash.
  • The email secret key can be regenerated from your Crisp settings at any time if it is compromised.



Verifying the email with a signed hash


To mark the visitor email as verified, pass a signed HMAC-SHA256 hash as the second argument. This prevents visitors from impersonating other users.


$crisp.push(["set", "user:email", ["user@example.com", "<hmac-sha256-hash>"]]);


The hash is computed server-side using your email secret key (available in your Crisp settings) and the visitor email as the message. Example using CryptoJS:


var hash = CryptoJS.HmacSHA256("user@example.com", emailSecret).toString();
$crisp.push(["set", "user:email", ["user@example.com", hash]]);


When the hash is valid, a green verified badge appears next to the email in the conversation.


Important edge cases:

  • If an email was already pushed to a conversation without a valid hash, it cannot be directly re-verified in that same conversation. Push a different (placeholder) email first, then push the correct email with its signed hash.
  • The email secret key can be regenerated from your Crisp settings at any time if it is compromised.

Updated on: 05/07/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!