DocumentationNovu Documentation
PlatformGuidesFrameworkCommunityAPI Reference
Sign InSign Up

GitHubnovuhq/novu

37.1K

Production Setup for React

Learn how to prepare your React notification inbox for production deployment including HMAC encryption and security best practices.

HMAC Encryption

When Novu's user adds the Inbox to their application they are required to pass a subscriberId which identifies the user's end-customer, and the application Identifier which is acted as a public key to communicate with the notification feed API.

A malicious actor can access the user feed by accessing the API and passing another subscriberId using the public application identifier.

HMAC encryption will make sure that a subscriberId is encrypted using the secret API key, and those will prevent malicious actors from impersonating users.

Enabling HMAC Encryption

In order to enable Hash-Based Message Authentication Codes, you need to visit the admin panel In-App settings page and enable HMAC encryption for your environment.

  1. Next step would be to generate an HMAC encrypted subscriberId on your backend:
import { createHmac } from 'crypto';
 
const hmacHash = createHmac('sha256', process.env.NOVU_SECRET_KEY)
  .update(subscriberId)
  .digest('hex');
  1. Then pass the created HMAC to your client side application forward it to the component:
import { Inbox } from '@novu/react';
 
<Inbox
  applicationIdentifier="YOUR_APPLICATION_IDENTIFIER"
  subscriber="YOUR_SUBSCRIBER_ID"
  subscriberHash="YOUR_SUBSCRIBER_ID_HASH_VALUE"
/>;

If HMAC encryption is active in In-App provider settings and subscriberHash along with subscriberId is not provided, then Inbox will not load

Hooks

Learn how to build a custom notifications UI using React hooks powered by Novu

Migration Guide

This guide outlines the key differences between the `@novu/notification-center` package and the new `@novu/react` package. Follow the steps below to migrate your application to the latest version.

On this page

Edit this page on GitHub