docs/platform/inbox/prepare-for-production.mdx
Before deploying the Inbox UI to production, you should secure your integration and configure the correct environment. You can also remove Novu's branding from your notifications.
This ensures that your end users receive notifications safely, without exposure to unnecessary risks, and in a way that aligns with your product branding.
Novu supports multiple environments, including development, production, and any custom environments you create.
When preparing for deployment, choose the environment that will serve as your production environment and update your configuration accordingly:
Use the API keys for your selected production environment from the API Keys page in your application.
Store keys in .env file or your server’s environment variables.
Confirm your applicationIdentifier and subscriber match the configuration for your chosen production environment.
Add these two props, if using the EU region:
apiUrl with value https://eu.api.novu.cosocketUrl with value wss://eu.socket.novu.coWhen you add the Inbox to your application, you're required to pass:
subscriberId: Identifies the current subscriber.applicationIdentifier: A public key to communicate with the notification feed API.You can prevent this by enabling HMAC (Hash-based Message Authentication Code) encryption. This process uses a secret key to create a secure signature (subscriberHash) for each subscriberId. Novu verifies this hash to authenticate feed requests and to authorize updates to subscriber profile fields (firstName, email, locale, data, and so on) passed via the subscriber prop. Without subscriberHash, new subscribers are created with those fields, but existing profiles are not updated.
Follow these steps to enable HMAC encryption.
Activate the HMAC security feature within your Novu in-app provider settings.
Security HMAC encryption toggle in Integration Credentials section.
Next, use your secret key from the API Keys page on the Novu dashboard to generate an HMAC-SHA256 hash of the subscriberId on the server side.
The hash is computed as HMAC-SHA256(secretKey, subscriberId) and returned as a lowercase hex string.
// The subscriberId of the logged-in user const subscriberId = 'REPLACE_WITH_SUBSCRIBER_ID';
// The secret key from your Novu API Keys page const novuSecretKey = process.env.NOVU_SECRET_KEY;
// Generate the HMAC hash const subscriberHash = createHmac('sha256', novuSecretKey) .update(subscriberId) .digest('hex');
</Tab>
<Tab title="Python">
```python title="utils/hmac_hash.py"
import hashlib
import hmac
import os
# The subscriberId of the logged-in user
subscriber_id = 'REPLACE_WITH_SUBSCRIBER_ID'
# The secret key from your Novu API Keys page
novu_secret_key = os.environ['NOVU_SECRET_KEY']
# Generate the HMAC hash
subscriber_hash = hmac.new(
novu_secret_key.encode('utf-8'),
subscriber_id.encode('utf-8'),
hashlib.sha256
).hexdigest()
// The subscriberId of the logged-in user subscriberID := "REPLACE_WITH_SUBSCRIBER_ID"
// The secret key from your Novu API Keys page novuSecretKey := os.Getenv("NOVU_SECRET_KEY")
mac := hmac.New(sha256.New, []byte(novuSecretKey)) mac.Write([]byte(subscriberID)) subscriberHash := hex.EncodeToString(mac.Sum(nil))
</Tab>
<Tab title="PHP">
```php title="utils/hmac-hash.php"
<?php
// The subscriberId of the logged-in user
$subscriberId = 'REPLACE_WITH_SUBSCRIBER_ID';
// The secret key from your Novu API Keys page
$novuSecretKey = getenv('NOVU_SECRET_KEY');
// Generate the HMAC hash
$subscriberHash = hash_hmac('sha256', $subscriberId, $novuSecretKey);
subscriber_id = 'REPLACE_WITH_SUBSCRIBER_ID'
novu_secret_key = ENV['NOVU_SECRET_KEY']
subscriber_hash = OpenSSL::HMAC.hexdigest('SHA256', novu_secret_key, subscriber_id)
</Tab>
<Tab title="Java">
```java title="utils/HmacHash.java"
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
public class HmacHash {
public static String getSubscriberHash(String subscriberId, String novuSecretKey) throws Exception {
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(new SecretKeySpec(novuSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
byte[] hash = mac.doFinal(subscriberId.getBytes(StandardCharsets.UTF_8));
return String.format("%064x", new BigInteger(1, hash));
}
}
// The subscriberId of the logged-in user string subscriberId = "REPLACE_WITH_SUBSCRIBER_ID";
// The secret key from your Novu API Keys page string novuSecretKey = Environment.GetEnvironmentVariable("NOVU_SECRET_KEY");
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(novuSecretKey)); byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(subscriberId)); string subscriberHash = BitConverter.ToString(hash).Replace("-", "").ToLower();
</Tab>
</Tabs>
#### With context
If you use [Inbox with context](/platform/inbox/configuration/inbox-with-context), also generate a hash for the context object. Context must be serialized as canonical JSON ([RFC-8259](https://datatracker.ietf.org/doc/html/rfc8259)) so key order and whitespace do not affect the hash.
```tsx title="utils/hmac-hash.ts"
import { createHmac } from 'crypto';
import { canonicalize } from '@tufjs/canonical-json';
// The subscriberId of the logged-in user
const subscriberId = 'REPLACE_WITH_SUBSCRIBER_ID';
// The secret key from your Novu API Keys page
const novuSecretKey = process.env.NOVU_SECRET_KEY;
// Generate the subscriber hash
const subscriberHash = createHmac('sha256', novuSecretKey)
.update(subscriberId)
.digest('hex');
const context = {
tenant: {
id: "acme-corp",
data: {
name: "Acme Corporation",
plan: "enterprise",
},
},
};
// Generate the context hash
const contextHash = createHmac('sha256', novuSecretKey)
.update(canonicalize(context))
.digest('hex');
Send the hmacHash generated in the previous step to the client side application. You can include it in the initial data payload when a subscriber or user logs in or fetch it from a dedicated API endpoint.
Pass the hash to the subscriberHash prop in your Inbox component.
// Example: The hmacHash is passed to the frontend // as part of the user object after they authenticate.
const { user } = currentUser(); const hmacHash = user?.novuSubscriberHash;
<Inbox applicationIdentifier="YOUR_APPLICATION_IDENTIFIER" subscriber={{ subscriberId: user.id, firstName: user.firstName, email: user.email, locale: user.locale, }} subscriberHash={hmacHash} />;
</Tab>
<Tab title="With Context">
```tsx title="components/InboxWithSubscriberAndContextHashes.tsx"
import { Inbox } from '@novu/react';
const { user } = currentUser();
const subscriberHash = user?.novuSubscriberHash;
const contextHash = user?.novuContextHash;
const context = {
tenant: {
id: "acme-corp",
data: {
name: "Acme Corporation",
plan: "enterprise",
},
},
};
<Inbox
applicationIdentifier="YOUR_APPLICATION_IDENTIFIER"
subscriber="YOUR_SUBSCRIBER_ID"
subscriberHash={subscriberHash}
context={context}
contextHash={contextHash}
/>
Users on a paid plan can remove the Novu branding from the Inbox UI and Emails.
<Note> Novu branding appears on Inbox UI, emails and [agents](/agents) messages. It does not change the content of SMS, push, or chat messages. </Note>To remove the branding:
If you see this toggle disabled, confirm that your organization is on a paid plan. This toggle is disabled on the free plan.