Gigya Job Openings

Integrating 3rd party plugins using login events

Skip to end of metadata
Go to start of metadata



It often becomes necessary to verify the authenticity of user data returned by Gigya's servers to ensure that the data has not been tampered with via malicious client-side scripts or other factors. This is usually a very straightforward practice, as explained in our security guidelines. However, this process requires access to the site's secret key, which 3rd party providers do not have access to. The socialize.exchangeUIDSignature API method was created for this purpose; to allow 3rd party providers to request that user data be re-signed by Gigya using an application key and secret to which they have access, allowing them to verify the authenticity of the data and ensure it has not been tampered with.

Application Keys

Third-party applications need to send their application key along with any request to Gigya's servers. Application keys and secrets are generated in the Gigya console. See Console Administration for more information.


The basic workflow for a 3rd party provider to validate a UID is a follows:

  1. A website presents a user with a login UI (e.g., socialize.showLoginUI) from which the user logs in to the site.
  2. Upon successful login, Gigya returns a User object containing, amongst other things, the user's UID.
  3. The 3rd party provider, having registered for the onLogin event on the client-side (see code example below) gets the User object, but has no way of verifying its authenticity because the UID signature was created using the site secret, which the provider does not have access to.
  4. The 3rd party provider uses the socialize.exchangeUIDSignature  REST API to send the current UID, UID signature and signature timestamp to Gigya to be re-signed using the provider's application key.
  5. Gigya re-signs the data using the provider's application key.
  6. The 3rd party provider can now verify the authenticity of the UID using their application secret.

Code Example


<!DOCTYPE html>
<html xmlns="">

    <!-- gigya.js script should only be included once -->
    <!-- If running this code on your own system, make sure to replace the API key with your own -->
    <script type="text/javascript" src="">
    * This function is registered as the event handler and called once login is complete.
    * @param {object} usr The user object passed back from Gigya upon successful login
    function loggedIn(usr) {     

        var msgText = 'Welcome ' + usr.user.firstName + ' ' + usr.user.lastName + '.<br/>If you can see this, login was successful!';
        msgText += '<br/>Your UID is: ' + usr.user.UID;
        msgText += '<br/>Your UIDSignature is:' + usr.user.UIDSignature;
        msgText += '<br/>Timestamp is:' + usr.user.signatureTimestamp;
        document.getElementById('successDiv').innerHTML = msgText;

        /* The handlerPageURL is the page on the back-end that will take the info from the user
         * object, send it to be re-signed using the application key, then verify the new signature using
         * the application secret.
         * When modifying this url to reflect your own environment, make sure the parameters remain the same.

        var handlerPageURL = 'http://localhost:2372/handlerPage.php?UID=' + encodeURIComponent(usr.user.UID) + '&UIDSignature='
                             + encodeURIComponent(usr.user.UIDSignature) + '&signatureTimestamp=' + usr.user.signatureTimestamp;
        document.getElementById("thirdParty").src = handlerPageURL;
        onLogin: loggedIn

    Hello everybody. Gigya is awesome!


    <input id="myBtn" type="submit" value="Click me to start login" onclick="showUI()" />

        function showUI() {
            var params = {
                version: 2,
                width: '200px',
                enabledProviders: 'facebook, linkedin, twitter'

    <br/><br/><br/><br /><br /><br /><br /><br /><br />

    <div id="successDiv">Not Logged In Yet!</div>

    <br/><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />

<!-- This is the iframe containing our 3rd party plugin -->
<iframe id="thirdParty" src=""></iframe>





// Include Gigya's PHP SDK.

* Setting up our constants
* @const APIKEY The sites API key.
* @const APPKEY The application-specific key issued to the 3rd party provider.
* @const APPSECRET The secret key issued to the 3rd party provider.
* The APPKEY and APPSECRET are used for generating and verifying the signature.

const APIKEY = '3_LjdQE99IUyS2dBlbYJ7tPKb_HtPk-s5HbptF45CNR6d0wI7BE54wHgH7Vyqdyinq';
const APPKEY = 'AMoghLvpkP0c';
const APPSECRET = 'DUsrX01RNDweF6hWkIbrO79BQdj2EeHK';

* Getting the data passed to our page, which contains the original signature. We can't verify this signature because
* it's signed using the partner secret, which the 3rd party provider doesn't have access to.
* @var {string} uid The UID passed to the page.
* @var {string} uidSignature The UID Signature passed to the page.
* @var {string} signatureTimestamp The timestamp associated with the UID Signature passed to the page.

$uid = urldecode($_REQUEST["UID"]);
$uidSignature = urldecode($_REQUEST["UIDSignature"]);
$signatureTimestamp = $_REQUEST["signatureTimestamp"];

$method = "socialize.exchangeUIDSignature";

$request->setParam("uid", $uid);
$request->setParam("uidSignature", $uidSignature);
$request->setParam("signatureTimestamp", $signatureTimestamp);
$request->setParam("userKey", APPKEY);

// Send the current signature to Gigya to be re-signed using our 3rd party app info.
$response = $request->send();

// Check to see if Gigya returned a valid response.
if ($response->getErrorCode()==0)
    // No error. Let's verify the authenticity of the UID.
    $isValid = SigUtils::validateUserSignature($response->getString("UID",""), $response->getString("signatureTimestamp",""), APPSECRET, $response->getString("UIDSignature",""));
        if ($isValid){
        // The UID is valid and hasn't been tampered with. Do something useful with the data
        echo "3rd Party Provider <br/> UID Validated <br/>" ;
        echo "The new UIDSignature is: ".$response->getString("UIDSignature","");
        // Something isn't right. The UID may be forged or otherwise tampered with.
        echo "HELP! UID Not Validated!" ;
    // Something went wrong
    echo "Uh oh, exchangeUIDSignature returned an error";
    echo "<br/>";
    echo $response;