Script tag

Install the widget with one script.

Paste this before </body>:

<script
  src="https://assistify.chat/widget/widget.js"
  data-widget-id="WIDGET_ID"
  async
></script>

Find your widget ID in the dashboard under Widget → Settings → Credentials.

Pre-fill visitor identity

<script
  src="https://assistify.chat/widget/widget.js"
  data-widget-id="WIDGET_ID"
  data-user-email="[email protected]"
  data-user-name="Jane Doe"
  data-user-hash="HMAC_SHA256"
  async
></script>

Boot-time identity requires data-user-hash. Without it the backend ignores the identity and the session starts anonymous (the widget logs a console warning). To record an unverified identity instead, call window.Assistify.identify(...) after boot. See Identity verification.

Attribute
data-user-emailEmail
data-user-external-idYour system's user ID
data-user-nameDisplay name
data-user-avatarAvatar URL
data-user-discord-idDiscord ID
data-user-discord-usernameDiscord username
data-user-discord-avatarDiscord avatar
data-user-hashHMAC signature

CMS-friendly install

When your host strips data-* attributes (Shopify Liquid, Webflow, Squarespace), set the configuration on window instead:

<script>
  window.ASSISTIFY_CONFIG = { widgetId: 'WIDGET_ID' };
  window.ASSISTIFY_USER = {
    email:    '[email protected]',
    userHash: 'HMAC_SHA256_OF_EMAIL',
  };
</script>
<script src="https://assistify.chat/widget/widget.js" async></script>

Set both globals before the widget script tag, so they already exist when the loader reads them. Boot identity follows the same rule as the attributes: without userHash it is ignored.

Control the widget from code

Once the loader runs, the runtime is reachable at window.Assistify:

window.Assistify.identify({ email: '[email protected]', userHash: '...' });
window.Assistify.open();
window.Assistify.on('identified', ({ verified }) => console.log({ verified }));

Calls placed after the loader runs but before the runtime boots are queued and replayed. See JavaScript API for the complete method list.

Logout

window.Assistify.reset();

reset() clears the session server-side and locally, including any identity attributes the loader left on the page. The next boot is anonymous. See JavaScript API → reset().

Defer the loader

The script tag injects the runtime immediately. To gate it behind consent, a feature flag or anything in general : use the Assistify SDK and pass autoload: false: the loader script stays off the page until you call widget.load() or any other boot-triggering method (chat.open(), chat.close(), chat.toggle()).

Content Security Policy

script-src  https://assistify.chat;
connect-src https://assistify.chat wss://assistify.chat;
img-src     https://assistify.chat https://api.cloud.anewvision.fr https://cdn.discordapp.com https://lh3.googleusercontent.com https://icons.duckduckgo.com https://i.ytimg.com https://cdn-cf-east.streamable.com data: blob:;
style-src   'unsafe-inline' https://assistify.chat;
font-src    https://assistify.chat;
media-src   https://assistify.chat;
frame-src   https://www.youtube-nocookie.com https://streamable.com;

What each addition covers:

  • img-src https://api.cloud.anewvision.fr covers message attachments, agent/visitor avatars and uploaded widget assets, which are served from Assistify's file storage.
  • img-src blob: covers images the widget renders through object URLs (for example freshly captured uploads before they are persisted).
  • img-src https://cdn.discordapp.com covers avatars of visitors who arrive via Discord.
  • img-src https://lh3.googleusercontent.com covers agent avatars synced from a Google login.
  • img-src https://icons.duckduckgo.com covers the favicon shown next to links inside chat.
  • img-src https://i.ytimg.com https://cdn-cf-east.streamable.com covers the thumbnail of a shared video before a visitor clicks play.
  • style-src 'unsafe-inline' is required: the widget renders inside its own iframes and injects its stylesheet there, and those frames inherit your page's policy (Intercom and Crisp require the same directive for the same reason).
  • style-src https://assistify.chat and font-src cover the custom-font option, which loads its stylesheet and font files through the Assistify font proxy (no visitor request ever goes to Google).
  • media-src covers notification sounds.
  • frame-src https://www.youtube-nocookie.com https://streamable.com covers the inline player that opens when a visitor clicks a shared video.

Tell your visitors

Your privacy policy should mention the chat. See Visitor recognition → Your privacy policy for the two notices to link.