Script tag
Install the widget with one script.
Paste this before </body>:
<script
src="https://assistify.chat/widget/widget.js"
data-widget-id="WIDGET_ID"
async
></script>Find your widget ID in the dashboard under Widget → Settings → Credentials.
Pre-fill visitor identity
<script
src="https://assistify.chat/widget/widget.js"
data-widget-id="WIDGET_ID"
data-user-email="[email protected]"
data-user-name="Jane Doe"
data-user-hash="HMAC_SHA256"
async
></script>Boot-time identity requires data-user-hash. Without it the backend ignores the identity and the session starts anonymous (the widget logs a console warning). To record an unverified identity instead, call window.Assistify.identify(...) after boot. See Identity verification.
| Attribute | |
|---|---|
data-user-email | |
data-user-external-id | Your system's user ID |
data-user-name | Display name |
data-user-avatar | Avatar URL |
data-user-discord-id | Discord ID |
data-user-discord-username | Discord username |
data-user-discord-avatar | Discord avatar |
data-user-hash | HMAC signature |
CMS-friendly install
When your host strips data-* attributes (Shopify Liquid, Webflow, Squarespace), set the configuration on window instead:
<script>
window.ASSISTIFY_CONFIG = { widgetId: 'WIDGET_ID' };
window.ASSISTIFY_USER = {
email: '[email protected]',
userHash: 'HMAC_SHA256_OF_EMAIL',
};
</script>
<script src="https://assistify.chat/widget/widget.js" async></script>Set both globals before the widget script tag, so they already exist when the loader reads them. Boot identity follows the same rule as the attributes: without userHash it is ignored.
Control the widget from code
Once the loader runs, the runtime is reachable at window.Assistify:
window.Assistify.identify({ email: '[email protected]', userHash: '...' });
window.Assistify.open();
window.Assistify.on('identified', ({ verified }) => console.log({ verified }));Calls placed after the loader runs but before the runtime boots are queued and replayed. See JavaScript API for the complete method list.
Logout
window.Assistify.reset();reset() clears the session server-side and locally, including any identity attributes the loader left on the page. The next boot is anonymous. See JavaScript API → reset().
Defer the loader
The script tag injects the runtime immediately. To gate it behind consent, a feature flag or anything in general : use the Assistify SDK and pass autoload: false: the loader script stays off the page until you call widget.load() or any other boot-triggering method (chat.open(), chat.close(), chat.toggle()).
Content Security Policy
script-src https://assistify.chat;
connect-src https://assistify.chat wss://assistify.chat;
img-src https://assistify.chat https://api.cloud.anewvision.fr https://cdn.discordapp.com https://lh3.googleusercontent.com https://icons.duckduckgo.com https://i.ytimg.com https://cdn-cf-east.streamable.com data: blob:;
style-src 'unsafe-inline' https://assistify.chat;
font-src https://assistify.chat;
media-src https://assistify.chat;
frame-src https://www.youtube-nocookie.com https://streamable.com;
What each addition covers:
img-src https://api.cloud.anewvision.frcovers message attachments, agent/visitor avatars and uploaded widget assets, which are served from Assistify's file storage.img-src blob:covers images the widget renders through object URLs (for example freshly captured uploads before they are persisted).img-src https://cdn.discordapp.comcovers avatars of visitors who arrive via Discord.img-src https://lh3.googleusercontent.comcovers agent avatars synced from a Google login.img-src https://icons.duckduckgo.comcovers the favicon shown next to links inside chat.img-src https://i.ytimg.com https://cdn-cf-east.streamable.comcovers the thumbnail of a shared video before a visitor clicks play.style-src 'unsafe-inline'is required: the widget renders inside its own iframes and injects its stylesheet there, and those frames inherit your page's policy (Intercom and Crisp require the same directive for the same reason).style-src https://assistify.chatandfont-srccover the custom-font option, which loads its stylesheet and font files through the Assistify font proxy (no visitor request ever goes to Google).media-srccovers notification sounds.frame-src https://www.youtube-nocookie.com https://streamable.comcovers the inline player that opens when a visitor clicks a shared video.
Tell your visitors
Your privacy policy should mention the chat. See Visitor recognition → Your privacy policy for the two notices to link.