Stateless (Keyless) SSO

Security Warning!

Unlike Stateless SSO, Stateless (Keyless) SSO does not validate the user data sent by the client. You should only use this method if:

  • You do not have access to your website's back-end.
  • Your authentication provider uses secure random user IDs (ex: UUID) and keeps them private. (if user IDs are compromised, an attacker can use them to impersonate someone else in the comments section).

If your authentication provider supports it, consider using OpenID Connect SSO instead.

Stateless (Keyless) SSO works the same way as Stateless SSO except that it does not require sso-hash.



In the front-end, you have to set the sso-user attribute to a JSON-encoded base-64 encoded object. Here is a Javascript example.

const comments = document.querySelector('hyvor-talk-comments');

comments.setAttribute('sso-user', JSON.stringify({

    timestamp: Math.floor( / 1000),

    id: 'user-id',
    name: 'user-name',
    email: 'user-email',
    picture_url: 'user-picture-url',
    website_url: 'user-website-url',


You can see the user object definition here.