[Solved] WordPress Plugin (Error 400): Missing "Hashed" API Token if "Secure Mode" is enabled.

Hi,

Anyone using the Tawk.To WordPress plugin with “Secure Mode” enabled in their dashboard on the Tawk.To website is currently seeing the WordPress plugin throw a constant 400 error in the browser's console log.

Simply put, the plugin is not hashing the API_TOKEN when it's being passed to the API from the Plugin, it seems.

Online solutions for those directly interacting with the API have resolved this by simply hashing the value like so: hash_hmac("sha256","admin_email@domain.com","AI_TOKEN_KEY");

This needs resolving, as all chats are otherwise potentially (very likely) insecure until this is resolved, if the widget loads at all for users.


Hi @StevenWillett,

Thanks for bringing this to our attention.

We’ve released Tawk.to WordPress Plugin version 0.9.0, which includes support for Secure Mode. If Secure Mode is enabled and visitor recognition is turned on, make sure to add your JS API Key in the plugin settings. This will ensure the widget loads correctly and resolves the 400 error in the browser console.

If you’re still experiencing issues after updating, please let us know.

Best regards,
Kristaps, and the tawk.to team
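
An added example (not part of the thread and not the plugin's own code) of producing the hash from the first post on the server, so that only the hash and never the key reaches the browser. The function names, the sample key and the `Tawk_API.visitor` object with `name`, `email` and `hash` fields are assumptions that are not stated on this page.

```php
<?php
// Added example: build the Secure Mode visitor payload server-side.
// Function names and sample values are hypothetical / constructed.

/**
 * Returns the visitor array for a logged-in user, or null when a valid
 * hash cannot be produced (no key configured, or no usable email).
 */
function build_secure_visitor(?string $name, ?string $email, string $jsApiKey): ?array
{
    $email = trim((string) $email);
    if ($jsApiKey === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // emit nothing rather than a hash made with an empty key
    }
    return [
        'name'  => (string) $name,
        // The email sent must be byte-for-byte the string that was hashed.
        'email' => $email,
        // Same construction as in the post: HMAC-SHA256 over the email, keyed with the API key.
        'hash'  => hash_hmac('sha256', $email, $jsApiKey),
    ];
}

/** Renders the inline script; the key is never part of the output. */
function render_visitor_script(?array $visitor): string
{
    if ($visitor === null) {
        return '';
    }
    // JSON_HEX_* keeps user-controlled name/email from breaking out of the script tag.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $json  = json_encode($visitor, $flags);
    return "<script>var Tawk_API = Tawk_API || {}; Tawk_API.visitor = {$json};</script>";
}

// Constructed sample values; on a real site the key is read from server-side settings.
$key     = 'EXAMPLE_JS_API_KEY';
$visitor = build_secure_visitor('Ada </script> Example', 'admin_email@domain.com', $key);
echo render_visitor_script($visitor), PHP_EOL;

// Recompute and compare in constant time, as a server-side check would.
$expected = hash_hmac('sha256', 'admin_email@domain.com', $key);
var_dump(hash_equals($expected, $visitor['hash']));

// With no key configured, no visitor block is rendered at all.
var_dump(render_visitor_script(build_secure_visitor('Ada', 'admin_email@domain.com', '')) === '');
```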