WordPress Plugin (Error 400): Missing "Hashed" API Token if "Secure Mode" is enabled.

Hi,

Anyone using the Tawk.To WordPress plugin with “Secure Mode” enabled in their dashboard on the Tawk.To website is currently seeing the WordPress plugin throw a constant 400 error in the browsers console log.

Simply put, the plugin is not hashing the API_TOKEN when its being passed to the API from the Plugin it seems.

Online solutions for those directly interacting with the API have resolved this by simply hashing the value like so: hash_hmac("sha256","admin_email@domain.com","AI_TOKEN_KEY");

This needs resolving as all chats are otherwise are potentially (very likely) insecure until this is resolved if the widget loads at all for users.

Hello!
If you’re using the Tawk.To WordPress plugin with “Secure Mode” enabled, you might encounter a 400 error in the browser’s console log. This issue arises because the plugin doesn’t hash the API_TOKEN before passing it to the API. To resolve this, log in to your Tawk.To account, enable “Secure Mode” in the Administration panel, and copy your API key from the JavaScript API section. Use the following code to hash the API_TOKEN:

javascript
var hash = CryptoJS.HmacSHA256(“your-api-token”, “your-secret-key”);
var hashedToken = CryptoJS.enc.Hex.stringify(hash);