Problem
Widget identity has two very different trust modes: unverified inline email capture and verified customer-signed identity. The product should make this distinction explicit and give admins a safe path to enable verified identity without relying on implementation details.
Proposed solution
Add a setup wizard for verified widget identity that includes:
- Clear explanation of unverified capture versus verified SSO.
- Server-side signing examples for Node, Ruby, Python, PHP, Go, and curl.
- A token tester that verifies sub, email, exp, and optional attributes.
- Host-domain and origin allowlists for widget embedding.
- A setting that blocks inline unverified capture when verified identity is required.
- Secret rotation with overlapping old/new secret support.
Acceptance criteria
- Admins can enable verified identity from a guided UI.
- The UI provides copy-paste backend signing examples.
- Admins can test a token and see exactly which claims Quackback accepts.
- Widget embedding can be restricted by allowed origins.
- Widget secret rotation supports a safe transition window.
- Documentation states that verified tokens must be minted by the customer backend, not by browser code.
Problem
Widget identity has two very different trust modes: unverified inline email capture and verified customer-signed identity. The product should make this distinction explicit and give admins a safe path to enable verified identity without relying on implementation details.
Proposed solution
Add a setup wizard for verified widget identity that includes:
Acceptance criteria