Developers

Built for the teams building Shopify apps.

Paste two lines and ship. A $crisp-compatible SDK so migrating is copy-paste. HMAC identity verification so you always know which merchant you're talking to. Nine signed webhooks and a REST API to wire Convot into anything.

Embed snippet

<script>
  window.Convot = { app_id: "your_app_key" };
</script>
<script async src="https://widget.convot.io/v1/loader.js"></script>


<script>
  Convot.push(["set", "user:email", "[email protected]"]);
  Convot.push(["set", "user:nickname", "Merchant Name"]);
  Convot.push(["set", "session:data", {
    shop: "merchant.myshopify.com",
    plan: "Pro",
  }]);
</script>

The developer toolkit

Every integration primitive you need, nothing you don't.

Designed from the ground up for Shopify app developers: CORS-allowed for *.myshopify.com, with identity built in.

One-line embed

Drop two script tags into your Shopify app's <head> and you're live. Sandboxed iframe, smart sizing, zero dependencies: it cannot break your page.

$crisp-compatible SDK

Convot.push(["set", ...]) mirrors the Crisp SDK exactly: user email/nickname/avatar/company, session data, segments, and events. Migrate without rewriting a line of host-page code.

HMAC identity verification

Sign the visitor's identity server-side with your app's secret key. Enable require_identity_verification and Convot rejects any unverified session: no spoofing, no shared-device leakage.

9 signed webhooks

Every event you need: message sent/received/deleted, conversation created/assigned/resolved/reopened, contact created/identified. Each delivery signed with a per-webhook whsec_ HMAC you verify server-side.

REST API

Full programmatic access: read contacts, send messages, manage conversations, and pull reports, built on 60-day JWT bearer tokens that work in SPAs and iframe contexts without cookies.

Session data, segments & events

Push custom key/values (session:data), tag contacts with segments, and fire timeline events, all visible in the agent sidebar so your team sees context before they reply.

Identity verification

Cryptographically prove who you're talking to.

Compute the HMAC server-side so the secret never leaves your backend. Enable enforcement in one toggle and Convot rejects unsigned sessions.

Ruby

# Generate the user_hash on your backend before rendering the page
require "openssl"

identity_secret = ENV["CONVOT_IDENTITY_SECRET"]   # from app settings
user_email      = current_shopify_session.email

user_hash = OpenSSL::HMAC.hexdigest(
  "SHA256",
  identity_secret,
  user_email
)

# Pass user_hash to the frontend and set it in the SDK
# Convot.push(["set", "user:email", user_email]);
# Convot.push(["set", "session:user_hash", user_hash]);

Node

// Generate the user_hash on your backend before rendering the page
import { createHmac } from "crypto";

const identitySecret = process.env.CONVOT_IDENTITY_SECRET;  // from app settings
const userEmail      = session.shopifyEmail;

const userHash = createHmac("sha256", identitySecret)
  .update(userEmail)
  .digest("hex");

// Pass userHash to the frontend and set it in the SDK
// Convot.push(["set", "user:email", userEmail]);
// Convot.push(["set", "session:user_hash", userHash]);
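
An added example (not Convot's code) that wraps the Ruby computation above in a helper and models the enforcement check, showing that the hash is bound to the exact email string: a different address, or the same address in a different case, fails. The names verified_session?, identity_payload and secure_compare, the sample secret and the sample addresses are assumptions for illustration; how Convot performs its own check is not documented on this page.

```ruby
require "openssl"

# Constructed sample secret; a real app reads ENV["CONVOT_IDENTITY_SECRET"].
SAMPLE_SECRET = "constructed-sample-secret"

# Same computation as the page's snippet: hex HMAC-SHA256 over the email.
def user_hash_for(secret, email)
  raise ArgumentError, "identity secret is missing" if secret.nil? || secret.empty?
  raise ArgumentError, "email is missing" if email.nil? || email.empty?
  OpenSSL::HMAC.hexdigest("SHA256", secret, email)
end

# Constant-time string comparison: a mismatch takes the same time
# wherever the first differing byte is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical model of the enforcement check (assumption: the verifier
# recomputes the HMAC over the claimed email and compares the two values).
def verified_session?(secret, claimed_email, presented_hash)
  return false if claimed_email.nil? || claimed_email.empty?
  return false unless presented_hash.is_a?(String) &&
                      presented_hash.match?(/\A[0-9a-f]{64}\z/)
  secure_compare(user_hash_for(secret, claimed_email), presented_hash)
end

# The two values the backend hands to the page for the Convot.push calls.
# The email is returned unchanged so the signed and pushed strings are identical.
def identity_payload(secret, email)
  { "user:email" => email, "session:user_hash" => user_hash_for(secret, email) }
end

if __FILE__ == $PROGRAM_NAME
  email = "owner@merchant.example" # constructed sample address
  hash  = identity_payload(SAMPLE_SECRET, email)["session:user_hash"]
  checks = {
    "same email, valid hash"     => [email, hash],
    "different email, same hash" => ["other@merchant.example", hash],
    "same email, different case" => ["Owner@merchant.example", hash],
    "hash missing"               => [email, nil],
  }
  checks.each do |label, (claimed, presented)|
    puts "#{label}: #{verified_session?(SAMPLE_SECRET, claimed, presented)}"
  end
end
```

Sign the same string you push as user:email; if your backend lowercases or trims the address before signing, push the normalized value too.
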
Revenue wired in

The widget knows which merchant it's talking to, and so does the revenue brain.

When you pass a shop domain via session:data (or our signed shop hash), Convot links the contact to your Shopify Partner sync. Revenue, plan, and churn risk appear in the agent sidebar automatically. No extra API calls from your app required.

App webhooks, signed events to your backend

Embed Convot in your Shopify app today.

Start free, no credit card. Two lines of code, live in minutes.