# Identify customers
Attach Plandalf checkout sessions to logged-in users with email identity or signed JWT identity.
Source: /docs/sdk/identity
Last modified: 2026-06-18
Identity lets Plandalf link purchases, resume sessions, and evaluate customer-aware gates.

## Email identity

For low-risk flows, identify with an email.

```js
plandalf.identify("jane@example.com");
plandalf.reset();
```


  Email identity is not signed. A visitor with console access can call `identify("someone@example.com")`. Use a signed JWT when paid access or account ownership matters.


## Signed JWT identity

Sign a short-lived JWT on your server and pass it to `identify()`.

```js
plandalf.ready((sdk) => {
  sdk.identify(userJwt);
});
```

JWT payload:

```json
{
  "sub": "usr_123",
  "email": "jane@example.com",
  "name": "Jane Example",
  "subscription": "sub_123",
  "exp": 1711036800
}
```

Sign with an API key secret and include the API key preview or prefix in the JWT header as `kid`.

```js
import jwt from "jsonwebtoken";

export function plandalfJwt(user) {
  return jwt.sign(
    {
      sub: String(user.id),
      email: user.email,
      name: user.name
    },
    process.env.PLANDALF_API_KEY,
    {
      header: { kid: process.env.PLANDALF_API_KEY_PREVIEW },
      expiresIn: "1h"
    }
  );
}
```

## Per-call identity

Pass `user` to one checkout without changing the global browser identity.

```js
await plandalf.present("pro-plan", {
  user: customerJwt
});
```

## Anonymous identity

If you do not call `identify()`, Plandalf still maintains an anonymous device ID in local storage. `reset()` clears the user token but preserves that anonymous ID.

## Method names

Use `identify()` to set customer identity and `reset()` to clear it.

## Related docs

- [Configure the SDK](/docs/sdk/configure)
- [Session continuity](/docs/sdk/session-continuity)
- [Gates](/docs/sdk/gates)