How to Validate Invitation Codes

How It Works

The invitation code that Prefinery automatically generates for a user is tied to their email address. We give you the formula to calculate what the user's invitation code should be, then you compare that to the code the user provides. 

The invitation code for each of your users is simply a SHA1 hex digest of your secret invitation decoder key followed by their e-mail address.

Given a secret invitation decoder key of d1696aeb245fa90380a192a41730f07464c906ea and a user email address of (must be all lowercase) their invitation code will be 6210ede5e41479c55aa7ff24a0360462e0442bb3 .

Remember, if you have enabled the use of short invitation codes in Prefinery (which are enabled by default), you only need to validate the first 10 characters of the calculated invitation code. In this case, the user's invitation code would be 6210ede5e4.

Note: The Beta Management features shown in the screenshot above are only available to "prelaunch" projects (i.e. projects for which you answered "yes this is a prelaunch campaign" during the project creation wizard).

Validating the Invitation Code

To validate the invitation code you will simply need to calculate what you expect the invitation code to be for a given email address and then compare the result to what the user has provided.

This means that validating an invitation code is nothing more than a bit of math and string comparison, so there's no need to use our API. It's all done locally on your end.

Your project's secret invitation decoder key, used for validating a user's invitation code, can be found within your account on the Beta Management Settings page. 

Here's how you validate the invitation code in different languages/environments: 

How to Validate an Invitation Code in Ruby

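require 'digest/sha1'
# decoder_key: your secret invitation decoder key; email: the user's email address, all lowercase
invitation_code = Digest::SHA1.hexdigest(decoder_key + email)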

How to Validate an Invitation Code in Python

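import hashlib
# decoder_key: your secret invitation decoder key; email: the user's email address, all lowercase
invitation_code = hashlib.sha1((decoder_key + email).encode("utf-8")).hexdigest()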
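
A fuller Python check, added here as an example and not Prefinery's own code: it lowercases the email, handles short (first 10 characters) and full codes, rejects malformed input, and compares in constant time. The function names, the strict length rule and the sample key and email are assumptions made for illustration.

```python
import hashlib
import hmac
import re

SHORT_CODE_LENGTH = 10  # short invitation codes are the first 10 characters
_HEX = re.compile(r"[0-9a-f]+")


def expected_invitation_code(decoder_key: str, email: str, short: bool = True) -> str:
    """SHA1 hex digest of the decoder key followed by the lowercase email."""
    normalized = email.strip().lower()  # the email must be all lowercase
    digest = hashlib.sha1((decoder_key + normalized).encode("utf-8")).hexdigest()
    return digest[:SHORT_CODE_LENGTH] if short else digest


def is_valid_invitation_code(decoder_key: str, email: str, provided_code: str,
                             short: bool = True) -> bool:
    """Return True only if provided_code matches the code expected for email."""
    if not email or not isinstance(provided_code, str):
        return False
    provided = provided_code.strip().lower()
    expected = expected_invitation_code(decoder_key, email, short)
    # Reject anything that is not a hex string of exactly the expected length,
    # so an empty or truncated value can never match.
    if len(provided) != len(expected) or not _HEX.fullmatch(provided):
        return False
    # Constant-time comparison: response timing does not reveal how many
    # leading characters of a guess were correct.
    return hmac.compare_digest(provided, expected)


# Constructed sample values, not a real project's key or user.
SAMPLE_KEY = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_EMAIL = "Tester@Example.com"

if __name__ == "__main__":
    code = expected_invitation_code(SAMPLE_KEY, SAMPLE_EMAIL)
    print(code, is_valid_invitation_code(SAMPLE_KEY, SAMPLE_EMAIL, code))
```

Pass short=False if short invitation codes are disabled for your project, so that the full 40-character digest is required.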

How to Validate an Invitation Code in PHP

Validating the invitation code using PHP looks like this at the most basic:

<?php $invitation_code = sha1($decoder_key . $user_email); // decoder key followed by the lowercase email address ?>

To expand on the above, here's a PHP code snippet that accepts the user's email address and invitation code as inputs, supports short invitation codes (Settings > Project Settings > Beta Management), then checks if the user's code matches that of the expected invitation code based on the user's email address and your campaign's decoder key:


<?php
$user_email = ''; // map the value to your email address input
$user_provided_code = 'd4c0274b2625f1a0e8178284fc3d14525ad27ed1'; // map the value to your invite code input
$decoder_key = 'btfaaaZsMbbbSKFccccc'; // Settings > Project Settings > Beta Management

// the email address must be all lowercase before it is hashed
$invitation_code = sha1($decoder_key . strtolower(trim($user_email)));

// in case short invitation codes are enabled (first 10 characters only)
$user_shortcode = substr($user_provided_code, 0, 10);
$computed_shortcode = substr($invitation_code, 0, 10);

// check if user provided code is the same as computed code
// hash_equals() compares as strings in constant time; a loose == would treat
// numeric-looking codes such as "0e12345678" and "0e87654321" as equal
if (hash_equals($computed_shortcode, $user_shortcode)) {
	// do something here e.g. redirect user to specific page, set their status in the campaign to "active"
} else {
	// do something here e.g. prompt user the code they provided is wrong
}


How it's used depends on how you're set up to onboard users once they are invited.

For example, you could have a registration form on your website or app accessible only by those invited (perhaps through the invitation email they received) where they could input their email address and invitation code, then you could capture and validate the submitted email address and invitation code. 

Another example is to include a one-click invitation confirmation link (which points to the page that runs your PHP code) where the user's email address and invitation code are added as parameters in the URL:

To achieve that in Prefinery, specifically to use it in the invitation email, you can insert the {{ | url_encode}} and {{user.invitation_code}} variables in the URL:{{ | url_encode}}&code={{user.invitation_code}}

The url_encode filter in the {{}} variable is used to make sure the email address gets URL encoded. This converts URL-unsafe characters in the address (e.g. @ in ) into percent-encoded characters (e.g. ), ensuring the whole link works properly. 

You'd then edit your invitation email to include that link: 

Continuing from the previous example, here's a PHP code snippet that can be installed on the page the link points to. When the user clicks the link, it captures the values of the URL parameters, outputs whether validation succeeded or failed, and, if it succeeded, tells the Prefinery campaign to change the user's status from "invited" to "active":


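<?php
// get values of the 'email' and 'code' parameters in the URL (empty if missing or not a string)
$user_email = is_string($_GET['email'] ?? null) ? $_GET['email'] : '';
$user_provided_code = is_string($_GET['code'] ?? null) ? $_GET['code'] : '';
$decoder_key = 'btfaaaZsMbbbSKFccccc';

// the email address must be all lowercase before it is hashed
$user_email = strtolower(trim($user_email));
$invitation_code = sha1($decoder_key . $user_email);

$user_shortcode = substr($user_provided_code, 0, 10);
$computed_shortcode = substr($invitation_code, 0, 10);

// hash_equals() is a strict, constant-time string comparison; a loose == would
// treat numeric-looking codes such as "0e12345678" and "0e87654321" as equal
if (hash_equals($computed_shortcode, $user_shortcode)) {
	echo 'Welcome to our beta!';
	// escape the request-supplied value before writing it into the HTML attribute
	echo '<img height="1" width="1" alt="" style="display:none;" src="' . htmlspecialchars($user_email, ENT_QUOTES, 'UTF-8') . '" />';
	// make sure to replace PROJECT_UID in the src value above with your actual Project UID (Settings > Project Settings > General Settings)
	// you can add other things here like finally giving the user access
} else {
	echo 'The email address and/or invitation code you provided is incorrect.';
}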


How to Validate an Invitation Code on Bubble

If you're using Bubble, we've created a standalone guide for validating invite codes on it here: How to Validate Invitation Codes on Bubble

How to Validate an Invitation Code in Node.js

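var crypto = require('crypto')
var shasum = crypto.createHash('sha1')
shasum.update(decoderKey + email) // your decoder key followed by the user's lowercase email address
var invitationCode = shasum.digest('hex')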

Looking for a way to grant someone or a group of people direct access to your website or application without them having to signup for your waitlist? You can create custom invitation codes for them. Learn more here: How to Validate Custom Invitation Codes
