What are Checksum tokens and why do I need them?

Checksum tokens generate personalized links* that allow users to be identified when interacting with your website without logging in! When users click on a checksum link, they are directed towards a standalone profile, contribution or event page where any contact information already in the database will auto-populate. This saves your constituents the hassle of logging in and repetitively filling out contact information.

What else are checksum tokens good for?

  1. Ensure data integrity by making it impossible to duplicate an existing contact record or to overwrite another’s contact information where the same email is used for more than one contact.
  2. Can be used to limit event registration to a targeted group without the need to go through the time-consuming process of participant approval. 


  1. Checksum tokens are personalized links meant for the sole use of the intended recipient. Include clear instructions in your communications that the checksum token should not be forwarded for use by someone else, as this will result in the overwriting of the contact record for which the checksum token was generated.

  2. Checksum tokens should only be sent to individual contacts, never to organizations. If you allow individual contacts to make online donations or renew membership on behalf of organizations, direct all communications with checksum tokens to the individual contact record that has a permissioned "Employee of/Employer of" relationship with that organization. If the information submitted is different from the existing information in the database, the system will know whether to update the individual's or the organization's contact record. To avoid duplicate membership renewals, there should only be one permissioned contact per organization.

  3. For security purposes, checksum tokens expire seven days from the time the email is sent. If a contact clicks on an expired checksum token, they will receive a browser error, so you’ll want to include this in your communications as well.

Checksum tokens can only be generated for contacts who already exist in your database and are made up of two parts:

  1. The full URL of the standalone profile, contribution or event page
  2. Followed by the checksum token: &{contact.checksum}&cid={contact.contact_id}

To find the relative URLs:

  • Contribution Pages
    1. Navigate to Contributions > Manage Contribution Pages
    2. Scroll to find the contribution page in question, then click on the Configure hyperlink to the right-hand side and select Title and Settings
    3. Scroll to the very bottom of the page and copy the URL listed
  • Event Pages
    1. Navigate to Events > Manage Event Pages
    2. Scroll to find the event page in question
    3. Click on the Configure hyperlink to the right-hand side and select Info and Settings
    4. Scroll to the very bottom of the page and copy the URL listed
  • Profiles
    1. Navigate to Administer > Customize Data and Screens > Profiles
    2. Scroll to find the profile in question
    3. Click on the More hyperlink to the right-hand side and select Use - Edit Mode
    4. Copy the URL from your browser

URLs will vary by CMS. For example, a URL to a contribution page with a checksum token will look as follows:

  • In Drupal:


  • In WordPress:


Hyperlink the Checksum Token in an Email:

  1. Select the text or image that you want to display as a hyperlink
  2. Click the Hyperlink icon
  3. Type or paste your link in the URL field, then click the OK button

Be sure to test the checksum token by sending yourself an email and clicking on the link in an "Incognito" window (i.e. without being signed into CiviCRM) - whatever information you have on your contact record should appear pre-filled in the profile.
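
The sketch below is an added example, not CiviCRM's own code or algorithm. It shows how a link made of a page URL, an expiring checksum and a contact ID, as described above, can be checked when it is clicked. The `cs` parameter name, the HMAC construction, the key and the example.org URL are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SITE_KEY = b"constructed-demo-key"   # constructed secret standing in for a per-site key
LIFETIME = 7 * 24 * 3600             # seven days, the expiry stated on this page


def make_checksum(cid: int, issued: int, lifetime: int = LIFETIME) -> str:
    """Return 'mac_issued_lifetime'; the MAC covers the contact ID and both times."""
    msg = f"{cid}_{issued}_{lifetime}".encode()
    mac = hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{mac}_{issued}_{lifetime}"


def build_link(page_url: str, cid: int, issued: int) -> str:
    """Append the two parts in the order the page lists: checksum, then cid."""
    sep = "&" if "?" in page_url else "?"
    return f"{page_url}{sep}cs={make_checksum(cid, issued)}&cid={cid}"


def verify_link(url: str, now: int) -> str:
    """Classify a clicked link as 'ok', 'malformed', 'invalid' or 'expired'."""
    q = parse_qs(urlsplit(url).query)
    try:
        cid = int(q["cid"][0])
        mac, issued, lifetime = q["cs"][0].split("_")
        issued, lifetime = int(issued), int(lifetime)
    except (KeyError, ValueError):
        return "malformed"           # cs or cid missing, or not in the expected shape
    expected = make_checksum(cid, issued, lifetime).split("_")[0]
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"             # cid, issue time or lifetime was altered
    if now > issued + lifetime:
        return "expired"
    return "ok"
```

Nothing in this check identifies who clicked: anyone holding an unexpired link passes, which is why recipients are asked not to forward it.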