If you have the Messenger installed on your site for logged in users, it's essential to secure it and prevent bad actors from impersonating your users or sending unauthorized data. ​

On a Messenger that's not secure, someone could interact with your Intercom Messenger and spoof the identity of another user, by providing a known identifier like their email address or user_id. This allows an attacker to pose as a real user to your teammates, giving access to previous conversations and potentially sensitive data.

A JSON Web Token (JWT) is an industry standard way to sign data. It typically consists of three parts, separated by dots. A typical JWT looks like this: header.payload.signature.

By securely transmitting user identity and data and enforcing token expiration, JWTs ensure your Intercom Messenger is in the most secure state it can be.

When using JWTs with the Intercom Messenger, the experience is as follows:

You can find the unique setup instructions for your workspace here. ​

The main difference between an insecure Messenger setup and a secure setup is that you will include an additional intercomUserJwt field in your user requests and that will be used to identify and update the user.

You can use industry standard JWT libraries to generate the token, using the Messenger API Secret as the secret key. Your secret key can be generated in your workspace's Messenger security settings.

Choose your back and front end frameworks to get relevant code examples for your installation.

Here is an example for Node.js:

If there are additional attributes you want to send about your users (e.g: price_plan or number_of_songs_added) you would add those into your JWT also. user_id is the only required field. Learn more about custom data attributes here.

When launching the Messenger for a logged-in user, you can provide a signed JSON Web Token and assign it to the intercom_user_jwt attribute of the Messenger payload.

Example Client-Side Configuration

This JWT can contain any user data attributes you want to securely send for the user. Once a valid JWT is received for the user, a session cookie will be created in the user’s browser with a default duration of 7 days.

To control the TTL of the Messenger session cookie, you can set a maximum under Settings > Channels > Messenger > General > Keep your Messenger secure

It is possible to enable insecure updates for data attributes for the Messenger API, which means that any update through the Messenger to update that attribute will succeed.

If you are sending some data securely in your JWT, you should ensure that you disable insecure Messenger updates for those attributes such that they are only updated via a valid JWT. Note: this toggle does not prevent you from collecting data directly from leads with a bot

We recommend you enable this toggle for any attribute you’re sending in your JWT.

Intercom allows you to put the Intercom Messenger on any public facing site that you own (your marketing site, your docs site, your developer hub, etc). In order to maintain continuity of conversations across all of these potentially different subdomains while your users are logged in, we set a cookie in your user’s browser. This cookie expires after one week.

Any user that uses a shared computer and browser with someone else will be able to see the most recently logged in user’s conversation history until the cookie expires. Because of this, it’s very important to properly shutdown Intercom when a user’s session on your app ends (via manually or automatically logging out).

Here’s how to shutdown Intercom:

When your integration is properly sending JWTs for your users, you should enforce Messenger security by toggling it on in your Messenger settings. By doing this, Intercom will require that requests for your workspace users are secured with either a valid JWT or a valid user_hash.

We have two tools to help you debug your installation, one way to see recent error logs and a token debugger.

On step 6 under Settings > Channels > Messenger > Security, you will see your installation logs. These will show all failure logs related to your JWT installation. Here you will see errors noting whether your JWTs are invalid, expired etc. You click on "View log" to see a full log including the request ID, timestamp, referer and user data. This can help you understand why your request failed and help you trace it back to your own app.

Our decoder tool also gives you a way to check a JSON web token. You can find it on the sidebar on the installation pages.

In the tool you can check one of your generated user JWTs for validity. Choose the relevant secret key you used to generate the JWT and click Decode.

Once decoded you can see the user details from your JWT's payload, the header and a note as to whether it's valid or invalid.

In this example I have used both an invalid secret and I'm not including the user_id field, both of which will cause a failure.

We require that customers provide user_id as their primary identifier for their Users. Historically, we’ve supported either user_id or email as potential identifiers for legacy reasons, but this has created significant product confusion in basic Identity Verification. We are being opinionated here. If the customer only has an Email to identify their users with, they can supply the email address in both the user_id and email attributes of the payload.

You should send a new JWT each time the Messenger is booted, and so the lifetime of the token only needs to support the length of time between Messenger launches. Choose the minimum duration that is suitable for their application’s behavior. If the web page is often reloaded, the JWT should be short-lived, though we suggest a minimum of 5 minutes to prevent unexpected expiry issues.

No, we don’t support sending both the user_hash and the intercom_user_jwt, as the `user_hash` should be superseded by JWTs. You can, however, alternate between sending user_hashes and/or intercom_user_jwt values, as some customers will need to do this as they migrate from user_hash to intercom_user_jwt

If you're currently using Identity Verification and sending user hashes, see this guide for changing your integration to send JWTs instead.

See Troubleshooting section above.

You should enable the enforcement toggle in your Messenger settings.

All identifying attributes should be marked protected and sent securely in the JWT if possible. This includes, email, phone, and any account_ids the customer may store on the User record. You can find your attributes here.

Any attribute that you want Fin to use in a critical part of an Action or Workflow should be protected, to ensure a malicious user cannot override that value.

If you want to send data outside the JWT, you can do that as long as you have allowed Messenger updates but keep in mind that a user could update this field themselves.

If there is activity within the Messenger from a user after the cookie expires, Intercom will issue a fresh short lived cookie of 1 hour to avoid negative impact to the user experience. To prevent any unintended effects to the user experience we recommend you choose a session duration of the cookie that matches that of your application’s session timeout.

We do not yet offer support for JWTs in the Mobile Messenger SDKs. This is coming soon.

Not all integrations have been updated to send the intercom_user_jwt field yet, however if you can manually update your integration to send this field, it will work.

We allow for customers to send un-signed Attributes to support situations where they need to send low-fidelity data about the User, while the User is taking action in their application. If the customer doesn’t need this capability, they can update all their User Data Attributes to be “protected from Messenger updates” and only send the signed payload.

Your secret key can be generated in your workspace's Messenger security settings.

Please report bugs to security@intercom.io immediately.