Passing dynamic attributes
When setting up an action for Fin, you can pass dynamic attributes in the API endpoint URL like this:
This is also how you can ensure that Fin can use any collected data inputs configured in the action.
Risks and mitigations for parameter passing
There are a few potential ways that Fin could accidentally share information from another user when parameter passing. See the table for the recommended settings to best mitigate the risks:
Use Case | Risk | Best practice to mitigate |
Fin retrieves personalized data for a customer based off a user ID stored in an Intercom CDA. | A bad actor could manipulate the CDA value in order to get Fin to retrieve data from another account | We recommend that you prevent the ability for users to make updates to these attributes via the Messenger. This helps to ensure that bad actors cannot access data not belonging to them. To set this up, navigate to Settings > Data > People, select the relevant attribute and toggle on "Prevent updates via the Messenger".
|
Fin retrieves personalized data for a customer based on a data value collected by Fin. | A bad actor could provide a value to Fin for an account that they should not have access to | We recommend that you perform checks on the API server side to ensure that the user has access control for the data requested. |
Fin retrieves personalized data for a customer based on a data value collected by Fin. | Fin hallucinates a value for another end user, retrieving the wrong data. | The risk of this hallucination, while not zero, is low.
However we do recommend that you perform checks on the API server side to ensure that the user has access control for the data requested. |
Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts