You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add JWT authentication documentation to README (#368)
Add comprehensive documentation for the JWT authentication feature that was previously implemented but undocumented. The new section covers:
- Basic JWT enablement configuration
- JWT expiry settings
- Signed user fields configuration for enhanced security
- Per-request JWT configuration options
- Important security notes and requirements
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-authored-by: Claude <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: README.md
+47Lines changed: 47 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -69,6 +69,53 @@ It is possible to enable Identity Verification for the Intercom Messenger and yo
69
69
```
70
70
**Note: This example is just for the sake of simplicity, you should never include this secret in source control. Instead, you should use the Rails [secret config](http://guides.rubyonrails.org/4_1_release_notes.html#config-secrets-yml) feature.**
71
71
72
+
### JWT Authentication
73
+
You can enable JWT authentication for enhanced security with the Intercom Messenger. This feature uses JSON Web Tokens (JWTs) to authenticate users instead of the traditional user_hash method. To enable JWT authentication, add the following to your `config/initializers/intercom.rb`:
74
+
75
+
```ruby
76
+
config.jwt.enabled =true
77
+
```
78
+
79
+
#### JWT Expiry
80
+
You can set an expiry time for JWTs. This determines how long the token remains valid:
81
+
82
+
```ruby
83
+
config.jwt.expiry =12.hours # Token expires after 12 hours
84
+
```
85
+
86
+
If no expiry is set, the JWT will not include an expiration claim.
87
+
88
+
#### Signed User Fields
89
+
You can specify which user fields should be included in the JWT payload and removed from the client-side settings for enhanced security:
- Removed from the client-side `intercomSettings` object
98
+
- Still available to Intercom through the secure JWT
99
+
100
+
#### Per-Request JWT Configuration
101
+
You can also configure JWT settings on a per-request basis using the `intercom_script_tag` helper:
102
+
103
+
```erb
104
+
<%= intercom_script_tag({
105
+
:user_id => current_user.id,
106
+
:email => current_user.email
107
+
}, {
108
+
:jwt_enabled => true,
109
+
:jwt_expiry => 1.hour
110
+
}) %>
111
+
```
112
+
113
+
**Important Notes:**
114
+
- JWT authentication requires an `api_secret` to be configured
115
+
- JWT is only generated when a `user_id` is present
116
+
- When JWT is enabled, the `user_id` is removed from client-side settings and only included in the secure JWT
117
+
- Other configured signed fields are also removed from client-side settings when JWT is used
118
+
72
119
### Shutdown
73
120
We make use of first-party cookies so that we can identify your users the next time they open your messenger. When people share devices with someone else, they might be able to see the most recently logged in user’s conversation history until the cookie expires. Because of this, it’s very important to properly shutdown Intercom when a user’s session on your app ends (either manually or due to an automated logout).
0 commit comments