
Support experimental JWT feature (not available yet) #356

Merged
merged 6 commits into from
Dec 19, 2024

@DamonFstr DamonFstr commented Dec 18, 2024

We're working on an experimental feature to allow you to authenticate with the messenger using a JWT token instead of sending a user_hash.

This feature is not currently in general release; however, we will be seeking beta customers early next year (2025). If you are interested, drop us a line at security@intercom.com (even if you don't use the rails gem!)

Description of the feature

When launching the Messenger for a logged-in User, you can provide a signed JSON Web Token in the intercom_user_jwt attribute of the Messenger payload.

This JWT can contain any User Data Attributes you want to securely send for the user. If you want to ensure those attributes can only be updated by you, you should disable Messenger updates for these Attributes, and as long as they are signed, they will still be updated.

You can use industry standard JWT libraries to generate the token, using your Messenger API Secret as the secret key.

A Messenger installation with JWTs requires minimal change compared to basic Identity Verification.

Example Server-Side Configuration

// Sign the user's attributes with the Messenger API secret; the token expires after one hour.
const jwt = require('jsonwebtoken');
const intercomUserJwt = jwt.sign({ user_id: '123', email: 'user@email.com', phone: '345-345-3456' }, '<API_SECRET>', { expiresIn: '1h' });

Example Client-Side Configuration

<script>
    window.intercomSettings = {
      app_id: <APP_ID_CODE>,
      intercom_user_jwt: <TOKEN>,
      extra_data_attribute: 'data'
    };
</script>

TODO

JWT also supports signing CDAs; will add a separate PR for that. Once we do that, we probably shouldn't send any of those attributes in the clear as part of the user_data either (especially email and phone).

@DamonFstr DamonFstr marked this pull request as ready for review December 19, 2024 16:11
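
The token described in this pull request, as an added example that is not part of the PR or the project's code: a standard-library sign and verify, assuming HS256 (the default of the `jsonwebtoken` call in the description), showing that the signature protects the attributes and the expiry while the payload stays readable to anyone holding the token. `SAMPLE_SECRET`, `sign_user_jwt`, `verify_user_jwt` and `peek_claims` are hypothetical names; a real integration would use a maintained JWT library, as the description says.

```ruby
require 'openssl'
require 'json'

# Constructed sample secret (assumption); a real Messenger API secret comes from configuration.
SAMPLE_SECRET = 'constructed-sample-secret'

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  # Restore padding, then strict-decode (raises ArgumentError on malformed input).
  str.tr('-_', '+/').ljust((str.length + 3) / 4 * 4, '=').unpack1('m0')
end

def hs256(secret, data)
  OpenSSL::HMAC.digest('SHA256', secret, data)
end

# Hypothetical helper: base64url(header).base64url(claims + exp).base64url(HMAC-SHA256)
def sign_user_jwt(claims, secret, ttl: 3600, now: Time.now.to_i)
  header = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate(claims.merge(exp: now + ttl)))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url(hs256(secret, signing_input))}"
end

# Hypothetical helper: returns the claims when the token is authentic and unexpired, else nil.
def verify_user_jwt(token, secret, now: Time.now.to_i)
  parts = token.to_s.split('.', -1)
  return nil unless parts.length == 3
  header, payload, sig = parts
  # Authenticate first, so nothing untrusted is parsed before the MAC check.
  expected = b64url(hs256(secret, "#{header}.#{payload}"))
  return nil unless OpenSSL.secure_compare(expected, sig)
  # Pin the algorithm instead of trusting whatever the header names.
  return nil unless JSON.parse(b64url_decode(header))['alg'] == 'HS256'
  claims = JSON.parse(b64url_decode(payload))
  claims['exp'].is_a?(Integer) && claims['exp'] > now ? claims : nil
rescue JSON::ParserError, ArgumentError, TypeError, NoMethodError
  nil
end

# The payload is only encoded, not encrypted: anyone holding the token can read it.
def peek_claims(token)
  JSON.parse(b64url_decode(token.split('.')[1]))
end
```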

payload = {
user_id: user_details[:user_id].to_s,
exp: 24.hours.from_now.to_i
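
Review bot: in `user_id: user_details[:user_id].to_s`, a missing `:user_id` becomes the empty string and is still signed into the token, so unless a check outside these lines already guarantees the value, test for its presence before building the payload and skip the JWT when it is absent. The fixed `exp: 24.hours.from_now.to_i` is also much longer than the `expiresIn: '1h'` shown in the description's example; a shorter default read from configuration would bound how long a leaked token remains usable.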
@DamonFstr DamonFstr Dec 19, 2024

We'll likely tweak this down, placeholder for now really. More than likely make it configurable too.

@DamonFstr DamonFstr merged commit 0404f08 into master Dec 19, 2024
1 check passed
@DamonFstr DamonFstr deleted the damon/jwts branch December 19, 2024 16:30