Answered

How do I authenticate a request (e.g. initialize request) coming from a Canvas Kit app on our back end?


I created a Canvas Kit app for my teammates that looks up some customer details in our database and displays them in the inbox details panel, but I don't see any incoming data (like an access token) that I can use on our side to make sure the request is coming from Intercom.


2 replies

Racheal
Intercom Team
  • Customer Support Engineer
  • 512 replies
  • Answer
  • August 9, 2022

Hey @user2399, Racheal from the support engineer team here 👋

You will want to check out our doc here on signing notifications. You will need to compare the value sent by the request (via the X-Body-Signature header) to the value calculated on your end. If they match, it is a valid request from Intercom.

To calculate the signature, you must use the body of the JSON request and your app's OAuth client_secret value, which you can find on the Basic Info page of your app. As the docs note, it is a hexadecimal (64-byte) value that is computed using the HMAC-SHA256 algorithm as defined in RFC2104.


  • Author
  • New Participant
  • 1 reply
  • August 9, 2022

Thank you, Racheal. Where it says "The value is computed by creating a signature using the body of the JSON request and your app's OAuth client_secret value"... does the "body of the JSON request" mean the entire "content" of the HTTP request? I know I have my client_secret correct, but I'm not calculating the same signature using the HTTP request content. Can you give me an example of what the "body of the JSON request" looks like?
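
The check described in the answer above, as an added Python example (not Intercom's code and not part of the original thread). It assumes the signature covers the exact bytes of the request body as received, which is why a parsed and re-serialised copy of the JSON fails verification; the secret, body and header values are constructed samples.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Body-Signature"  # header name given in the answer above


def compute_signature(raw_body: bytes, client_secret: str) -> str:
    """Hex HMAC-SHA256 of the body bytes, keyed with the app's client_secret."""
    return hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def is_valid_request(headers: dict, raw_body: bytes, client_secret: str) -> bool:
    """True only if the header value matches the digest of the bytes as received."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned request: reject rather than fall through
    expected = compute_signature(raw_body, client_secret)
    # Constant-time comparison; bytes on both sides so odd header input cannot raise.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.strip().lower().encode("utf-8"))


def reserialized(raw_body: bytes) -> bytes:
    """What you get if the JSON is parsed and dumped again before hashing."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


# Constructed sample values, not real Intercom data.
SAMPLE_SECRET = "example-client-secret"
SAMPLE_BODY = b'{"workspace_id":"abc123","admin":{"id":"1"},"context":{"location":"conversation"}}'
SAMPLE_HEADERS = {"x-body-signature": compute_signature(SAMPLE_BODY, SAMPLE_SECRET)}


if __name__ == "__main__":
    # Raw bytes as received: accepted.
    print(is_valid_request(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET))
    # Same JSON, different whitespace after re-serialising: rejected.
    print(is_valid_request(SAMPLE_HEADERS, reserialized(SAMPLE_BODY), SAMPLE_SECRET))
    # Missing header: rejected.
    print(is_valid_request({}, SAMPLE_BODY, SAMPLE_SECRET))
```

In a web framework, read the raw body bytes before any JSON middleware parses them, and return an error status without processing the request when the check fails.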

