Skip to main content

I created a canvas kit app for my teammates that looks up some customer details in our database and displays them in the inbox details panel, but I don't see any incoming data (like an access token) that I can use on our side to make sure the request is coming from intercom.

Hey @user2399​ Racheal from the support engineer team here 👋

 

You will want to check out our doc. here on signing notifications. You will need to compare the value sent by the request (via the X-Body-Signature header) to the value calculated on your end. If they match, it is a valid request from Intercom.

 

To calculate the signature, you must use the body of the JSON request and your app's OAuth client_secret value, which you can find on the Basic Info page of your app. As the docs note, it is a hexadecimal (64-byte) value that is computed using the HMAC-SHA256 algorithm as defined in RFC2104.


Thank you Racheal. Where it says "The value is computed by creating a signature using the body of the JSON request and your app's OAuth client_secret value"... does the "body of the JSON request" mean the entire "content" of the http request? I know I have my client_secret correct, but I'm not calculating the same signature using the http request content. Can you give me an example of what the "body of the JSON request" looks like?


Reply