How do I authenticate a request (e.g. initialize request) coming from a canvas kit app on our back end?

I created a canvas kit app for my teammates that looks up some customer details in our database and displays them in the inbox details panel, but I don't see any incoming data (like an access token) that I can use on our side to make sure the request is coming from Intercom.

Hey @user2399, Racheal from the support engineer team here 👋

You will want to check out our doc here on signing notifications. You will need to compare the value sent by the request (via the X-Body-Signature header) to the value calculated on your end. If they match, it is a valid request from Intercom.

To calculate the signature, you must use the body of the JSON request and your app's OAuth client_secret value, which you can find on the Basic Info page of your app. As the docs note, it is a hexadecimal (64-byte) value that is computed using the HMAC-SHA256 algorithm as defined in RFC2104.
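
The check described in the reply above, as an added example that is not part of the original post or of Intercom's documentation: it computes HMAC-SHA256 over the request body with the client_secret and compares the result to the X-Body-Signature value. It assumes the header carries the bare hex digest and that the signature covers the exact bytes received, so it also shows that parsing and re-serializing the JSON before hashing yields a different signature; the function names, secret and body are constructed for illustration.

```python
import hashlib
import hmac
import json


def compute_signature(raw_body: bytes, client_secret: str) -> str:
    """Hex HMAC-SHA256 of the request body, keyed with the app's client_secret."""
    return hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def is_valid_request(raw_body: bytes, header_value, client_secret: str) -> bool:
    """Compare the received X-Body-Signature value with the locally computed one."""
    if not header_value:
        return False  # missing header: reject rather than skip the check
    expected = compute_signature(raw_body, client_secret)
    received = header_value.strip().lower()
    # Constant-time comparison on bytes, so a malformed header cannot raise
    # and the comparison does not leak how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


# --- Constructed sample data (not real Intercom traffic or credentials) ---
SECRET = "example-client-secret"
RAW_BODY = b'{"workspace_id":"abc123","admin":{"id":"42"},"context":{"location":"conversation"}}'
# Stand-in for the value the sender would place in X-Body-Signature.
SENT_SIGNATURE = compute_signature(RAW_BODY, SECRET)

# Pitfall: hashing a re-serialized copy of the parsed JSON. The data is the
# same, but the bytes differ (whitespace after separators), so the HMAC differs.
RESERIALIZED_BODY = json.dumps(json.loads(RAW_BODY)).encode("utf-8")


def demo() -> dict:
    return {
        "raw_bytes": is_valid_request(RAW_BODY, SENT_SIGNATURE, SECRET),
        "reserialized": is_valid_request(RESERIALIZED_BODY, SENT_SIGNATURE, SECRET),
        "tampered": is_valid_request(RAW_BODY.replace(b"42", b"43"), SENT_SIGNATURE, SECRET),
        "missing_header": is_valid_request(RAW_BODY, None, SECRET),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In a web framework, pass the unparsed request body bytes to `is_valid_request` before any JSON middleware touches them.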


Thank you Racheal. Where it says "The value is computed by creating a signature using the body of the JSON request and your app's OAuth client_secret value"... does the "body of the JSON request" mean the entire "content" of the HTTP request? I know I have my client_secret correct, but I'm not calculating the same signature using the HTTP request content. Can you give me an example of what the "body of the JSON request" looks like?