I created a canvas kit app for my teammates that looks up some customer details in our database and displays them in the inbox details panel, but I don't see any incoming data (like an access token) that I can use on our side to make sure the request is coming from intercom.
Page 1 / 1
Hey @user2399 Racheal from the support engineer team here 👋
You will want to check out our doc. here on signing notifications. You will need to compare the value sent by the request (via the X-Body-Signature header) to the value calculated on your end. If they match, it is a valid request from Intercom.
To calculate the signature, you must use the body of the JSON request and your app's OAuth client_secret value, which you can find on the Basic Info page of your app. As the docs note, it is a hexadecimal (64-byte) value that is computed using the HMAC-SHA256 algorithm as defined in RFC2104.
Thank you Racheal. Where it says "The value is computed by creating a signature using the body of the JSON request and your app's OAuth client_secret value"... does the "body of the JSON request" mean the entire "content" of the http request? I know I have my client_secret correct, but I'm not calculating the same signature using the http request content. Can you give me an example of what the "body of the JSON request" looks like?
Reply
Join the Intercom Community 🎉
Already have an account? Login
Login to the community
No account yet? Create an account
Intercom Customers and Employees
Log in with SSOor
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.