Skip to main content

Hi,

I’m building a custom intercom app. I have two APIs created for both Initialize flow webhook URL and Submit flow webhook URL and they work as I expected.

The question is, It looks like these two API can’t be protected using API key or other authentication mechanism. Is there a way to confirm the requests come to these APIs are actually from Intercom, not from some malicious actors. Any help on this appreciated.

Hi @Sujeevan Nagarajah 

I’ll need to reach out to our Product Team to see what’s possible here. I’ll reply back here when I get a response from them!


Hi again @Sujeevan Nagarajah !

Thanks for your patience!

It looks like you can put your endpoint behind a firewall and whitelist the IPs that we list in our docs below.

If you block all the IPs that the requests come from except the ones listed above, then you won’t receive any other requests apart from ours! 


perfect. Thanks for the support @Jacob Cox 


You bet, @Sujeevan Nagarajah !


Reply