Hi @Pulsi.naman ! Ebenezer here from Engineering Support.
Here are the answers to the questions you are looking for.
1. Does Intercom provide refresh tokens?
No, Intercom does not provide refresh tokens as part of its OAuth 2.0 implementation. When you exchange the authorization code for an access token, the response only includes the access token (and a duplicate under the token and access_token fields), with no refresh token or explicit expiration information.
2. How long is the access token valid?
Access tokens are generally long-lived. According to internal discussions and documentation, Intercom's OAuth access tokens do not expire on a fixed schedule (such as every 60 days). Instead, they remain valid until the user manually revokes access or the app is deauthorized. If a token becomes invalid, it is usually because the user has uninstalled the app or revoked its permissions.
3. How do you renew an expired access token?
If the access token is revoked or becomes invalid, the only way to obtain a new token is to have the user go through the OAuth authorization flow again. There is no silent or programmatic way to renew the token without user interaction, since refresh tokens are not issued.
4. Is there a way to renew tokens silently?
No, there is currently no supported way to renew Intercom OAuth access tokens silently. The user must reauthorize the app through the OAuth flow if the token is invalidated.
5. Does this behavior apply to both public and private apps?
- Public apps: Must use OAuth 2.0 and are subject to the above token behavior.
- Private apps: If you are building a private app that only needs to access your own workspace, you can use a static Access Token (created in the Developer Hub) and do not need to set up OAuth. This static token does not expire unless manually revoked.
6. Best practices for multitenant token management
- Store tokens securely: For each tenant (workspace), securely store the access token you receive after authorization.
- Handle token invalidation: Implement error handling for API calls. If you receive a 401 Unauthorized error, prompt the user to reauthorize your app.
- User experience: To minimize disruption, notify users proactively if their token is about to expire (if you have a way to detect this, e.g., via webhook or failed API call) and guide them through reauthorization.
- No silent renewal: Since silent renewal is not possible, design your app to gracefully handle reauthorization requests and provide clear instructions to users.
- Private app alternative: If your use case allows, consider using a private app with a static access token for your own workspace, as this avoids the need for OAuth and token renewal.
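One way to implement the per-tenant storage and 401 handling described in point 6, as an added example that is not Intercom's code or part of the original reply. The API base URL, the injected transport callable, and the sample workspaces and tokens are constructed assumptions so the snippet runs offline.

```python
from dataclasses import dataclass, field

API_BASE = "https://api.intercom.io"  # assumption for illustration, not taken from the post

class ReauthorizationRequired(Exception):
    """No refresh token exists, so a rejected token can only be replaced by re-running OAuth."""

@dataclass
class TenantTokenStore:  # stand-in for an encrypted secret store keyed by workspace id
    tokens: dict = field(default_factory=dict)
    needs_reauth: set = field(default_factory=set)

    def invalidate(self, workspace_id):
        self.tokens.pop(workspace_id, None)  # drop it so no later call retries it silently
        self.needs_reauth.add(workspace_id)  # UI reads this to prompt the user to reauthorize

class IntercomClient:
    def __init__(self, store, transport):  # transport: callable(method, url, headers) -> (status, body)
        self.store, self.transport = store, transport

    def request(self, workspace_id, method, path):
        token = self.store.tokens.get(workspace_id)
        if token is None:
            raise ReauthorizationRequired(workspace_id)
        status, body = self.transport(method, API_BASE + path, {"Authorization": f"Bearer {token}"})
        if status == 401:  # token revoked or app uninstalled: no silent renewal, flag the tenant
            self.store.invalidate(workspace_id)
            raise ReauthorizationRequired(workspace_id)
        return body

def fake_transport(valid_tokens):
    """Constructed offline stand-in for the API: 401 unless the bearer token is still valid."""
    def send(method, url, headers):
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        return (200, {"ok": True}) if token in valid_tokens else (401, {"ok": False})
    return send

def demo():
    # Two tenants; pretend ws_b's user later uninstalled the app, so only tok_a is still accepted.
    store = TenantTokenStore(tokens={"ws_a": "tok_a", "ws_b": "tok_b"})
    client = IntercomClient(store, fake_transport(valid_tokens={"tok_a"}))
    result = {"ws_a_ok": client.request("ws_a", "GET", "/me")["ok"]}
    try:
        client.request("ws_b", "GET", "/me")
        result["ws_b_reauth"] = False
    except ReauthorizationRequired:
        result["ws_b_reauth"] = "ws_b" in store.needs_reauth and "ws_b" not in store.tokens
    return result
```

The rejected tenant ends up with no stored token and a needs_reauth flag, which is the state your UI should use to send that user back through the OAuth flow rather than retrying the call.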