Clarification Needed on Intercom OAuth Access Token and Refresh Token for Multitenant Apps | Community
Hi Intercom Team / Community,

I am developing a multitenant app that integrates with Intercom using the OAuth 2.0 authorization code flow. When I exchange the authorization code for an access token, I receive a response like this:

{
  "token": "dG9rOjJjMTdlOTQxX2JmNjZfNDdhNV85ZGFiXzFjMzdmYjZhOGI1ZDoxOjA=",
  "access_token": "dG9rOjJjMTdlOTQxX2JmNjZfNDdhNV85ZGFiXzFjMzdmYjZhOGI1ZDoxOjA=",
  "token_type": "Bearer"
}

There is no information about the token’s lifetime or a refresh token in the response.

My questions are:

  1. Is it correct that Intercom does not provide refresh tokens at all?

  2. If yes, does it mean the access token is long-lived (officially valid up to 60 days)?

  3. After expiry, is the only way to obtain a new token by making the user go through the OAuth authorization flow again?

  4. Is there any recommended way to renew access tokens silently without repeatedly asking for user authorization?

  5. Does this behavior apply consistently for both public and private apps?

  6. For a multitenant scenario where multiple tenants authorize our app and we fetch data on their behalf, how can we best manage token expiration and avoid a poor user experience?

I’d appreciate it if anyone from the community or Intercom team could confirm these points or suggest best practices. Thanks in advance!

Regards,

Naman

Hi @Pulsi.naman! Ebenezer here from Engineering Support 👋.

Here are the answers to the questions you are looking for.

1. Does Intercom provide refresh tokens?

No, Intercom does not provide refresh tokens as part of its OAuth 2.0 implementation. When you exchange the authorization code for an access token, the response only includes the access token (and a duplicate under the token and access_token fields), with no refresh token or explicit expiration information.

2. How long is the access token valid?

Access tokens are generally long-lived. According to internal discussions and documentation, Intercom's OAuth access tokens do not expire on a fixed schedule (such as every 60 days). Instead, they remain valid until the user manually revokes access or the app is deauthorized. If a token becomes invalid, it is usually because the user has uninstalled the app or revoked its permissions.

3. How do you renew an expired access token?

If the access token is revoked or becomes invalid, the only way to obtain a new token is to have the user go through the OAuth authorization flow again. There is no silent or programmatic way to renew the token without user interaction, since refresh tokens are not issued.

4. Is there a way to renew tokens silently?

No, there is currently no supported way to renew Intercom OAuth access tokens silently. The user must reauthorize the app through the OAuth flow if the token is invalidated.

5. Does this behavior apply to both public and private apps?

  • Public apps: Must use OAuth 2.0 and are subject to the above token behavior.
  • Private apps: If you are building a private app that only needs to access your own workspace, you can use a static Access Token (created in the Developer Hub) and do not need to set up OAuth. This static token does not expire unless manually revoked.

6. Best practices for multitenant token management

  • Store tokens securely: For each tenant (workspace), securely store the access token you receive after authorization.
  • Handle token invalidation: Implement error handling for API calls. If you receive a 401 Unauthorized error, prompt the user to reauthorize your app.
  • User experience: To minimize disruption, notify users proactively if their token is about to expire (if you have a way to detect this, e.g., via webhook or failed API call) and guide them through reauthorization.
  • No silent renewal: Since silent renewal is not possible, design your app to gracefully handle reauthorization requests and provide clear instructions to users.
  • Private app alternative: If your use case allows, consider using a private app with a static access token for your own workspace, as this avoids the need for OAuth and token renewal.

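The multitenant handling described in point 6 above (one stored token per workspace, a 401 treated as "this tenant must reauthorize" rather than as a retryable error, no refresh-token path at all), as an added example that is not part of the original thread and not Intercom's own code. The HTTP transport is a constructed stand-in so the block runs offline; the workspace ids, token values, the `/me` path and the shape of the 401 body are all constructed sample values, and the in-memory store stands in for whatever encrypted storage a real deployment would use.

```python
"""Per-tenant Intercom access-token handling with 401 -> reauthorize (added example)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class ReauthorizationRequired(Exception):
    """Raised when a tenant's stored token is rejected; the user must redo the OAuth flow."""


@dataclass
class TenantRecord:
    workspace_id: str
    access_token: str          # in a real deployment this column is encrypted at rest
    needs_reauth: bool = False # set once the API rejects the token; cleared on new authorization


class TenantTokenStore:
    """In-memory store standing in for a per-tenant token table (assumption: one token per workspace)."""

    def __init__(self) -> None:
        self._records: Dict[str, TenantRecord] = {}

    def save_from_token_response(self, workspace_id: str, token_response: dict) -> None:
        # Intercom's token response carries the same value under 'token' and 'access_token'
        # and no refresh_token / expires_in, so only the access token is persisted.
        token = token_response["access_token"]
        self._records[workspace_id] = TenantRecord(workspace_id, token)

    def get(self, workspace_id: str) -> Optional[TenantRecord]:
        return self._records.get(workspace_id)

    def mark_needs_reauth(self, workspace_id: str) -> None:
        self._records[workspace_id].needs_reauth = True

    def tenants_needing_reauth(self) -> List[str]:
        """Tenants to notify and guide back through the authorization flow."""
        return sorted(ws for ws, rec in self._records.items() if rec.needs_reauth)


# transport(method, url, headers) -> (status_code, body_text); swapped for a real HTTP client in production
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


class IntercomClient:
    def __init__(self, store: TenantTokenStore, transport: Transport,
                 base_url: str = "https://api.intercom.io") -> None:
        self.store = store
        self.transport = transport
        self.base_url = base_url

    def get(self, workspace_id: str, path: str) -> dict:
        rec = self.store.get(workspace_id)
        if rec is None or rec.needs_reauth:
            # No refresh token exists, so there is nothing to retry with silently.
            raise ReauthorizationRequired(workspace_id)
        headers = {"Authorization": f"Bearer {rec.access_token}", "Accept": "application/json"}
        status, body = self.transport("GET", self.base_url + path, headers)
        if status == 401:
            # Token revoked or app uninstalled: flag the tenant, never loop on retries.
            self.store.mark_needs_reauth(workspace_id)
            raise ReauthorizationRequired(workspace_id)
        if status >= 400:
            raise RuntimeError(f"Intercom API error {status} for {workspace_id}: {body}")
        return json.loads(body)


def fake_transport(valid_tokens: set) -> Transport:
    """Constructed stand-in for HTTP: any bearer token not in valid_tokens gets a 401."""
    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        if token not in valid_tokens:
            # Constructed error body in the general shape of an API error list
            return 401, json.dumps({"type": "error.list",
                                    "errors": [{"code": "unauthorized", "message": "Access Token Invalid"}]})
        return 200, json.dumps({"type": "admin", "id": "1"})
    return transport


def demo() -> Tuple[Dict[str, str], List[str]]:
    store = TenantTokenStore()
    # Constructed token responses for two tenants, mirroring the response shape in the question.
    store.save_from_token_response("ws_a", {"token": "tokA", "access_token": "tokA", "token_type": "Bearer"})
    store.save_from_token_response("ws_b", {"token": "tokB", "access_token": "tokB", "token_type": "Bearer"})
    # Only ws_a's token is still accepted; ws_b's was revoked by the user after authorization.
    client = IntercomClient(store, fake_transport({"tokA"}))
    results: Dict[str, str] = {}
    for ws in ("ws_a", "ws_b"):
        try:
            results[ws] = client.get(ws, "/me")["type"]
        except ReauthorizationRequired:
            results[ws] = "reauthorize"
    return results, store.tenants_needing_reauth()


if __name__ == "__main__":
    print(demo())
```

The point of the `needs_reauth` flag is that once a tenant's token has been rejected, every later call for that tenant short-circuits before hitting the API, so a background sync across many workspaces does not keep sending a revoked token; `tenants_needing_reauth()` is what a notification job would read to tell those users to reinstall or reauthorize the app.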