I am building an Messenger app for internal use only. How do I make sure app lifecycle flows (Initialize, Configure, Submit, and Sheet) can only be accessed by Intercom since those apis are public?
Best answer by Eden
View original
Userlevel 3
- Premier Customer Support Engineer
- 121 replies
-
17 November 2023
- Answer
Hey
Each Canvas Kit request is signed by Intercom via an X-Body-Signature header. We do this so that you can check that each request is actually sent by Intercom by decoding the signature.
The value is computed by creating a signature using the body of the JSON request and your app's OAuth client_secret value, which you can find on the Basic Info page of your app. You can read more about this in our documentation here. 👍
Reply
Join the Intercom Community 🎉
Already have an account? Login
Login to the community
No account yet? Create an account
Intercom Customers and Employees
Log in with SSOor
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.