JWT not expiring | Community
Skip to main content
Answered

JWT not expiring

  • January 20, 2026
  • 3 replies
  • 44 views
A

We recently started using JWT for authn/AuthZ.There is a property that the SDK adds to requests to Intercom. It is called anonymous_session . It appears to keep the API calls to Intercom working beyond the JWT expiry. :

  1. Why does this keep authentication alive?
  2. Is there a way we can disable it to have more control over the amount of time the API is accessible.

Best answer by Janice

Hi Amitav,

This behavior is expected when the anonymous_session property is present. It allows Intercom to associate requests with an existing anonymous session, which can remain valid even after the JWT itself expires. Essentially, Intercom treats the session as still trusted unless it’s explicitly cleared or invalidated.

If you need tighter control over API access duration, you’ll want to ensure sessions are rotated or reset when the JWT expires, and avoid relying on long-lived anonymous sessions. We’ve seen similar session-handling patterns discussed in authentication session management resources, which may help clarify how to align token expiry with session lifetime.

Hope that helps.

3 replies

J
  • Janice
  • New Participant
  • Answer
  • January 21, 2026

Hi Amitav,

This behavior is expected when the anonymous_session property is present. It allows Intercom to associate requests with an existing anonymous session, which can remain valid even after the JWT itself expires. Essentially, Intercom treats the session as still trusted unless it’s explicitly cleared or invalidated.

If you need tighter control over API access duration, you’ll want to ensure sessions are rotated or reset when the JWT expires, and avoid relying on long-lived anonymous sessions. We’ve seen similar session-handling patterns discussed in authentication session management resources, which may help clarify how to align token expiry with session lifetime.

Hope that helps.

A
  • Amitav Singh
  • Author
  • New Participant
  • January 21, 2026

Authentication Session Management link seems to goto some capcapk.com

 

B
  • Bryce G
  • New Participant
  • January 22, 2026

Thanks for your response, Janice.

Our app does allow for anonymous sessions. Our goal is to remove the “anonymous-session” property in the body of the network traffic sent by the Intercom client for logged-in session network activity - after the logged-in Intercom(“boot).

I’m interpreting the instructions as:
When making the transition from an anonymous session boot to a logged-in session boot, call Intercom(“shutdown”) on the anonymous session before booting the logged-in session. 

Can you confirm this is the recommendation?

Does doing this prevent merging anonymous chat content with logged in content? If so is there a recommended work-around for this?

Terms & ConditionsAccessibility statement