Can the ios_sdk api keys be left in the frontend? | Community

Looking at the implementation of Intercom for iOS, the creator seems to leave the API key in the front end. Does this mean that this API key is fine if exposed to the end user? I don’t seem to see another way to obscure it, as keeping the key on the backend doesn’t seem like an option if I want to use Intercom’s package.

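import Intercom
import UIKit

// App ID and iOS API key used to initialize the SDK (Xcode placeholders)
let INTERCOM_APP_ID = "<#YOUR APP ID#>"
let INTERCOM_API_KEY = "<#YOUR API KEY#>"

class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    // Rest of the delegate is not shown in the post.
}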

Hey @Bash Test! Emily here from Support Engineering at Intercom 👋🏼

You’re right to notice that the iOS sample initializes Intercom with an App ID and an iOS API key in the client code. That’s by design for the mobile SDKs - the Intercom iOS SDK is initialized in your app (AppDelegate/SceneDelegate) with your workspace’s App ID and the platform-specific iOS API key, and those values are expected to ship in the app binary. They are not the same as (and do not grant) server-side Admin API access tokens. Intercom moved Admin API authentication to Access Tokens/OAuth years ago; that deprecation did not affect the mobile iOS/Android API keys used by the mobile SDKs.

Summary

  • In Intercom’s iOS SDK, including your App ID and iOS API key in the app is expected; they’re public identifiers for SDK init, not admin credentials.

  • To prevent impersonation, enable Messenger Security (JWT) and set a server‑minted user JWT in the app before registering/logging in users; then enforce it in settings.

  • Keep your Messenger secret and any Admin API Access Tokens on your backend only; never ship them in the app.

  • Legacy Identity Verification (HMAC) still works, but JWT is the recommended approach going forward.

 

Hope this helps clarify things on your side!
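
Added example (not part of the reply above and not Intercom's code): a backend-side illustration of the "server-minted user JWT" step from the summary, showing that a token signed with anything other than the backend-held secret, or altered after signing, is rejected. The HS256 algorithm, the `user_id` and `exp` claim names, the function names and the secret value are assumptions made for this example; confirm the exact claims against Intercom's Messenger Security documentation.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed placeholder. The real Messenger secret lives only in backend config.
MESSENGER_SECRET = b"constructed-example-secret"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def mint_user_jwt(user_id: str, secret: bytes, ttl: int = 3600,
                  now: Optional[int] = None) -> str:
    """Backend only: call after your own login check has authenticated user_id."""
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}              # assumed algorithm
    payload = {"user_id": user_id, "exp": issued + ttl}  # assumed claim names
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    return signing_input + "." + b64url(sign(signing_input, secret))

def verify_user_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Verifier side: returns the claims, or None if the token must be rejected."""
    try:
        head, body, sig = token.split(".")
        header, payload = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":      # never trust "none" or a swapped algorithm
        return None
    if not hmac.compare_digest(given, sign(head + "." + body, secret)):
        return None                       # forged or signed with the wrong key
    current = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= current:
        return None                       # missing or expired exp
    return payload
```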