Intercom app_id security


I have a security question regarding the use of app_id to initialize Intercom in client-side apps. According to the official documentation, we need to expose the APP_ID as part of the client-side JS, like so:

// Workspace identifier; it is visible to anyone who views the page source.
var APP_ID = "APP_ID";

window.intercomSettings = {
  app_id: APP_ID
};

The question is, what’s preventing someone else from inspecting the source and taking the APP_ID to create an Intercom client as an attack vector to exhaust the monthly quota for my account?


Hi @nus :smile: For general usage on websites we have our whitelisting setting which restricts using your app_id on unauthorized sites.

Also, which quotas are you referring to? Typical quotas would be for the API and our rate limits, where they would need to know your access token, which should be kept secret and isn’t something that is exposed.

Also, for when users log in:

  • to prevent user impersonation on web/mobile we also recommend enforcing identity verification which requires creating a hash of the user_id (or email if no user_id is provided) to prevent unauthorized requests
  • And to take it a step even further for users, we have encrypted mode which completely encrypts the payload.

Hope that helps clarify what’s possible! :+1:
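
The identity verification step mentioned in the reply above, sketched as an added server-side Node.js example (not part of the thread and not Intercom's own code). It assumes the hash is HMAC-SHA256 keyed with the workspace's identity verification secret, hex-encoded and sent as `user_hash`; the secret, the user IDs and the helper names are constructed for illustration.

```javascript
// Added example (server-side Node.js); not Intercom's or the poster's code.
const crypto = require("crypto");

// Constructed placeholders: real values come from your Intercom workspace settings.
const APP_ID = "APP_ID";
const IDENTITY_SECRET = "constructed-example-secret"; // keep server-side only

// HMAC-SHA256 over the user_id (or the email when no user_id exists), hex-encoded.
function computeUserHash(secret, identifier) {
  return crypto.createHmac("sha256", secret).update(String(identifier)).digest("hex");
}

// Settings object the server renders into the page for a logged-in user.
function buildIntercomSettings(appId, secret, user) {
  const identifier = user.user_id !== undefined ? user.user_id : user.email;
  if (identifier === undefined || identifier === "") {
    throw new Error("user_id or email is required to compute user_hash");
  }
  const settings = { app_id: appId, user_hash: computeUserHash(secret, identifier) };
  if (user.user_id !== undefined) settings.user_id = String(user.user_id);
  if (user.email !== undefined) settings.email = user.email;
  return settings;
}

// Model of the receiving side's check: recompute and compare in constant time.
function verifyUserHash(secret, identifier, presentedHash) {
  const expected = Buffer.from(computeUserHash(secret, identifier), "hex");
  const presented = Buffer.from(String(presentedHash), "hex");
  return expected.length === presented.length &&
    crypto.timingSafeEqual(expected, presented);
}

// The app_id stays public; the hash binds the session to one specific user.
const settings = buildIntercomSettings(APP_ID, IDENTITY_SECRET, { user_id: "1001" });
console.log(JSON.stringify(settings));
```

A hash issued for one user_id does not verify for another, so knowing only the public app_id is not enough to act as an existing user.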