Messenger-only app flow



For my Messenger-only application, I can’t seem to figure out what the best approach is for the following.

A visitor/user can perform a certain action in my Messenger app’s sheet. Say, rate their happiness (9/10). Now I want to write that rating as a custom_attributes to the user’s object with the Intercom API.

But the Intercom API needs a token to write. Question:

  • if I obtain the token from the owner (after app install) can I just save it, and use forever with the API?
  • if it does expire, how to request a new token from the owner?
  • why not provide API token to the messenger environment?

If not clear enough, let me know.



Hey @yvoschaap :wave:

Is this for a public app (i.e. accessing other Intercom users' data), or a private app (accessing only your own data)? For the latter, you can just use your access token as found on the Authentication page of your app on the Developer Hub.

However, for the latter, you will need to use OAuth in order to have other users authenticate and provide that access. You can grab the access token by exchanging the code for it, and then store this so you don’t need to make the call each time to retrieve it. Currently, tokens are not set to expire on a timeframe, but if someone revokes access (i.e. they uninstall) then it will - so provide an uninstall URL to monitor when they do, and we’ll send a POST request there with the app_id so you can perform cleanup :+1:



Clear up to there…

But how do I trigger a request to start the OAuth flow after an admin installs our app from the app store?

I tried the route to obtain a token from the Configure flow, but that seems not right (for a Messenger-only home app).



You should be obtaining the token during installation - it’s app-specific, not user-specific, and should be stored for that app.

You trigger the request upon redirecting from your install URL to the Authorization code endpoint, in which a GET request should be made to obtain the code. This kicks off the flow for you to exchange the code for the Access Token, and then store such against the app_id.
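The install flow described in this thread (install URL redirect, code exchange, token stored per app_id, cleanup on the uninstall POST), as an added sketch that is not code from the thread or from Intercom. The endpoint URL, client id, `InstallFlow` class and the `exchange` callable are hypothetical placeholders, and the use of the standard OAuth 2.0 `state` parameter bound to the installer's session is an assumption added here.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Placeholders (assumptions): use the values from your app's Developer Hub page.
AUTHORIZE_URL = "https://example.invalid/oauth"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"


class InstallFlow:
    """Tracks pending installs and stores one access token per app_id."""

    def __init__(self, exchange):
        # exchange(code) -> (app_id, access_token); hypothetical wrapper around
        # the server-side HTTP call that swaps the code for the token.
        self._exchange = exchange
        self._pending = {}  # session_id -> state issued for that browser session
        self._tokens = {}   # app_id -> access token (use an encrypted store in production)

    def begin(self, session_id):
        """Install URL handler: build the redirect that starts the OAuth flow."""
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        return AUTHORIZE_URL + "?" + urlencode({"client_id": CLIENT_ID, "state": state})

    def callback(self, session_id, code, state):
        """Redirect handler: accept the code only if this session started the flow."""
        expected = self._pending.pop(session_id, None)  # single use
        if expected is None or not hmac.compare_digest(expected.encode(), state.encode()):
            raise PermissionError("state does not match an install started by this session")
        app_id, token = self._exchange(code)
        self._tokens[app_id] = token
        return app_id

    def token_for(self, app_id):
        """Server-side lookup when the Messenger sheet submits a rating."""
        return self._tokens.get(app_id)

    def uninstall(self, payload):
        """Uninstall URL handler: drop the revoked token for the posted app_id.
        Assumes the caller has already authenticated the request."""
        return self._tokens.pop(payload.get("app_id"), None) is not None
```

The token never leaves the server: the Messenger sheet sends the rating to your backend, which looks up the token by app_id and calls the API itself.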