If you want to use Intercom as a support chat in your White-Label app, follow this guide to connect and secure your workspace properly.
1. Register for Intercom Startup Program
To get started, you need:
APP_ID
The easiest way to find your workspace ID is in the URL of any Intercom page. For example:
Here,
xyz123is your APP_ID.Alternatively, navigate to:
Settings > Installation > Web > Install chat for visitors > With code
Secret Key
Required for Messenger security (see below).
2. Secure Your Messenger with JWTs
JSON Web Tokens (JWTs) are the recommended way to secure your Messenger. They prevent unauthorized access, impersonation, or data leaks.
How it works:
JWTs are server-side generated based on:
user_id(mandatory)Optional payload with additional user data
Messenger API Secret Key
Intercom uses the JWT to verify the identity of the user for every session.
Why use JWTs:
Prevents bad actors from accessing conversations.
Ensures only authenticated users can interact with your Messenger.
Strongly recommended for all installations.
Already using HMAC Identity Verification? See the migration guide to switch to JWT for enhanced security.
3. Setting Up Messenger Security
You can enable, disable, or adjust Messenger Security in Intercom:
Follow the instructions and code examples for your language/framework.
Note: Disabling this feature during development is possible but makes your workspace vulnerable.
Best Practices for JWT Implementation
Token Expiration
Match the token lifetime to your app’s session length.
Shorter-lived tokens improve security.
Token Refresh
Provide fresh tokens periodically, especially if user info changes.
Rotate Secret Keys
Your Messenger API secret keys are in:
Workspace > Security > MessengerCopy existing keys or rotate them for enhanced security.
4. Identity Verification Options
Recommended: JWT-based verification
Legacy support: HMAC-based Identity Verification
Tip: Switch to JWT for all new integrations.
5. Troubleshooting
Common issues and solutions:
Messenger not working everywhere:
Ensure Messenger Security is enabled on all platforms (web, iOS, Android).JWT generation errors:
Always use the user’s user_id for token creation.
Use the correct secret key from your workspace settings.
Avoid exposing your secret key in public/frontend code. If leaked, rotate immediately.
Debugging:
Check verbose logs on the setup page.
Use the token debugger for issues with JWTs.
6. Key Takeaways
Always secure your Intercom Messenger with JWTs.
Use the APP_ID and secret key correctly across all platforms.
Rotate secret keys regularly and refresh JWT tokens when needed.
Test Messenger on all devices (web, iOS, Android) to ensure consistent functionality.
Use Intercom’s tools and logs for troubleshooting.
✅ With this setup, your Intercom integration will be secure, consistent, and ready to support your White-Label app users safely.