# Identity Verification Secrets

Manage HMAC signing secrets for Messenger identity verification — list, create, and rotate out. Signing material is returned only once, at creation time.

## List all identity verification secrets

 - [GET /secure_mode_secrets](https://developers.intercom.com/docs/references/preview/rest-api/api.intercom.io/identity-verification-secrets/listidentityverificationsecrets.md): Returns the identity verification secrets configured for your workspace.

Each entry includes metadata only — the HMAC signing material itself is never returned by this endpoint. The raw secret is only available once, in the response to POST /secure_mode_secrets. Persist it at that moment.

## Create an identity verification secret

 - [POST /secure_mode_secrets](https://developers.intercom.com/docs/references/preview/rest-api/api.intercom.io/identity-verification-secrets/createidentityverificationsecret.md): Creates a new identity verification secret for your workspace. Intercom generates a 256-bit, cryptographically random value server-side and returns it once in the response.

This is the only opportunity to capture the secret. Store it in your secure configuration immediately. The secret field is omitted from all subsequent responses (including GET /secure_mode_secrets) — if you lose it, you must rotate a new secret in and delete this one.

You must enable the secret for at least one platform (supports_android, supports_ios, or supports_web). Rotation flow: create the new secret, roll it out to every client signing user_hash values, then delete the old secret with DELETE /secure_mode_secrets/{id} once traffic has cut over.

## Delete an identity verification secret

 - [DELETE /secure_mode_secrets/{id}](https://developers.intercom.com/docs/references/preview/rest-api/api.intercom.io/identity-verification-secrets/deleteidentityverificationsecret.md): Soft-deletes an identity verification secret. After deletion, any user_hash values signed with that secret will no longer verify — Messenger sessions depending on it will be rejected on their next request. Use this to complete a rotation: create a new secret, roll it out, then delete the old one.