# Create an identity verification secret

Creates a new identity verification secret for your workspace. Intercom generates a 256-bit, cryptographically random value server-side and returns it once in the response.

This is the only opportunity to capture the secret. Store it in your secure configuration immediately. The `secret` field is omitted from all subsequent responses (including `GET /secure_mode_secrets`) — if you lose it, you must rotate a new secret in and delete this one.

You must enable the secret for at least one platform (`supports_android`, `supports_ios`, or `supports_web`).

Rotation flow: create the new secret, roll it out to every client signing `user_hash` values, then delete the old secret with `DELETE /secure_mode_secrets/{id}` once traffic has cut over.

Endpoint: POST /secure_mode_secrets
Version: Preview
Security: bearerAuth

## Header parameters:

  - `Intercom-Version` (string)
    Intercom API version. By default, it's equal to the version set in the app package.
    Enum: "1.0", "1.1", "1.2", "1.3", "1.4", "2.0", "2.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8", "2.9", "2.10", "2.11", "2.12", "2.13", "2.14", "Preview"

## Request fields (application/json):

  - `name` (string, required)
    Human-readable name for the secret.
    Example: "Production Web"

  - `supports_android` (boolean)
    Enable this secret for the Android SDK.

  - `supports_ios` (boolean)
    Enable this secret for the iOS SDK.

  - `supports_web` (boolean)
    Enable this secret for the Messenger on web.
    Example: true

## Response 201 fields (application/json):

  - `type` (string)
    value is "identity_verification_secret"
    Example: "identity_verification_secret"

  - `id` (string)
    The id of the secret
    Example: "102"

  - `name` (string)
    Human-readable name for the secret, used to identify it in rotation flows
    Example: "Production Web"

  - `supports_android` (boolean)
    Whether the secret is enabled for the Android SDK

  - `supports_ios` (boolean)
    Whether the secret is enabled for the iOS SDK

  - `supports_web` (boolean)
    Whether the secret is enabled for the Messenger on web
    Example: true

  - `created_at` (integer)
    The time the secret was created, as a Unix timestamp
    Example: 1734537243

  - `secret` (string)
    The 256-bit HMAC signing key, base64url-encoded. Returned ONCE at creation time and never surfaced again.
    Example: "9Zw0xNs3vKk0fPz9rwKqNbzH3mPVQmQxL9vhSm9Tk4A"

## Response 401 fields (application/json):

  - `type` (string, required)
    The type is error.list
    Example: "error.list"

  - `request_id` (string,null)
    Example: "f93ecfa8-d08a-4325-8694-89aeb89c8f85"

  - `errors` (array, required)
    An array of one or more error objects

  - `errors.code` (string, required)
    A string indicating the kind of error, used to further qualify the HTTP response code
    Example: "unauthorized"

  - `errors.message` (string,null)
    Optional. Human readable description of the error.
    Example: "Access Token Invalid"

  - `errors.field` (string,null)
    Optional. Used to identify a particular field or query parameter that was in error.
    Example: "email"

## Response 422 fields (application/json):

  - `type` (string, required)
    The type is error.list
    Example: "error.list"

  - `request_id` (string,null)
    Example: "f93ecfa8-d08a-4325-8694-89aeb89c8f85"

  - `errors` (array, required)
    An array of one or more error objects

  - `errors.code` (string, required)
    A string indicating the kind of error, used to further qualify the HTTP response code
    Example: "unauthorized"

  - `errors.message` (string,null)
    Optional. Human readable description of the error.
    Example: "Access Token Invalid"

  - `errors.field` (string,null)
    Optional. Used to identify a particular field or query parameter that was in error.
    Example: "email"
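
An added example (not Intercom's code) of handling this endpoint's one-time response: it builds the request with the at-least-one-platform check, then writes the returned secret to an owner-only file and hands back a secret-free record that is safe to log. The API host `https://api.intercom.io`, the file-path argument and both function names are assumptions; the sample response is constructed from the example values documented above.

```python
import base64
import json
import os
import urllib.request

API_BASE = "https://api.intercom.io"  # assumption: the page does not state the host
PLATFORMS = ("supports_android", "supports_ios", "supports_web")

# Constructed 201 body, using the example values documented on this page.
SAMPLE_201 = json.dumps({
    "type": "identity_verification_secret", "id": "102",
    "name": "Production Web", "supports_web": True, "created_at": 1734537243,
    "secret": "9Zw0xNs3vKk0fPz9rwKqNbzH3mPVQmQxL9vhSm9Tk4A"})

def build_create_request(token, name, **platforms):
    """Build (without sending) POST /secure_mode_secrets."""
    if set(platforms) - set(PLATFORMS):
        raise ValueError("unknown platform flag")
    # The endpoint requires the secret to be enabled for at least one platform.
    if not any(v is True for v in platforms.values()):
        raise ValueError("enable at least one of " + ", ".join(PLATFORMS))
    body = json.dumps({"name": name, **platforms}).encode()
    return urllib.request.Request(
        API_BASE + "/secure_mode_secrets", data=body, method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json",
                 "Intercom-Version": "Preview"})

def capture_secret(response_body, secret_path):
    """Write the one-time secret to secret_path; return a record safe to log."""
    record = json.loads(response_body)
    if record.get("type") != "identity_verification_secret":
        raise ValueError("unexpected response type")
    secret = record.pop("secret", None)
    if not secret:
        raise ValueError("response carries no secret")
    # Documented as a base64url-encoded 256-bit key, so it must decode to 32 bytes.
    raw = base64.urlsafe_b64decode(secret + "=" * (-len(secret) % 4))
    if len(raw) != 32:
        raise ValueError("secret is not 256 bits")
    # O_EXCL refuses to overwrite an existing key; 0o600 restricts it to the owner.
    fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    return record  # "secret" removed, so this can go to logs or a ticket
```

In a real deployment the file write would be replaced by a call to whatever secret store holds your signing keys; the point is that the raw response body never reaches logs.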