Identity Verification helps to make sure that conversations between you and your users are kept private and that one user can't impersonate another. We strongly encourage all Intercom customers to set up and enable Identity Verification.
Identity Verification works by using a server side generated HMAC (hash based message authentication code), using SHA256, on either the user’s user_id or email.
Follow these instructions in the Intercom Setup Guide to set up and enable Identity Verification on your web product.
Once you’ve set up Identity Verification, you can turn it on or off at any time in the Intercom for web settings. This can be useful while you’re developing but your conversations will be vulnerable while it’s off.
- Check that you’ve set up Identity Verification everywhere in your app or website where you talk to logged-in users. If you only set it up on some places and not others, then Intercom Messenger may not work properly.
- If you only talk to anonymous visitors or don’t use the Intercom Messenger, you can skip the Identity Verification setup, but we still encourage you to enable it in the Intercom for web settings.
- Make sure you’re generating your HMAC with the right user data based on what you’re sending to Intercom.
- If you’re sending both user_id and email, then make sure your HMAC is generated with the user_id value.
- If you’re sending just the user_id attribute, make sure your HMAC is generated with that same user_id value.
- If you’re sending just the email attribute, make sure your HMAC is generated with that same email value.
- Use the right secret key. You can find your secret key in the Intercom for web settings.
- Be careful not to leak your secret key onto your frontend client or anywhere publicly accessible. If you’ve leaked your secret key, contact us to get a new one.