What is Identity Verification?
Updated over 3 weeks ago

Identity Verification ensures conversations between you and your users are kept private, and that a bad actor can't impersonate your users. If you are using the Intercom Messenger integration with hand off to Zendesk for logged-in users, we strongly recommend you use Identity Verification.

If you only use Intercom for website visitors who don’t log in, you don’t need Identity Verification. It only applies to users, for whom you have identifiers like email address or user_id.


What is a user impersonation attack?

On workspaces that have logged-in users, without Identity Verification, it’s possible for a bad actor to impersonate a user. This means a bad actor could see a user’s historical conversations, appear to your teammates as that user and deceive them into taking actions on that user’s account.

For example, without Identity Verification, someone can interact with your Intercom Messenger and spoof the identity of another user, by providing a known identifier like their email address or user_id. This allows an attacker to pose as a real user to your teammates, giving access to previous conversations and potentially sensitive data.


How does Identity Verification protect my workspace?

With Identity Verification, you generate a unique user hash for each of your users based on their email address or user_id and your workspace’s identity verification secret (available at the Install step, when setting up Intercom Messenger for hand over to Zendesk). Your integration will generate and send these hashes along with every Messenger request, allowing us to trust that the user request truly came from you.

Here’s how your web Messenger requests are protected from impersonation when you properly enable Identity Verification for your workspace.

Identity Verification prevents cross-user impersonation on your workspace because without access to your secret, a third party attempting to spoof a user's identifier to Intercom will be unable to send Intercom a valid user hash for that user.

Once Identity Verification is enforced, the Intercom Messenger will not load or accept requests for your logged-in users without a valid user hash.


Does Identity Verification affect the user experience?

With Identity Verification correctly set up, there is no impact to your customers. Users and Leads will experience the Messenger as normal. There is no extra action required from them to authenticate themselves or use the Messenger.


What’s the difference between Leads and Users?

Intercom makes a clear distinction between:

  • Visitors - unknown customers to your site who aren’t logged in and don’t have a conversation history with you,

  • Leads - customers who start a conversation with you or reply to a message. They are identified by names like “Charcoal Umbrella from Paris” and receive an Intercom cookie to remember their conversation history,

  • Users - customers who sign up to your product and log into an existing account. You usually identify these by email address or user ID.


Do I need to set up Identity Verification for visitors?

When Intercom is installed for website visitors who don’t log in, you don’t need Identity Verification. It only applies to users, for whom you have identifiers like email address or user_id.

In other words, when you enable identity verification for your workspace, Intercom will only expect a user_hash when the Messenger is loaded for a user. However, when the Messenger is loaded for a logged-out visitor/lead, a user_hash is not required.


Why don’t you have one secret for all platforms?

We made a unique secret for each platform so it would be easier to rotate each one or enable Identity Verification on each platform independently.


How do I generate a unique hash per platform when I use the same backend for all users?

You shouldn’t generate the hash and store it in your database. You should instead generate it and dynamically send it when identifying the user to Intercom. This will mean that when you change secrets or the user is using a different platform, you’ll have the correct hash being sent.

If you store the hash and send it, you’d have to do a mass regeneration upon any changes to your secret which would create friction for you.


Does Identity Verification protect both user_id and email address values?

No, Identity Verification requires you to create a unique hash using the secret and either the user’s user_id or email address. If you send user_ids with your Messenger requests, you have to create the hash using this identifier. If you don’t send user_ids, you generate it with the email address field.
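
The two answers above (generate the hash per request instead of storing it, and hash the user_id when one is sent, otherwise the email) as an added Python example, not code from this page or from Intercom. The page does not name the algorithm; the sketch uses HMAC-SHA256 with a hex digest, as Intercom's setup documentation specifies. The secrets, platform names and function names are constructed for illustration, and `is_valid` only models the receiving side's check.

```python
import hashlib
import hmac

# Constructed placeholder secrets, one per platform. Real values come from
# the workspace settings and are loaded from a secrets store at runtime.
PLATFORM_SECRETS = {
    "web": b"constructed-web-secret",
    "ios": b"constructed-ios-secret",
}


def _mac(platform, identifier):
    """HMAC-SHA256 of the identifier, keyed with that platform's secret."""
    key = PLATFORM_SECRETS[platform]
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def user_hash(platform, user_id=None, email=None):
    """Compute the hash at request time; nothing is stored in the database."""
    # If a user_id is sent with Messenger requests it is the hashed value;
    # the email is used only when no user_id is sent.
    identifier = str(user_id) if user_id else email
    if not identifier:
        raise ValueError("a logged-in user needs a user_id or an email")
    return _mac(platform, identifier)


def messenger_settings(platform, user_id=None, email=None):
    """Identity fields for one Messenger load; visitors and leads get none."""
    if not user_id and not email:
        return {}  # logged-out visitor or lead: no user_hash is required
    settings = {"user_hash": user_hash(platform, user_id, email)}
    if user_id:
        settings["user_id"] = str(user_id)
    if email:
        settings["email"] = email
    return settings


def is_valid(platform, identifier, presented_hash):
    """Model of the receiving side: recompute and compare in constant time."""
    return hmac.compare_digest(_mac(platform, identifier), presented_hash)
```

Run this on the server only: the secret must never reach the browser or the mobile app bundle.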

Find out how to set up and enable Identity Verification for web and mobile.
