Ideally, you should add two JWTs to your intercomSettings attributes:
intercom_user_jwt
This is used to securely provide Fin with the Contact ID and any attributes for the Contact or Account that you want to provide to Fin (or Salesforce).
salesforce_identity_token
This is used to authenticate the user with Salesforce Enhanced Chat so that your teammates can be confident the user is who they claim to be.
For both JWTs, you'll need to generate the JWT on your server on each page load for the current user, using the respective private keys, so that the keys themselves are never sent to the browser. For the Intercom private key, you can retrieve it from Settings -> Messenger -> Security. For the Salesforce private key, you will use the same one that you are using already. If you haven't generated one yet, you'll need to generate it using OpenSSL, upload it to Salesforce and then attach it to the Messaging Channel. Details of how to do this can be found here. You'll also need to turn on User Verification in Messaging Settings as detailed here.
An example of doing this in Rails would be the following:
View:
  window.intercomSettings = {
    api_base: "https://api-iam.intercom.io",
    app_id: "your-app-id-here",
    user_id: "<%= current_user&.id %>",
    intercom_user_jwt: "<%= intercom_jwt(current_user&.id) %>",
    salesforce_identity_token: "<%= salesforce_jwt(current_user&.id) %>"
  };
Helpers:
  require "jwt"      # ruby-jwt gem
  require "openssl"

  # INTERCOM_JWT_SECRET and SF_PRIVATE_KEY are loaded from server-side configuration.

  # Signs the Intercom user JWT (HS256), valid for 1 hour.
  def intercom_jwt(user_id)
    JWT.encode({ user_id: user_id, exp: Time.now.to_i + 3600 }, INTERCOM_JWT_SECRET, "HS256")
  end

  # Signs the Salesforce identity token (RS256) with the private key attached to the Messaging Channel.
  def salesforce_jwt(contact_id)
    # JWT payload
    payload = {
      iss: "intercom.com", # Set to whatever is set as Issuer in SF Enhanced Chat User Verification settings
      sub: contact_id,
      aud: "https://your-salesforce-subdomain-here.my.salesforce-scrt.com",
      exp: Time.now.to_i + 3600, # expires in 1 hour
      iat: Time.now.to_i
    }
    # JWT headers
    headers = {
      alg: "RS256",
      typ: "JWT",
      kid: "WebAppKey1" # Your key id here
    }
    JWT.encode(payload, OpenSSL::PKey::RSA.new(SF_PRIVATE_KEY), "RS256", headers)
  end
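To check locally that a token with the claims used in salesforce_jwt verifies before relying on it, the following added example (not part of the original article, and not Intercom or Salesforce code) signs and verifies an RS256 token using only Ruby's standard library. The helper names sign_rs256, check_rs256 and sample_token are hypothetical, the RSA key is generated on the spot, and the checks are the ones a verifier would typically apply, including the nil subject that the helpers above sign when current_user is nil.

```ruby
require "openssl"
require "json"

# base64url without padding, the encoding JWT segments use (hypothetical helpers)
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  (str.tr("-_", "+/") + "=" * ((4 - str.size % 4) % 4)).unpack1("m0")
end

# Builds and signs an RS256 token with the same header fields as salesforce_jwt.
def sign_rs256(payload, private_key, kid)
  head = b64url(JSON.generate(alg: "RS256", typ: "JWT", kid: kid))
  body = b64url(JSON.generate(payload))
  sig = private_key.sign(OpenSSL::Digest.new("SHA256"), "#{head}.#{body}")
  "#{head}.#{body}.#{b64url(sig)}"
end

# Returns the claims hash if every check passes, otherwise a symbol naming the failure.
def check_rs256(token, public_key, iss:, aud:, kid:, now: Time.now.to_i)
  head, body, sig = token.split(".")
  return :malformed unless head && body && sig
  header = JSON.parse(b64url_decode(head))
  return :bad_header unless header["alg"] == "RS256" && header["kid"] == kid
  ok = public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig), "#{head}.#{body}")
  return :bad_signature unless ok
  claims = JSON.parse(b64url_decode(body))
  return :expired unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  return :wrong_issuer unless claims["iss"] == iss
  return :wrong_audience unless claims["aud"] == aud
  return :missing_subject if claims["sub"].to_s.empty?
  claims
end

# Constructed sample values: the key is generated here, it is not a real Salesforce key.
KEY = OpenSSL::PKey::RSA.new(2048)
AUD = "https://your-salesforce-subdomain-here.my.salesforce-scrt.com"
def sample_token(sub, exp_offset = 3600)
  now = Time.now.to_i
  sign_rs256({ iss: "intercom.com", sub: sub, aud: AUD, exp: now + exp_offset, iat: now }, KEY, "WebAppKey1")
end
```

Calling check_rs256(sample_token(nil), KEY.public_key, iss: "intercom.com", aud: AUD, kid: "WebAppKey1") returns :missing_subject, which is the case to guard against in the view when no user is logged in.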