This article explains how to generate and configure the two JSON Web Tokens (JWTs) required for Fin Messenger to authenticate users when routing conversations to Salesforce Enhanced Chat. Completing these steps lets Fin securely pass user identity to both Intercom and Salesforce, so your teammates can trust the identity of customers they're speaking with.
Prerequisites: Fin Messenger must already be installed in your app, and a Salesforce Enhanced Chat Messaging Channel must be configured. The Ruby jwt gem is required if using the Rails code examples below. This feature is available on Fin Messenger plans that include Salesforce integration. Contact your account team to confirm access.
You must add both JWTs to your intercomSettings attributes to enable Fin Messenger authentication with Salesforce Enhanced Chat:
intercom_user_jwt
This is used to securely provide Fin with the Contact ID and any attributes for the Contact or Account that you want to provide to Fin (or Salesforce).
salesforce_identity_token
This is used to authenticate the user with Salesforce Enhanced Chat so that your teammates can be confident the user is who they claim to be.
Omitting intercom_user_jwt means Fin cannot securely pass contact data to Salesforce. Omitting salesforce_identity_token means Salesforce cannot verify the user's identity, and your teammates will not be able to confirm the customer is who they claim to be.
Both JWTs must be generated server-side on each page load for the current user, using a separate private key for each. Follow these steps to obtain each key and enable user verification in Fin Messenger and Salesforce:
Retrieve your Intercom private key — go to Settings > Messenger > Security and copy your Messenger API Secret. This is the signing key for intercom_user_jwt.
Prepare your Salesforce private key — if you already have one, use the same key configured for Salesforce Enhanced Chat. If not, generate a private key and self-signed certificate using OpenSSL (a command-line tool for generating cryptographic keys), upload the certificate to Salesforce, and attach it to your Messaging Channel. See Salesforce: Generate an Access Token for an Authenticated User for step-by-step instructions.
Enable User Verification in Salesforce — go to Setup > Messaging Settings, find the channel linked to your Embedded Service Deployment, and enable Add User Verification. See Salesforce: Token-Based User Verification Setup for full instructions.
The following Rails example shows how to generate both JWTs for Fin Messenger and Salesforce Enhanced Chat authentication and pass them into your intercomSettings object:
Rails view — passing JWTs into intercomSettings for Fin Messenger:
window.intercomSettings = {
  api_base: "https://api-iam.intercom.io",
  app_id: "your-app-id-here",
  user_id: "<%= current_user&.id %>",
  intercom_user_jwt: "<%= intercom_jwt(current_user&.id) %>",
  salesforce_identity_token: "<%= salesforce_jwt(current_user&.id) %>"
};
Rails helpers — generating Intercom and Salesforce JWTs for Fin Messenger:
intercom_jwt uses HS256 (HMAC-SHA256, a symmetric signing algorithm) with your Intercom Messenger API Secret. salesforce_jwt uses RS256 (RSA-SHA256, an asymmetric signing algorithm) with your Salesforce private key.
require "jwt"     # Ruby jwt gem (see prerequisites)
require "openssl"

# INTERCOM_JWT_SECRET and SF_PRIVATE_KEY are assumed to be defined elsewhere in your app.

# Signs the user ID with the Messenger API Secret (HS256).
def intercom_jwt(user_id)
  JWT.encode({ user_id: user_id, exp: Time.now.to_i + 3600 }, INTERCOM_JWT_SECRET, "HS256")
end

# Signs the Contact ID with the Salesforce private key (RS256).
def salesforce_jwt(contact_id)
  # JWT payload
  payload = {
    iss: "intercom.com", # Set to whatever is set as Issuer in SF Enhanced Chat User Verification settings
    sub: contact_id,
    aud: "https://your-salesforce-subdomain-here.my.salesforce-scrt.com",
    exp: Time.now.to_i + 3600, # expires in 1 hour
    iat: Time.now.to_i
  }
  # JWT headers
  headers = {
    alg: "RS256",
    typ: "JWT",
    kid: "WebAppKey1" # Your key id here
  }
  JWT.encode(payload, OpenSSL::PKey::RSA.new(SF_PRIVATE_KEY), "RS256", headers)
end
Note: Both JWTs are set to expire after 1 hour (exp: Time.now.to_i + 3600). They must be regenerated on each page load — do not cache them between sessions. If a JWT expires mid-conversation, the customer may need to refresh the page to re-authenticate. Check your Salesforce Messaging Channel configuration for any minimum or maximum expiry constraints on salesforce_identity_token.
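Added example (not Intercom's or Salesforce's code): a stdlib-only Ruby check that verifies tokens shaped like the two above as a receiving side could, pinning HS256 or RS256 per token and checking exp, iss and aud. The names sign_jwt, check_jwt and the sample_* helpers are hypothetical, the secret, RSA key and IDs are constructed for the example, and sign_jwt stands in for JWT.encode so the block runs without the jwt gem.

```ruby
require "openssl"
require "base64"
require "json"
B64 = ->(data) { Base64.urlsafe_encode64(data, padding: false) }

# Minimal stand-in for JWT.encode so this check runs without the jwt gem.
def sign_jwt(payload, key, alg, extra = {})
  input = [{ alg: alg, typ: "JWT" }.merge(extra), payload].map { |part| B64.(JSON.generate(part)) }.join(".")
  sig = alg == "HS256" ? OpenSSL::HMAC.digest("SHA256", key, input) : key.sign("SHA256", input)
  "#{input}.#{B64.(sig)}"
end

# Verify against ONE pinned algorithm (the token header never picks the verifier),
# then check exp and the expected claims. Returns [:ok, claims] or [reason, nil].
def check_jwt(token, key, pinned_alg, expected = {}, now = Time.now.to_i)
  head, body, sig = token.split(".")
  return [:malformed, nil] unless head && body && sig
  return [:bad_alg, nil] unless JSON.parse(Base64.urlsafe_decode64(head))["alg"] == pinned_alg
  input, raw = "#{head}.#{body}", Base64.urlsafe_decode64(sig)
  valid = if pinned_alg == "HS256"
            mac = OpenSSL::HMAC.digest("SHA256", key, input)
            mac.bytesize == raw.bytesize && mac.bytes.zip(raw.bytes).sum { |a, b| a ^ b }.zero?
          else
            key.verify("SHA256", raw, input) # key is the RSA public key
          end
  return [:bad_signature, nil] unless valid
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  return [:expired, nil] unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  expected.each { |name, value| return [:"bad_#{name}", nil] unless claims[name.to_s] == value }
  [:ok, claims]
rescue JSON::ParserError, ArgumentError
  [:malformed, nil]
end

# Constructed sample values; iss, aud and kid repeat the article's placeholders.
INTERCOM_SECRET = "constructed-messenger-api-secret"
SF_KEY = OpenSSL::PKey::RSA.new(2048) # throwaway key for this example only
SF_EXPECT = { iss: "intercom.com", aud: "https://your-salesforce-subdomain-here.my.salesforce-scrt.com" }

def sample_intercom_token
  sign_jwt({ user_id: "constructed-user-id", exp: Time.now.to_i + 3600 }, INTERCOM_SECRET, "HS256")
end

def sample_sf_token(ttl = 3600)
  now = Time.now.to_i
  sign_jwt(SF_EXPECT.merge(sub: "constructed-contact-id", exp: now + ttl, iat: now), SF_KEY, "RS256", kid: "WebAppKey1")
end

p [check_jwt(sample_intercom_token, INTERCOM_SECRET, "HS256").first,
   check_jwt(sample_sf_token, SF_KEY.public_key, "RS256", SF_EXPECT).first]
```

Running the same check against tokens from your real helpers, with the public key from the certificate you uploaded, surfaces a mismatched issuer, audience or key before a customer conversation does.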
