Intercom helps you understand and support your customers by allowing you to send and update user data—like names, email addresses, subscription levels, and more—in real time. This data is crucial for powering automation, personalised support, and teammate context.
To ensure that this information stays trustworthy and secure, Intercom provides controls that verify the source of data updates—using JSON Web Tokens (JWTs)—and optional enforcement settings to block unsigned updates.
The risks of insecure data
If a data attribute is not locked down:
Malicious users could spoof or tamper with the data sent to Intercom.
Your workspace might reflect inaccurate or manipulated user information.
Critical workflows (like targeted messaging or support automations) could be triggered based on untrusted input.
Signing your data attributes with JWTs
To prevent tampering, Intercom supports JSON Web Tokens (JWTs). JWTs let you sign the user data you're sending to Intercom, proving it came from your backend and not from a user’s browser.
This applies to:
Standard attributes like name, email, signed-up date, etc.
Custom attributes you define to track additional user details.
When using JWTs:
You generate a token on your backend with all the attributes you want to update.
You sign the token using a secret key.
You send the JWT to Intercom along with the user session.
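The three steps above, sketched as an added example for a Node.js backend (not Intercom's own code). It assumes HS256 signing; the claim names (user_id, email, plan), the helper names and the secret are constructed for illustration, and verifyUserAttributes stands in for the check the receiving side performs.

```javascript
// Added example: HS256 JWT for user attributes, Node.js standard library only.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Backend only: `secret` must never be shipped in front-end code.
function signUserAttributes(attributes, secret, ttlSeconds = 300, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { ...attributes, iat, exp: iat + ttlSeconds }; // short-lived token
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.createHmac("sha256", secret).update(input).digest("base64url");
  return `${input}.${sig}`;
}

// Receiver-side check: returns the payload, or null if the token is not trustworthy.
function verifyUserAttributes(token, secret, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  let header, payload;
  try {
    header = fromB64url(h);
    payload = fromB64url(p);
  } catch {
    return null;
  }
  if (header?.alg !== "HS256") return null; // pin the algorithm, reject "none"
  const expected = crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null; // constant-time compare
  if (typeof payload?.exp !== "number") return null;
  if (payload.exp <= Math.floor(now / 1000)) return null; // expired
  return payload;
}

// Simulates a browser-side edit: the payload changes, the signature cannot follow.
function tamperPlan(token, newPlan) {
  const [h, p, s] = token.split(".");
  const edited = { ...fromB64url(p), plan: newPlan };
  return `${h}.${b64url(JSON.stringify(edited))}.${s}`;
}

// Constructed sample values, not real credentials or users.
const SAMPLE_SECRET = "constructed-demo-secret-not-a-real-key";
const SAMPLE_NOW = Date.UTC(2024, 0, 1);
const SAMPLE_USER = { user_id: "u-1001", email: "ada@example.com", plan: "free" };
const sampleToken = signUserAttributes(SAMPLE_USER, SAMPLE_SECRET, 300, SAMPLE_NOW);
```

A token whose payload was edited after signing, or one presented after its exp time, fails verification, which is why a locked-down attribute cannot be changed from the browser alone.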
Enforcing signed attribute updates
By default, Intercom accepts attribute updates from both signed and unsigned sources (for example, directly from the browser or from your backend). To fully secure your data, you should enable the “Require verified updates” setting in Intercom.
When this setting is turned on, updates sent through the Messenger are ignored unless they come from an authenticated request (such as via JWT or the REST API). This ensures that only trusted, verified sources can modify user data in Intercom.
We recommend you enable this toggle for any attribute you’re sending in your JWT.
Go to Settings > Data > People
Choose the attribute you wish to lock down
Enable the toggle to “Require verified updates”
The “Require verified updates” toggle does not prevent you from collecting data directly from leads with a bot, because that data comes directly from the user.
Important: This is a workspace-wide setting. Ensure your backend is fully set up to sign all required attributes before enabling.
Best Practices
Sign all important user data updates with JWTs, especially those used for messaging, targeting, or business logic.
Lock down your attributes in Settings > Data > People.
Never expose your JWT secret in any front-end code.
Add a token expiration (exp) claim to limit the impact of token reuse.
FAQs
What are attribute protections?
Every attribute you send about users or companies to Intercom can be locked down with a toggle to require verified updates via the Messenger channel. If you lock down an attribute, only values sent via a secure JWT or REST API can update this value. This prevents unauthorized updates to user data, ensuring only updates that come from you are applied to the user's data.
You can check the status of your attribute in Settings > Data > People. To learn more about securing your Messenger with JWTs, see our help article.
Does this apply to standard attributes too?
Yes. You must lock down all attributes, standard and custom, from Settings > Data > People.
What happens if my frontend sends data without a JWT after enforcement is enabled?
The data is ignored. Intercom will not apply updates unless the JWT is present and valid.
Can I test JWT enforcement before turning it on in production?
Yes. Use your test workspace to verify your implementation.

