Intercom helps you understand and support your customers by allowing you to send and update user data—like names, email addresses, subscription levels, and more—in real time. This data is crucial for powering automation, personalised support, and teammate context.
To ensure that this information stays trustworthy and secure, Intercom provides controls that verify the source of data updates—using JSON Web Tokens (JWTs)—and optional enforcement settings to block unsigned updates.
The risks of insecure data
If a data attribute is not locked down:
Malicious users could spoof or tamper with the data sent to Intercom
Your workspace might reflect inaccurate or manipulated user information.
Critical workflows (like targeted messaging or support automations) could be triggered based on untrusted input.
Signing your data attributes with JWTs
To prevent tampering, Intercom supports JSON Web Tokens (JWTs). JWTs let you sign the user data you're sending to Intercom, proving it came from your backend and not from a user’s browser.
This applies to:
Standard attributes like name, email, signed-up date, etc.
Custom attributes you define to track additional user details.
When using JWTs:
You generate a token on your backend with all the attributes you want to update.
You sign the token using a secret key.
You send the JWT to Intercom along with the user session.
We have an open beta for this functionality. Please reach out to security@intercom.io if you wish to be added!
Enforcing signed attribute updates
By default, Intercom accepts data updates from both signed and unsigned sources (e.g., from the browser or from your backend). To truly lock down your data, you should ensure that you've prevented insecure updates to your attributes.
When enforcement is on, updates to attributes via the Messenger are ignored unless their value is updated via a valid JWT. This ensures that only trusted, signed sources can change user data in Intercom.
We recommend you enable this toggle for any attribute you’re sending in your JWT.
Go to Settings > Data > People
Choose the attribute you wish to lock down
Enable the toggle to “Prevent insecure updates via the Messenger”
Note: This attribute-update toggle does not prevent you from collecting data directly from leads with a bot, because that data comes directly from the user.
⚠️ This is a workspace-wide setting. Ensure your backend is fully set up to sign all required attributes before enabling.
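The two mechanisms above (signing attribute values on the backend with an expiring JWT, and the enforcement rule that ignores unsigned Messenger updates for locked attributes) are shown together below as an added, self-contained example. It is not Intercom's code: the claim names (user_id plus one claim per attribute), the HS256 algorithm, the secret value and the mock enforcement function are all assumptions made for illustration, and the page does not specify how Intercom lays out the token payload.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only. A real signing secret stays on the backend.
SECRET = b"example-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_attributes(user_id: str, attributes: dict, secret: bytes,
                    ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Build an HS256 JWT carrying the attribute values the backend vouches for.

    Claim layout (user_id, iat, exp, then one claim per attribute) is an assumption
    for this example, not Intercom's documented payload format.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "iat": now, "exp": now + ttl_seconds, **attributes}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # refuse 'none' or algorithm-switched tokens
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature mismatch: tampered payload or wrong secret
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None  # expired: limits the window in which a captured token can be replayed
    return payload


def apply_updates(profile: dict, locked: set, unsigned: dict,
                  token: Optional[str], secret: bytes, now: Optional[int] = None) -> dict:
    """Mock of the enforcement rule described in the article (not Intercom's implementation).

    Unsigned values (e.g. sent from the Messenger) are applied only to attributes that are
    not locked; locked attributes change only through a valid, unexpired JWT.
    """
    result = dict(profile)
    for key, value in unsigned.items():
        if key not in locked:
            result[key] = value
    claims = verify_token(token, secret, now) if token else None
    if claims:
        for key, value in claims.items():
            if key not in ("user_id", "iat", "exp"):
                result[key] = value
    return result


if __name__ == "__main__":
    token = sign_attributes("user-123", {"plan": "enterprise"}, SECRET, ttl_seconds=60)
    stored = {"plan": "free", "nickname": "anon"}
    # Browser tries to upgrade its own plan; only the JWT-signed value should win.
    print(apply_updates(stored, {"plan"}, {"plan": "enterprise", "nickname": "Alice"}, None, SECRET))
    print(apply_updates(stored, {"plan"}, {}, token, SECRET))
```

The unsigned update to the locked attribute is dropped while the unlocked nickname still changes; the same attribute does change when the value arrives in a token that verifies against the backend secret and has not passed its exp claim.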
Best Practices
Sign all important user data updates with JWTs, especially those used for messaging, targeting, or business logic.
Lock down your attributes in your Data > People settings
Never expose your JWT secret in any front-end code.
Add a token expiration (exp) claim to limit impact of token reuse.
FAQs
Does this apply to standard attributes too?
Yes. You must lock down all attributes, standard and custom, from your Data > People settings.
What happens if my frontend sends data without a JWT after enforcement is enabled?
The data is ignored. Intercom will not apply updates unless the JWT is present and valid.
Can I test JWT enforcement before turning it on in production?
Yes. Use your test workspace to verify your implementation.