Authorization FAQ

API Key deprecation

🚧

Note: Access Tokens and OAuth have replaced API Keys

As of April 2017, all public integrations must use OAuth rather than API Keys.

If you're using an API Key to access the Intercom API for your own data, you should switch to using an Access Token asap - API Keys will be fully deprecated early 2018.

What do I do with my current API Keys?

You don't need to take any action on your current API Keys once you have switched to using OAuth or Personal Access Tokens, they will simply stop working when deprecated.

What if I am using the iOS or Android SDK?

This only impacts web users. If you are using the Android or iOS SDKs then this will not impact you and you don't need to take any action.

OAuth

What is the expiry time for my OAuth token?

We wanted to make this transition as easy as possible so currently we do not expire your OAuth token. We will review this as needed but for now you do not need to worry about refreshing your OAuth token once it is generated.

What OAuth flows does Intercom cover?

The OAuth 2.0 documentation talks about flows in terms of 'grants'. They describe the different grant types which are covered by the OAuth framework. The Intercom OAuth implementation covers the most common type of grant flow, the Authorization Code Grant. This can also be referred to as the Sever-Side web flow.

Can I use my OAuth token to request my own data instead of an Access Token?

Yes, if you want you can follow the OAuth implementation steps and use an OAuth token instead of an Access Token – this is entirely up to you. If you don't need to use OAuth it is much easier to use Access Tokens.

Can I use an Access Token instead of an OAuth token?

No, if you need to implement the use cases described in the section under OAuth here then you cannot use an Access Token instead of an OAuth token. Asking integration users to share their Access Tokens with you is against our terms of service and may result in your API access being revoked.

Will this impact my Intercom Javascript setup?

No, OAuth should not impact your current JS configuration. If you notice any issues with your JS after migrating to OAuth or Access Tokens then let us know.

Access Tokens

Can I give out my Access Token in the same way I did with my API Keys?

No, you should never give out your Access Token as this gives access to your private Intercom data. We are deprecating API Keys to ensure greater security and granularity of access via OAuth, but have introduced Access Tokens so you can easily access your own data. Third parties should never request your Access Token - if they do or you believe a third party has your Access Token, please inform us immediately.