intercom-security-basics

Featured

Apply Intercom security best practices for tokens, webhook verification, and scopes. Use when securing access tokens, implementing webhook signature validation, or configuring least-privilege OAuth scopes. Trigger with phrases like "intercom security", "intercom secrets", "secure intercom", "intercom webhook signature", "intercom token rotation".

AI & Automation 2,266 stars 315 forks Updated today MIT

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Intercom Security Basics ## Overview Security best practices for Intercom access tokens, webhook signature verification, Identity Verification (HMAC), and least-privilege OAuth scopes. ## Prerequisites - Intercom access token or OAuth credentials - Understanding of HMAC cryptographic signatures - Access to Intercom Developer Hub ## Instructions ### Step 1: Secure Token Storage ```bash # .env (NEVER commit to git) INTERCOM_ACCESS_TOKEN=dG9rOmFiY2RlZmdoaQ== INTERCOM_WEBHOOK_SECRET=your-webhook-signing-secret INTERCOM_IDENTITY_SECRET=your-identity-verification-secret # .gitignore (mandatory entries) .env .env.local .env.*.local ``` Verify no tokens are committed: ```bash # Scan git history for leaked tokens git log --all -p | grep -i "INTERCOM_ACCESS_TOKEN\|dG9r" | head -5 # If found: rotate token immediately, then use git-filter-repo to remove ``` ### Step 2: Webhook Signature Verification (X-Hub-Signature) Intercom signs webhook notifications with HMAC-SHA1 using `X-Hub-Signature`. You must verify this on every incoming webhook. ```typescript import crypto from "crypto"; import express from "express"; function verifyIntercomWebhook( payload: Buffer, signature: string, secret: string ): boolean { // Intercom uses X-Hub-Signature with HMAC-SHA1 const expectedSignature = "sha1=" + crypto .createHmac("sha1", secret) .update(payload) .digest("hex"); // Timing-safe comparison to prevent timing attacks return crypto.timingSafeEqual( Buff...

Details

Author
jeremylongshore
Repository
jeremylongshore/claude-code-plugins-plus-skills
Created
7 months ago
Last Updated
today
Language
Python
License
MIT

Integrates with

Anthropic · AI

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

hubspot-security-basics

Apply HubSpot security best practices for tokens, scopes, and webhook verification. Use when securing private app tokens, implementing least privilege scopes, or validating HubSpot webhook signatures. Trigger with phrases like "hubspot security", "hubspot token rotation", "secure hubspot", "hubspot scopes", "hubspot webhook verify".

2,266 Updated today
jeremylongshore
AI & Automation Featured

intercom-webhooks-events

Implement Intercom webhook handling and data event tracking. Use when setting up webhook endpoints, processing Intercom notifications, or submitting custom data events for contact activity tracking. Trigger with phrases like "intercom webhook", "intercom events", "intercom webhook signature", "handle intercom events", "intercom data events", "track intercom events".

2,266 Updated today
jeremylongshore
AI & Automation Featured

intercom-install-auth

Install and configure Intercom API authentication with access tokens or OAuth. Use when setting up a new Intercom integration, configuring API credentials, or initializing the intercom-client SDK in your project. Trigger with phrases like "install intercom", "setup intercom", "intercom auth", "configure intercom API key", "intercom access token".

2,266 Updated today
jeremylongshore
AI & Automation Featured

shopify-security-basics

Apply Shopify security best practices for API credentials, webhook HMAC validation, and access scope management. Use when securing API keys, validating webhook signatures, or auditing Shopify security configuration. Trigger with phrases like "shopify security", "shopify secrets", "secure shopify", "shopify HMAC", "shopify webhook verify".

2,266 Updated today
jeremylongshore
AI & Automation Featured

hex-security-basics

Apply Hex security best practices for secrets and access control. Use when securing API keys, implementing least privilege access, or auditing Hex security configuration. Trigger with phrases like "hex security", "hex secrets", "secure hex", "hex API key security".

2,266 Updated today
jeremylongshore