Answered

Where is the authorization header for Intercom's webhooks?

  • 13 January 2022
  • 4 replies
  • 258 views

I need to set up the Intercom webhook to an external endpoint. But the external endpoint needs an authorization header. I could not find the HTTP header fields in Intercom's webhook configuration.

 

https://www.rfc-editor.org/rfc/rfc6750#section-5

"Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations."


Best answer by Aparna 17 January 2022, 16:21


Hey @user2215! Just so I am on the same page as you, are you trying to subscribe to a Webhook notification from Intercom and you want it to be sent to a specific URL? If so, you can set it up as mentioned in this doc here. The URL where you wish to receive the webhook notification request must be HTTPS.

But how do you send an authentication token with the call to the webhook URL? This should be done in the header of the call, but it’s not apparent where to add headers.

Are you using the legacy webhook or the Custom Actions? Not sure for legacy but for Custom Actions, it has a separate Authentication field in Settings. You will need to create the authentication token there, and use it for your Custom Action.

Why is this marked as having a verified answer?

Neither the link provided nor the Intercom webhook page explains how to add authorization to the webhook call. As in the docs, you can use https://webhook.site/ to test the webhook calls, and they’re received without authorization.

 

This means that anybody can call the endpoint for the webhook and pass in data…

 

 

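The concern raised in the last reply, that anybody can post to the webhook URL, is normally handled on the receiving endpoint by checking a signature over the request body. The following is an added example, not code from this thread or from Intercom: it assumes the sender signs the raw body with HMAC-SHA1 using the app's client secret and sends the result as `X-Hub-Signature: sha1=<hex>`, as Intercom's webhook documentation describes. The secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for illustration only; not real credentials.
CLIENT_SECRET = b"example-client-secret"
SAMPLE_BODY = b'{"type":"notification_event","topic":"example.topic"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender holding the secret would attach to raw_body."""
    return "sha1=" + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the raw request body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-hub-signature")
    if not received or not received.startswith("sha1="):
        return False  # unsigned or malformed request: reject
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


if __name__ == "__main__":
    signed = {"X-Hub-Signature": sign(CLIENT_SECRET, SAMPLE_BODY)}
    print("signed request accepted:", verify_webhook(CLIENT_SECRET, SAMPLE_BODY, signed))
    print("unsigned request accepted:", verify_webhook(CLIENT_SECRET, SAMPLE_BODY, {}))
```

The check must run over the exact bytes received, before any JSON parsing or re-serialisation, otherwise a valid signature will not match.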