feat(support): Add Intercom backend for identity verification#108408
feat(support): Add Intercom backend for identity verification#108408sentaur-athena wants to merge 6 commits intomasterfrom
Conversation
github-actions
bot
added
Scope: Backend
|
🚨 Warning: This pull request contains Frontend and Backend changes! It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently. Have questions? Please ask in the |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
…ication
Add backend support for Intercom messenger with JWT-based identity verification:
- Add intercom.app-id and intercom.identity-verification-secret options
- Create OrganizationIntercomJwtEndpoint for generating signed JWTs
- Add INTERCOM grant type to DataAccessGrant model for ticket tracking
- Update get_active_tickets_for_organization to include both providers
- Add organizations:intercom-support feature flag for gradual rollout
- Register /api/0/organizations/{org}/intercom-jwt/ endpoint
The JWT is signed with HS256 and includes user_id, email, name, and
organization context. Tokens expire after 5 minutes for security.
The feature flag allows gradual rollout and serves as a killswitch
to instantly revert to Zendesk without code deployment.
Add isinstance check for AnonymousUser to narrow the type of request.user for mypy, which sees it as User | AnonymousUser.
Register the endpoint pattern so the frontend routes requests correctly.
Fixes timing issue where third-party widgets (like Intercom) try to access the DOM before it's ready, causing appendChild errors.
sentaur-athena
force-pushed
the
athena/intercom-backend
branch
from
85ee1b6 to
74f3792
Compare
michelletran-sentry
left a comment
michelletran-sentry
left a comment
There was a problem hiding this comment.
Generally LGTM. Just have a few questions.
| ) | ||
|
|
||
| # Intercom Integration | ||
| register("intercom.app-id", default="", flags=FLAG_PRIORITIZE_DISK | FLAG_AUTOMATOR_MODIFIABLE) |
There was a problem hiding this comment.
This currently looks unused. It looks like it's encoded into the frontend? Do we need this here?
There was a problem hiding this comment.
@michelletran-sentry I have to register an env var for the app id and app secret. I actually don't know what's the best way, looks like it should live in getsentry looking at other existing code. Let me know if you know the answer: https://sentry.slack.com/archives/C039ZGT5K/p1772060405590499
There was a problem hiding this comment.
It's used here in the backend: https://github.com/getsentry/getsentry/pull/19394
Will remove it from this PR because at this point I think it belongs to getsentry.
| claims = { | ||
| "user_id": str(user.id), | ||
| "email": user.email, | ||
| "name": user.get_display_name(), |
There was a problem hiding this comment.
The name claim looks like it's an optional claim in Intercom. Are we planning on enforcing it?
There was a problem hiding this comment.
Good point. I think we want it but shouldn't enforce it.
|
|
||
|
|
||
| @control_silo_endpoint | ||
| class OrganizationIntercomJwtEndpoint(ControlSiloOrganizationEndpoint): |
There was a problem hiding this comment.
nit: do we need Organization in the class name? Maybe
| class OrganizationIntercomJwtEndpoint(ControlSiloOrganizationEndpoint): | |
| class IntercomJwtEndpoint(ControlSiloOrganizationEndpoint): |
?
There was a problem hiding this comment.
our endpoints that are like ../organization/{slug}/... are named organization endpoint. No strong opinion.
2 participants
End goal:
We want to replace Zendesk with Intercom in product. Here is a helpful diagram about how the pieces get connected in the end: https://www.notion.so/sentry/Migration-Plan-Zendesk-to-Intercom-Chat-in-Sentry-Product-30a8b10e4b5d807c9bcdef3105761dda?source=copy_link#30a8b10e4b5d80e7aa7af9b9a58f2c47
This PR:
Add backend support for Intercom messenger with JWT-based identity verification. Zendesk Auth was session based and didn't need this in the past which is why we need a new endpoint:
The JWT is signed with HS256 and includes user_id, email, name, and organization context. Tokens expire after 5 minutes for security.
The feature flag allows gradual rollout and serves as a killswitch to instantly revert to Zendesk without code deployment.
E2E testing:
Tested using ngrok and the next PR in stack. Request goes through in happy path denied from unknown domains.