Connect a support-conversation channel (Chatwoot / Intercom)
SupaCloud can act as the AI-resolution backend behind Chatwoot and Intercom.
An inbound customer message is HMAC-verified, enqueued as a gated backlog item,
and worked by an agent that reads and replies through governed conversation.*
tools — one ConversationProvider seam, two transport adapters.
Prerequisites
Section titled “Prerequisites”- A Chatwoot account (self-hosted or cloud) with an agent-bot access token, or an Intercom workspace with a workspace access token.
- For Chatwoot: the instance base URL + the numeric
account_id. For Intercom: the region (us/eu/au) + the botadmin_id. - The webhook signing secret each platform will sign deliveries with (the
Chatwoot inbox HMAC secret / the Intercom app
client_secret). - A workspace where you can create resources and a workflow.
-
Create the channel resource.
In Resources → New, pick Chatwoot or Intercom.
- Chatwoot — set
base_url(e.g.https://chat.example.com) andaccount_id; paste the agent-bot access token as the secret. Because a self-hosted host is operator-supplied, every outbound call to it goes through SupaCloud’s SSRF-pinned client. - Intercom — choose the
regionand set the botadmin_id; paste the workspace access token as the secret. Intercom’s regional API host is a fixed allowlist, so no host needs SSRF-pinning.
- Chatwoot — set
-
Add an inbound conversation trigger.
On the workflow that should handle conversations, add a trigger of kind
chatwoot_conversationorintercom_conversation. Configure:resource_id— the channel resource from step 1 (auto-bound when the workspace has exactly one of that kind).signing_secret— the webhook HMAC secret the platform signs with.mode—auto-reply(agent answers autonomously, under your autonomy / budget gates),human-gate(answer held for human approval), ornotify-only(verified deliveries are acked but start no agent work).
The trigger cannot be enabled until both a
resource_idand asigning_secretare present. Copy its receiver URL from the workflow’s Triggers panel. -
Wire the platform webhook.
Point the platform at the trigger’s receiver URL:
-
Chatwoot (Settings → Integrations → Webhooks): subscribe to Conversation Created + Message Created, set the HMAC secret to your
signing_secret. SupaCloud verifiesX-Chatwoot-Signature= HMAC-SHA256 over{X-Chatwoot-Timestamp}.{body}, with a stale-timestamp replay guard.POST <server public_url>/api/workflows/triggers/chatwoot/<token> -
Intercom (Developer Hub → Webhooks): subscribe to
conversation.user.created+conversation.user.replied, set the trigger’ssigning_secretto your app’sclient_secret. SupaCloud verifiesX-Hub-Signature= HMAC-SHA1 over the raw body.POST <server public_url>/api/workflows/triggers/intercom/<token>
-
-
Let the agent resolve conversations.
A verified new conversation / incoming customer message is enqueued as a backlog item and dispatched under the same autonomy, budget and quiet-hours gates as any other work. The agent reads and acts on the conversation through the
conversation.*MCP tools:conversation.get/conversation.list(read), andconversation.reply/assign/resolve/handoff(ops). A customer-visible reply rides the same SSRF-vetted sender;handoffis the explicit escape hatch back to a human team.