Zendesk Support product help forum Zendesk Chat product help forum Zendesk Talk product help forum Zendesk Guide product help forum Zendesk help forum Zendesk Explore help forum Outbound by Zendesk product help forum
  1. Zendesk Develop
  2. Zendesk APIs
  3. Using the Zendesk API

Making API requests on behalf of end users (Zendesk Support) Follow

Avatar
Charles Nadeau
Updated

In Zendesk Support, an authenticated admin can make API requests on behalf of any end user. The end user's email doesn't need to be verified. If a record is created, updated, or deleted, the change is associated with the end user, not the admin.

Making requests on behalf of end users consists of the following steps:

  1. Obtaining an OAuth access token with an impersonate scope
  2. Making the request

Related articles

Obtaining an OAuth access token with an impersonate scope

  1. If not already done, create an OAuth client in Zendesk Support (Admin > API > OAuth Clients).

  2. When requesting or creating the OAuth access token, specify an "impersonate" scope.

    Example when creating the access token with the API:

    curl https://{subdomain}.zendesk.com/api/v2/oauth/tokens.json \
-H "Content-Type: application/json" \
-d '{"token": {"client_id": "your_client_id", "scopes": ["impersonate", "write"]}}' \
-X POST -v -u {email_address}:{password}

    Only admins can use the API to create OAuth access tokens.

    Example when sending a user to the authorization page in an authorization flow:

    https://z3napi.zendesk.com/oauth/authorizations/new?client_id=my_test_client&scope=impersonate+write&response_type=code

Making the request

Only Zendesk Support admins can make requests on behalf of end users.

  1. In your request, use the access token to set an "Authorization" header. cURL example:

    -H "Authorization: Bearer 8b56769914d4c38617a389cab95124042c3c3eadf3f66d5dc9d7df2a7bca21e2"

  2. Set a "X-On-Behalf-Of" header that specifies either the user's username (the user's email address), or user ID. Examples:

    -H "X-On-Behalf-Of: customer@example.com"

    or

    -H "X-On-Behalf-Of: 203427634"

Example request

curl https://z3napi.zendesk.com/api/v2/tickets/1/satisfaction_rating \
  -H "Authorization: Bearer 8d56769914d4a38617a389cab90524042c3c3ebdf3f66d5dc9d7df2a7bca21e2" \
  -H "X-On-Behalf-Of: customer@example.com" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"satisfaction_rating": {"score": "good", "comment": "Awesome support."}}'

example

The example adds a satisfaction rating to the ticket.

Note: The Create Satisfaction Rating endpoint only works on tickets with a status of Solved, or on tickets that were reopened after being solved. The endpoint doesn't work on tickets with a status of Closed or on archived tickets. For more information, see What's the difference between a solved ticket and a closed ticket.

Comments

4 comments

Sort by Date Votes
  • Avatar
    indra Widjaja

    not working


    API Request


    curl https://{SUBDOMAIN}.zendesk.com/api/v2/tickets/XXXX/satisfaction_rating \
    -H "Authorization: Bearer {FULL_TOKEN} \
    -H "X-On-Behalf-Of: {EMAIL_ADDRESS}
    -X POST \
    -d '{"satisfaction_rating": {"score": "good", "comment": "Awesome support."}}'


    error response:


    {


      "error": {


        "title": "Forbidden",


        "message": "You do not have access to this page. Please contact the account owner of this help desk for further help."


      }


    }

    0
    Permalink
  • Avatar
    Charles Nadeau

    Hi indra,


    The CSAT endpoint only works on tickets with a status of Solved (or reopened after being Solved). Make sure the status of the ticket is not Closed or Archived. Some info on the different statuses:



    • Tickets in solved status, that are not closed by a trigger or automation, are automatically closed after 28 days, regardless of whether there have been updates to the ticket in that timeframe.


    • Closed tickets are locked. They cannot be reopened or updated in any way.


    https://support.zendesk.com/hc/en-us/articles/203660386-What-is-the-difference-between-a-Solved-ticket-and-a-Closed-ticket-

    0
    Permalink
  • Avatar
    Vojtech Soban

    Hi,

    I want to add comments on behalf of end users, according to docs I should just set up author_id

    curl 'https://d3v-bb.zendesk.com/api/v2/requests/109.json' -X PUT -H 'Authorization: Bearer b86c8*********410' -H 'Content-Type: application/json' -d '{"request":{"comment":{"author_id":363284300813,"body":"My comment","uploads":[]}}}'

    but when I refresh the comments I see my (I am admin) user id as author_id. I've tried this article and I am able to add a coment with different author using the X-On-Behalf-Of header but there are two still two issues:

    • it works only for end users with verified email address otherwise I got HTTP 403
    • it works only on server side, in the browser (our application is not server side), CORS complains that X-On-Behalf-Of header is not allowed, and that's true, see Access-Control-Allow-Headers: Authorization,X-Requested-With,X-Prototype-Version,X-Zendesk-API,Content-Type,X-CSRF-Token

    Please how to add comments on behalf of end users?

     

    Thanks

    Regards,

    Vojtech

    0
    Permalink
  • Avatar
    Bryan Flynn (Edited )

    Hello Vojtech -- the behavior you're experiencing is correct.

    Regarding impersonation...

    When using the X-On-Behalf-Of header, you can only impersonate end users. More details are here:

    Making API requests on behalf of end users

    "impersonate" is one of the available scopes that a token may have but it only allows admins to impersonate end users:

    "...allows Zendesk Support admins to make requests on behalf of end users"

    Regarding troubleshooting CORS...

    If you're using the Zendesk Apps framework, make the request using the framework's client.request method with cors:true setting. That keeps your request coming from the same domain and avoids CORS issues (assuming you're not crossing over to another Zendesk instance).

    The reason the request works server-side and not client-side is because CORS is only a browser based convention. Server-side apps don't have a CORS-like concept, so don't have such constraints. The same would be true if you're making the call using cURL (not a browser, so no CORS constraints).

     

    Post back for more detail or if you run into issues.

    0
    Permalink

Please sign in to leave a comment.

Related Articles

Related articles

Powered by Zendesk