Zendesk provides 3 ways of authenticating API requests:
- basic authentication with a username and password
- API token
- OAuth access token
You normally opt for OAuth tokens when you need users to grant your application access to their accounts. This involves building an OAuth authorization flow.
You can also use OAuth tokens for other types of requests that don't require user authorization. For example, you might use them in applications used by internal staff or by the general public. Using OAuth tokens for authentication doesn't tie the requests to a specific username and password, and it offers more control and security than plain API tokens: a token can be limited to read or write scope and revoked on its own. The token is still tied to the account of the user who created it, however: requests made with it are performed as that user, and it stops working if that user is deactivated.
The following example is a request that uses an OAuth token for authentication:
curl https://obscura.zendesk.com/api/v2/users.json \
-H "Authorization: Bearer 52d7ef4ee01e2c2c75bff572f957cd4f12d6225eee07ea2f01d01a"
Creating a token with the Zendesk API
This section describes the steps to create an OAuth access token with the Zendesk API.
You can use basic authentication or an API token to make the Zendesk API requests in these steps. Don't confuse an API token with an OAuth access token. You can get an API token from the Support admin interface. See API token in the Support API docs.
If your organization uses single sign-on (SSO) and the Zendesk passwords were deleted from the Zendesk account, you'll have to use an API token to make the requests.
Create an OAuth client
- In Zendesk Support, select Admin > Channels > API > OAuth Clients.
- Complete the form. See Registering your application with Zendesk for details.
Get the client ID
Use the List Clients endpoint to get the id of your new client.
Request
Basic authentication
curl https://{subdomain}.zendesk.com/api/v2/oauth/clients.json \
-v -u {email_address}:{password}
API token
curl https://{subdomain}.zendesk.com/api/v2/oauth/clients.json \
-v -u {email_address}/token:{api_token}
Response
{"clients":
[
{
"name": "OAuth client for my app",
"id": 50328,
"user_id": 293241756,
...
},
...
]
}
Create the access token
Use the client id in the Create Token endpoint to get an access token.
The endpoint can only be used by Support admins.
Request
Basic authentication
curl https://{subdomain}.zendesk.com/api/v2/oauth/tokens.json \
-d '{"token": {"client_id": "50328", "scopes": ["read", "write"]}}' \
-H "Content-Type: application/json" \
-X POST -v -u {email_address}:{password}
API token
curl https://{subdomain}.zendesk.com/api/v2/oauth/tokens.json \
-d '{"token": {"client_id": "50328", "scopes": ["read", "write"]}}' \
-H "Content-Type: application/json" \
-X POST -v -u {email_address}/token:{api_token}
Learn more about scopes in Setting the scope in the Zendesk Support Help Center.
Response
{"token":
{
"full_token":"52d7ef4ee01e2c2c75bff572f957cd4f12d6225eee07ea2f01d01a",
"scopes":["read","write"],
...
}
}
The full_token property specifies the access token. Keep the value in a safe place.
Use the access token in requests
Use the access token in an Authorization header in your requests. Example:
curl https://{subdomain}.zendesk.com/api/v2/users.json \
-H "Authorization: Bearer 52d7ef4ee01e2c2c75bff572f957cd4f12d6225eee07ea2f01d01a"
In cURL, the -H flag indicates a header field.
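The four steps above (create a client, look up its id, create the token, use it as a Bearer header) as one added Python example. This is not code from Zendesk or from the article; it assumes the endpoints and JSON shapes exactly as the article shows them. The subdomain obscura and the client name are the article's, the e-mail address and API token value are made up, and the fake transport with its canned responses is constructed here so the flow runs offline; when no fake is injected the standard-library urllib transport is used for real requests.

```python
import base64
import json
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# transport(method, url, headers, body) -> (http_status, response_body_bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def basic_auth_header(email: str, secret: str, api_token: bool = False) -> str:
    """Authorization value that curl's -u flag sends. api_token=True uses the
    article's '{email}/token:{api_token}' form instead of '{email}:{password}'."""
    user = f"{email}/token" if api_token else email
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def bearer_header(access_token: str) -> str:
    """Authorization value for requests made with the OAuth access token."""
    return f"Bearer {access_token}"


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport (standard library only); raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class ZendeskOAuthTokens:
    def __init__(self, subdomain: str, auth_header: str,
                 transport: Transport = urllib_transport):
        self.base = f"https://{subdomain}.zendesk.com/api/v2"
        self.auth_header = auth_header
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Authorization": self.auth_header, "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, raw = self.transport(method, self.base + path, headers, data)
        if status not in (200, 201):  # e.g. a rejected scope: fail loudly, don't guess
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw.decode(errors='replace')}")
        return json.loads(raw)

    def find_client_id(self, client_name: str) -> int:
        """'Get the client ID': look the client up by name via List Clients."""
        ids = [c["id"] for c in self._call("GET", "/oauth/clients.json")["clients"]
               if c.get("name") == client_name]
        if len(ids) != 1:
            raise LookupError(f"expected one client named {client_name!r}, found {len(ids)}")
        return ids[0]

    def create_token(self, client_id: int, scopes: Iterable[str]) -> str:
        """'Create the access token': POST to Create Token, return full_token.
        full_token is shown only in this response, so hand it to a secret store
        rather than logging it."""
        body = {"token": {"client_id": str(client_id), "scopes": list(scopes)}}
        return self._call("POST", "/oauth/tokens.json", body)["token"]["full_token"]


# Constructed offline stand-in for the API: response shapes copied from the article.
CLIENT_ID = 50328
FULL_TOKEN = "52d7ef4ee01e2c2c75bff572f957cd4f12d6225eee07ea2f01d01a"


def make_fake_transport(log: list) -> Transport:
    """Records every request in `log` and answers with canned responses."""
    def fake(method, url, headers, body):
        log.append((method, url, headers, body))
        if method == "GET" and url.endswith("/oauth/clients.json"):
            return 200, json.dumps({"clients": [{"name": "OAuth client for my app",
                                                 "id": CLIENT_ID, "user_id": 293241756}]}).encode()
        if method == "POST" and url.endswith("/oauth/tokens.json"):
            scopes = json.loads(body)["token"]["scopes"]
            bad = [s for s in scopes if s not in ("read", "write")]  # only the two scopes the article uses
            if bad:  # same rejection as quoted in the comments for 'chat'
                return 400, json.dumps({"error": "Requested scopes are invalid. Invalid scopes: "
                                        + " ".join(bad)}).encode()
            return 201, json.dumps({"token": {"full_token": FULL_TOKEN, "scopes": scopes}}).encode()
        return 404, b"{}"
    return fake


def demo(scopes: Iterable[str] = ("read", "write")) -> str:
    """Run the whole flow offline; returns the Bearer header to use afterwards."""
    log: list = []
    api = ZendeskOAuthTokens("obscura",  # subdomain from the article; credentials are made up
                             basic_auth_header("admin@example.com", "api-token-value", api_token=True),
                             transport=make_fake_transport(log))
    return bearer_header(api.create_token(api.find_client_id("OAuth client for my app"), scopes))


if __name__ == "__main__":
    print(demo())
```

To run it against a real account, construct ZendeskOAuthTokens with your own subdomain and credentials and leave the transport at its default; the non-2xx check in _call is what surfaces an invalid-scope rejection like the one quoted in the comments instead of silently continuing.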
14 Comments
The statement that "using OAuth tokens for authentication doesn't tie the requests to a specific username and password" is true in the sense that anyone in possession of the OAuth token can use it. However, in a way it is tied to a specific user: the user that created it. For example, if user X creates the token and gives it user Y and user Y uses the token to add a comment to a ticket without setting the author_id of the comment to user Y, then the comment by default will be attributed to user X (the creator of the token). That appears to be the phenomenon encountered by one user as described in his comment: https://support.zendesk.com/hc/en-us/articles/226316187/comments/360001755167
You're correct Charles Larry -- OAuth access tokens/keys are always tied to a particular user. When that key is used, the action is effectively performed under the user who created the key.
That's why, depending on the context, securing keys is important. For example, if the key was created by an admin and gets made public somehow, whoever has it can perform any action that admin can perform. If a key is leaked somehow, it should be revoked immediately.
Is it possible to use this method/non-grant type tokens to grant access for the Chat APIs?
The documentation for the Chat Conversation API references setting the scope (singular) to read, write, and chat.
The Create Token end point has scopes (plural) and errors if you include 'chat'.
Requested scopes are invalid. Invalid scopes: chat
Is there another method to set the scope for non-grant type token or do you have to use one of the grant type token methods?
Hi Scott Franke,
The above article focuses on generating an access token for Zendesk Support.
For Zendesk Chat, you'll want to follow the instructions at: Generating a Zendesk Chat OAuth token
Following those instructions, along with the need for including "chat" in the scope, will return an access token that you can use with the Chat Conversations API.
It can be confusing, but for legacy reasons, generating access tokens for Zendesk Support, Chat, and Sell is different for each, unfortunately (for now). Hope this clarifies things!
We have an ETL script from Zendesk to our own Database; we want to make sure this one continues to work even if the person that generates the token is no longer with the company. We've been using a basic + token authentication method; however, it is tied to a user.
Would you recommend using an OAuth token instead? Would this keep the token alive even if the user/admin that generates it is deactivated?
Thanks
Hi Eddy Castillo. For API access to Zendesk Support, these are the possible ways: How can I authenticate API requests
All the available approaches are tied to a user, however. There is no "machine to machine" type user.
The closest you can get to creating a more permanent, non-user-based access token is to fake it and create a specially identified "agent" for these purposes.
The bottom line is, if a user is disabled, their access is disabled, even if they use an OAuth access token. Hope this at least sets expectations!
Hi,
I have been following the documentation on implementation of the Chat API https://developer.zendesk.com/rest_api/docs/chat/auth
There is a step for getting an access token for a user; I was trying to do the instruction as in the screenshot.
The part of
code={your_code}
is not clear to me. What is this {your_code} supposed to be filled in with?
Thank you!
Hi Lev,
The mentioned cURL call and code part refer to the code that would be generated after the user allows your app access to their Chat instance. This is the code that we are talking about:

You get the code (after user provides required access) and use it in your cURL call/app right away.
Hi Sergei,
Thank you for the reply. I have worked my way around this one,
but I have noticed that when I tried to get an access token with scope = read write, I get the token as expected, but when I try to set the scope = chat (as I will need to use the chat API later), I got this response with "quote".
Do you have any idea what step I should proceed with here?
Another reason I set the scope to chat is because when I used my access token (generated with scope read and write) to access the conversation API,
I got the error
invalid scope :/
Thank you
Hi Lev,
To create an OAuth token for Chat you would need to follow a different path. See here: Chat API tutorial: Generating an OAuth token (integrated Chat accounts)
You get the mentioned error because the scope is indeed incorrect. The list of allowed scope objects can be found in this article: Using OAuth authentication with your application, but this is not the OAuth flow you are after, in any way.
Hope this is helpful.
Hi Sergei,
I followed the steps in https://support.zendesk.com/hc/en-us/articles/115010760808-Chat-API-tutorial-Generating-an-OAuth-token-integrated-Chat-accounts-
which is actually what I did before. I got my access token no problem; in the response I see that the scope is
{"access_token": "*****************************", "token_type": "Bearer", "scope": "read write", "refresh_token": "************************"},
Am I able to use this token for the chat conversation API? "https://chat-api.zopim.com/graphql/request"
because in my own app I will be using this conversation API to allow my end user to chat with an agent through my app.
Thank you
A bit more to note:
I also tried with "Scope= chat" when requesting an access token; I added a screenshot here.
Although the response is the same scope as read and write,
when I tried again to access the conversation API with this token
I got the same error message.
Hi Lev,
I have created a support ticket for your query, just so that we can work on your specific question.
See you later!
Thank you, Sergei