Creating and using OAuth tokens with the API


7 Comments

  • Matt Owens

    Not sure if it was intended, but there is .example in the following examples. 

    curl https://{subdomain}.example.zendesk.com/api/v2/oauth/clients.json \
      -v -u {email_address}/token:{api_token}

    curl https://{subdomain}.example.zendesk.com/api/v2/oauth/clients.json \
      -v -u {email_address}:{password}

  • Charles Nadeau

    Not intended. I fixed the URLs. Thanks, Matt.

  • Peter Wong

    Hi Charles,

    Will the token expire? The support document says that the token will never expire.

    What if I want to have an OAuth token which is only valid for 2 hours? How should I do that?

    Thanks.
  • Charles Larry

    The statement that "using OAuth tokens for authentication doesn't tie the requests to a specific username and password" is true in the sense that anyone in possession of the OAuth token can use it. However, in a way it is tied to a specific user: the user that created it. For example, if user X creates the token and gives it to user Y and user Y uses the token to add a comment to a ticket without setting the author_id of the comment to user Y, then the comment by default will be attributed to user X (the creator of the token). That appears to be the phenomenon encountered by one user as described in his comment: https://support.zendesk.com/hc/en-us/articles/226316187/comments/360001755167
  • Bryan - Community Manager

    You're correct Charles Larry -- OAuth access tokens/keys are always tied to a particular user. When that key is used, the action is effectively performed under the user who created the key.

    That's why, depending on the context, securing keys is important. For example, if the key was created by an admin and gets made public somehow, whoever has it can perform any action that admin can perform. If a key is leaked somehow, it should be revoked immediately.

  • Scott Franke

    Is it possible to use this method/non-grant type tokens to grant access for the Chat APIs?

    The documentation for the Chat Conversation API references setting the scope (singular) to read, write, and chat.

    The Create Token endpoint has scopes (plural) and errors if you include 'chat'.

    Requested scopes are invalid. Invalid scopes: chat

    Is there another method to set the scope for a non-grant type token, or do you have to use one of the grant type token methods?
  • Bryan - Community Manager

    Hi Scott Franke,

    The above article focuses on generating an access token for Zendesk Support.

    For Zendesk Chat, you'll want to follow the instructions at: Generating a Zendesk Chat OAuth token

    Following those instructions, along with the need for including "chat" in the scope, will return an access token that you can use with the Chat Conversations API.

    It can be confusing, but for legacy reasons, generating access tokens for Zendesk Support, Chat, and Sell is different, unfortunately (for now). Hope this clarifies things!
