Accessing help center API from private app



  • Bryan - Community Manager

    Hi Ola. Calling Help Center APIs across subdomains, even when they're brands on your account, is currently a challenge.

    Because you're crossing domains, you need to provide authentication info.

    AND, because you're crossing domains, you need to be aware that a "Bearer" token (and not just "Basic") is needed, as mentioned here:

    Client-side CORS requests are supported if the request is authenticated with an OAuth access token.

    That means you'll need to expose an OAuth Bearer token in your client side app.

    That said, if you make a ZAFClient client.request cors:true call with a Bearer token, the call will work.

    If you're doing just GET calls, you could limit the risk of exposing an OAuth access token by using a read-only "hc:read" scoped token in the Help Center API call. Since the app is only exposed to agents, this also limits risk.

    You can create the OAuth token a number of ways, including through the API using cURL. Example:
    curl -v -u --request POST '' --header 'Content-Type: application/json' --data-raw '{"token": {"client_id": 1234567890, "scopes": ["hc:read"]}}'
    "client_id" is the numeric ID of the OAuth client in your Zendesk Support instance. See GET /api/v2/oauth/clients.json to list OAuth client IDs.

    You can then do a cross-origin, read-only call to the other brand's HC API. Example:

    let settings = {
      dataType: "json",
      method: "GET",
      url: "",
      // cors: true sends the request from the browser, so the Bearer token is present client-side
      cors: true,
      headers: {"Authorization": "Bearer 571cdf9848571cdf9848571cdf9848571cdf9848571cdf9848571cdf9"}
    };

    client.request(settings)
      .then(data => console.log("success:", data))
      .catch(error => console.log("error:", error));

    This may seem like a lot of work to just access your own data, but part of the challenge is working around general internet standards, such as cross-origin calls. Hope this helps!
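
Added example (not part of the original reply and not Zendesk's code): a guard that builds the client.request settings shown above only when the token is limited to "hc:read", the call is a GET, and the target is an expected HTTPS host. The token record shape ({ scopes, full_token }), the function name and the host names are assumptions for illustration.

```javascript
// Scopes considered safe to ship in a client-side app, per the advice above.
const READ_ONLY_SCOPES = new Set(["hc:read"]);

// Hypothetical helper: returns settings for client.request, or throws if the
// token or target would expose more than a read-only Help Center call.
function buildReadOnlyHcRequest(tokenRecord, url, allowedHosts) {
  const scopes = Array.isArray(tokenRecord.scopes) ? tokenRecord.scopes : [];
  if (scopes.length === 0) {
    throw new Error("token lists no scopes; refusing to use it client-side");
  }
  const tooBroad = scopes.filter(s => !READ_ONLY_SCOPES.has(s));
  if (tooBroad.length > 0) {
    throw new Error("token scope too broad: " + tooBroad.join(", "));
  }

  let target;
  try {
    target = new URL(url);
  } catch (e) {
    throw new Error("invalid URL");
  }
  // The Bearer token must never travel over plain HTTP or to an unexpected host.
  if (target.protocol !== "https:") throw new Error("HTTPS required");
  if (target.username || target.password) throw new Error("credentials in URL");
  if (!allowedHosts.includes(target.hostname)) {
    throw new Error("host not allowed: " + target.hostname);
  }

  return {
    dataType: "json",
    method: "GET", // read-only token, read-only call
    url: target.href,
    cors: true,
    headers: { Authorization: "Bearer " + tokenRecord.full_token }
  };
}

// Constructed sample values, not real credentials or hosts.
const sampleToken = { scopes: ["hc:read"], full_token: "EXAMPLE_TOKEN" };
const sampleHosts = ["brand2.example.com"];
const sampleSettings = buildReadOnlyHcRequest(
  sampleToken,
  "https://brand2.example.com/api/v2/help_center/articles.json",
  sampleHosts
);
```

In the app, the returned object is what would be passed to client.request(settings).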
