Bearer Token Security

Answered

11 comments

  • Thomas Verschoren

    In short: NEVER post an API token where an end-user can see it. If you post the token where someone can copy it, it’s as if you’ve given them your admin password.

    But that’s the why not.

    More important, what would be a scenario where you need to use the API? Maybe there is a way to do it securely.

    0
  • Jon Bolden

    Ok, I think I'm not understanding then. For example, if I wanted to utilize a script like this using Zendesk's API:

    https://develop.zendesk.com/hc/en-us/community/posts/360001644428-Update-Ticket-via-Ajax-API

    But in the Help Center's script.js, how do I protect the Bearer token? 


    Thanks for your help

    0
  • Jon Bolden

    Is encoding the token a solution like suggested here?
    https://develop.zendesk.com/hc/en-us/community/posts/360001643127-Using-jquery-ajax-call-to-access-zendesk-API

    0
  • Thomas Verschoren

    Do you want to pre-fill fields in the ticket form? Or what are you trying to accomplish?

    0
  • Jon Bolden

    This is an arbitrary example, so ignore the purpose. What I really need to know is if this javascript/jQuery API call is doable to have publicly displayed in the script.js or another publicly accessible JS file. And how to use a bearer token or API token securely in an example like one of these.

    Thanks!

    0
  • Joseph May

    Hi Jon-

    There is no way to securely store authentication credentials in Help Center. If you need to authenticate with a third party server via Help Center, consider proxying the request via a third party service.

    0
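
The proxying suggested in the reply above, as an added example (not code from this thread or from Zendesk): the browser calls a small server that holds the bearer token and forwards only allowlisted calls. The subdomain, Help Center origin, allowlist entry and function names are assumptions made for illustration.

```javascript
// Added example: the token lives in the proxy's environment, never in script.js.
// Hypothetical values: UPSTREAM, ALLOWED_ORIGIN and the ALLOWLIST contents.
const UPSTREAM = 'https://example.zendesk.com';        // placeholder subdomain
const ALLOWED_ORIGIN = 'https://support.example.com';  // placeholder Help Center origin
const ALLOWLIST = [                                    // only the calls the page needs
  { method: 'GET', path: /^\/api\/v2\/ticket_fields\.json$/ },
];

// Turn a browser request into an upstream request plan, or a refusal.
// req: { method, path, headers } with lower-cased header names, path without query.
function buildUpstream(req, token) {
  if (!token) return { status: 500, error: 'proxy not configured' };
  // Origin filters pages on other sites; it is not authentication of the user.
  if (req.headers.origin !== ALLOWED_ORIGIN) {
    return { status: 403, error: 'origin not allowed' };
  }
  const allowed = ALLOWLIST.some(
    (rule) => rule.method === req.method && rule.path.test(req.path)
  );
  if (!allowed) return { status: 404, error: 'not proxied' };
  return {
    status: 200,
    url: UPSTREAM + req.path,
    init: {
      method: req.method,
      // Headers are built from scratch: a client-supplied Authorization or
      // Cookie header is never forwarded, and the token is added server-side.
      headers: { authorization: 'Bearer ' + token, accept: 'application/json' },
    },
  };
}

// Forward the call and relay only status and body; upstream headers and the
// token are never copied into the response sent back to the browser.
async function proxy(req, token, fetchImpl = fetch) {
  const plan = buildUpstream(req, token);
  if (plan.status !== 200) {
    return { status: plan.status, body: JSON.stringify({ error: plan.error }) };
  }
  const res = await fetchImpl(plan.url, plan.init);
  return { status: res.status, body: await res.text() };
}
```

Because every visitor's call runs with the proxy's privileges, the allowlist is the authorization boundary and should stay as narrow as the page's needs.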
  • Jon Bolden

    Thanks Joseph. I guess I’m confused, Zendesk’s API doesn’t allow the API to do simple things like get a list of user tickets on the homepage without building a separate app and hosting it on a third-party server?

    0
  • Trapta

    Hi Jon Bolden,

    If I am not mistaken and am understanding correctly, you want to customize the homepage to show the list of requests an end-user made?

    If so, have you tried looking at this API: https://developer.zendesk.com/rest_api/docs/support/requests#list-requests

    Put the code below in the console and see whether the results are what you are looking for:

    $.get('/api/v2/requests.json', function (data) { // success callback
      console.log(data);
    });

    Let me know if this solves your issue.

    Thanks

    0
  • Jon Bolden

    Yes, exactly but some API calls require authentication. So it looks like there’s no way to fully use the API with JavaScript on the help center without a third-party server?

    0
  • Trapta

    @Jon Bolden, if you want to show the tickets of users on the homepage, then you can use this API without any authentication. It is available for end-users only. However, some APIs need authentication, and that requires a third-party server for security purposes.

    Thanks

    0
  • Jon Bolden

    The example of showing tickets on the homepage was never what I was asking about, it was just an example. Obviously Zendesk does not provide a way to do Authenticated API requests on the Help Center without a third-party service involved, which is a shame. I have my answers, thank you!

    0
