Jonathan Elkin
Joined November 19, 2024
·
Last activity November 19, 2024
Latest activity by Jonathan Elkin
Jonathan Elkin created a post,
We are using the “Create Request” method of the Requests API to create a new ticket from a custom form on our website.
When using an authenticated request, we are supposed to provide an email address along with the api_token in this format:
{email_address}/token:{api_token}
The API Token is “Not associated with a specific Zendesk user. However, you must provide an email address for an admin, agent, or other valid user when authenticating requests.”
What is the purpose of the requirement to specify an email address when authenticating?
I don't see much upside – it would be fairly easy for an outsider to guess the email address of some (any!) Zendesk user at the organization. And chances are that if an attacker somehow gets access to the API Token, they'll also have access to the email address.
The downside is that it introduces a failure mode whereby if that user is ever removed from Zendesk (e.g., they change roles or leave the company), it will require updating the email address used by any apps that are calling the API, or else they'll stop functioning. Deletion of a user from Zendesk (who in all likelihood has nothing to do with use of the API) should not have the possible side effect of breaking API access! (In fact, you specifically designed the API Token mechanism such that deleting the user who created an API token will not disable/delete that token – which is good – but then it's undermined by still tying API calls to a particular user.)
Introduction of this totally foreseeable and avoidable failure mode seems like an unforced error. It's a problem that's waiting to happen, and for little to no upside.
Edited November 19, 2024 · Jonathan Elkin
1 follower · 4 votes · 2 comments
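The post above describes the credential format for API-token requests and the failure mode that follows from it: the token is not tied to a user, yet every call must name a valid user's e-mail, so removing that user silently breaks the integration. The following is an added example written for this page; it is neither Zendesk's code nor the poster's. It builds the Basic credential in the documented `{email_address}/token:{api_token}` shape, constructs the Create Request call, and maps an HTTP 401 to a distinct error so the "user was deleted" case is observable rather than a generic failure. Everything concrete in it is an assumption or constructed for the example: the `example` subdomain, the `/api/v2/requests` path and `{"request": {"subject", "comment": {"body"}}}` payload as recalled from the public Requests API docs, the e-mail addresses, the token string, the returned ticket id, and the fake transport that stands in for Zendesk so the script runs offline. In practice, teams reduce the failure mode by pairing the token with a dedicated service user's address rather than a named employee's; the example keeps the token out of the URL and out of error messages so it does not land in access logs or tracebacks.

```python
"""Create a Zendesk ticket via the Requests API using an API token credential.

Added example, not Zendesk's code.  Endpoint path, payload shape, subdomain,
users, token and ticket id are assumptions or constructed test data.
"""
import base64
import json
from urllib.request import Request

ZENDESK_SUBDOMAIN = "example"  # assumption: replace with the real subdomain
REQUESTS_ENDPOINT = f"https://{ZENDESK_SUBDOMAIN}.zendesk.com/api/v2/requests"


class AuthPrincipalError(RuntimeError):
    """Zendesk rejected the credential: the token is wrong, or the e-mail in
    ``{email}/token`` no longer names a valid user (the failure mode in the post)."""


def basic_credential(email: str, api_token: str) -> str:
    """Authorization header value for an API-token request.

    HTTP Basic auth with username ``{email}/token`` and password ``{api_token}``,
    base64-encoded once as a single ``user:password`` string.
    """
    if not email or not api_token:
        raise ValueError("email and api_token are both required")
    raw = f"{email}/token:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_credential(header_value: str):
    """Inverse of basic_credential: returns (email, api_token) or None.

    Used by the fake transport below, and handy for verifying what an app
    actually sends without logging the token itself.
    """
    if not header_value.startswith("Basic "):
        return None
    user, _, token = base64.b64decode(header_value[6:]).decode("utf-8").partition(":")
    email, _, scheme = user.rpartition("/")
    if scheme != "token" or not email:
        return None
    return email, token


def build_create_request(email: str, api_token: str, subject: str, body: str) -> Request:
    """Build (but do not send) POST /api/v2/requests.

    The token travels only in the Authorization header, never in the URL or
    the JSON body, so it does not end up in web-server access logs.
    """
    payload = {"request": {"subject": subject, "comment": {"body": body}}}
    return Request(
        REQUESTS_ENDPOINT,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": basic_credential(email, api_token),
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def create_ticket(email, api_token, subject, body, send):
    """Send the request via ``send`` (callable: Request -> (status, body_bytes)).

    401 becomes AuthPrincipalError so a deleted authenticating user is not
    mistaken for a transient outage.  The message names the e-mail (needed to
    fix the config) and deliberately omits the token.
    """
    status, raw = send(build_create_request(email, api_token, subject, body))
    if status == 401:
        raise AuthPrincipalError(
            f"Zendesk rejected credentials for {email!r}: "
            "token invalid or that user is no longer valid"
        )
    if status != 201:
        raise RuntimeError(f"unexpected HTTP {status}: {raw[:200]!r}")
    return json.loads(raw)["request"]["id"]


# --- constructed fake transport so the example runs offline -----------------
VALID_USERS = {"agent@example.com"}  # constructed: users Zendesk still knows
FAKE_TOKEN = "constructed-token-not-a-real-secret"  # constructed


def fake_send(req: Request):
    """Behave like Zendesk: accept the token only if the e-mail names a valid user."""
    cred = decode_credential(req.get_header("Authorization", ""))
    if cred is None or cred[1] != FAKE_TOKEN or cred[0] not in VALID_USERS:
        return 401, b'{"error":"Couldn\'t authenticate you"}'
    subject = json.loads(req.data)["request"]["subject"]
    return 201, json.dumps({"request": {"id": 35436, "subject": subject}}).encode()


if __name__ == "__main__":
    print(create_ticket("agent@example.com", FAKE_TOKEN, "Web form", "Hello", fake_send))
    try:  # the post's scenario: the named user has since left the company
        create_ticket("departed@example.com", FAKE_TOKEN, "Web form", "Hello", fake_send)
    except AuthPrincipalError as exc:
        print("failed:", exc)
```

Swap `fake_send` for a real transport (for example a function that calls `urllib.request.urlopen` and returns the status and body) to use it against a live account; a periodic call with the configured e-mail, checked for `AuthPrincipalError`, is a cheap way to catch the user-removal breakage before the website form starts failing.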