Question
How can I authenticate API requests using one of Zendesk's v2 APIs?
Answer
You must be a verified user to make API requests. You can authenticate API requests using basic authentication with your email address and password, with your email address and an API token, or with an OAuth access token.
All methods of authentication set the authorization header differently. Credentials sent in the payload (body) or URL are not processed.
This article includes information on the following topics:
Basic authentication
If you use basic authentication, combine your email address and password to generate the authorization header.
The email address and password combination needs to be a Base-64 encoded string.
The authorization header should be formatted like this, with the email_address:password string Base-64 encoded:
Authorization: Basic email_address:password
API token
If you use an API token, combine your email address and API token to generate the authorization header.
The email address and API token combination needs to be a Base-64 encoded string.
The authorization header should be formatted like this, with the email_address/token:api_token string Base-64 encoded:
Authorization: Basic email_address/token:api_token
OAuth access token
If you use OAuth to authenticate, the authorization header should be formatted like this:
Authorization: Bearer oauth_access_token
For more information, see this article: Using OAuth authentication with your application.
Viewing your authorization header
If you want to see exactly what is sent by your app, use a page like http://requestb.in/. It's helpful to compare your headers to those being generated by an HTTP target using basic authentication. Point an HTTP target to the same requestb.in page and choose Test Target to see this in action:
Once that hits your requestb.in, it shows up like this:
The string following "Authorization: Basic" is dXNlckBlbWFpbC5jb206b3BlbnNlc2FtZQ==
This is the base64-encoded version of the username/password. To decode that manually, head to a page like https://www.base64decode.org/, paste the string into the upper box, and click Decode:
If you use Python to make requests, it should be possible to set your session headers as follows:
import requests
session = requests.Session()
# Replace Basic_64_encoded_code with the Base-64 encoded credential string described above.
session.headers.update({'Content-Type': 'application/json', 'Authorization': 'Basic Basic_64_encoded_code'})
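As an added example (not Zendesk's code), the following builds each header form described above and checks an existing header value locally, so credentials never need to be pasted into a third-party decoder. The function names are hypothetical, and the sample values are the placeholder strings that appear on this page.

```python
import base64
import binascii


def basic_header(email, secret, api_token=False):
    """Authorization value for password auth, or API-token auth if api_token=True."""
    user = f"{email}/token" if api_token else email
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(oauth_access_token):
    """Authorization value for an OAuth access token (sent as-is, not encoded)."""
    return f"Bearer {oauth_access_token}"


def check_header(value):
    """Decode an Authorization value locally and describe it without echoing the secret."""
    scheme, _, payload = value.strip().partition(" ")
    if scheme.lower() == "bearer" and payload:
        return "ok: OAuth bearer token"
    if scheme.lower() != "basic" or not payload:
        return "error: missing 'Basic' or 'Bearer' scheme"
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "error: value after 'Basic' is not Base-64 encoded"
    user, sep, secret = decoded.partition(":")
    if not sep or not user or not secret:
        return "error: decoded value is not user:secret"
    kind = "API token" if user.endswith("/token") else "password"
    return f"ok: {kind} auth for {user}"


if __name__ == "__main__":
    # Placeholder credentials only; never hard-code real ones.
    samples = [
        basic_header("email@email.co.uk", "token_value_here", api_token=True),
        bearer_header("oauth_access_token"),
        "Basic dXNlckBlbWFpbC5jb206b3BlbnNlc2FtZQ==",  # string shown in this article
        "basic email@email.co.uk/token:XXXX",          # constructed: not encoded
        "email@email.co.uk/token:XXXX",                # constructed: no scheme
    ]
    for value in samples:
        print(check_header(value))
```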
For more detailed information on authentication, see our developer documentation on Security and authentication.
58 Comments
Hey Cem,
You can create a trial account by navigating to https://www.zendesk.com/register and entering your information there.
I hope this helps!
Having issues authenticating.
Code in js:
headers: {'content-type': 'application/json', authorization: 'basic myemai@email.co.uk/token:XXXX'}
returns: {"error":"Couldn't authenticate you"}
Hi Marco,
Could you try base-64 encoding that username/token:XXXX string as described in https://developer.zendesk.com/rest_api/docs/support/introduction#basic-authentication
to see if that works better?
Hi Dwight,
I tried but it still doesn't seem to work.
_header: 'GET /api/v2/tickets/380289/comments.json HTTP/1.1\r\n' +
'content-type: application/json\r\n' +
'authorization: email@email.co.uk/token:XXXXX...3F5\r\n' +
This is part of what outputs in my terminal. I'm trying to access ticket info and I'm using the token created via Zendesk.
Removing my email and appending '==' didn't seem to fix the issue, if that is what the above is referring to?
Hi Marco,
Apologies - I should've clarified better. You'll need to base-64 encode your email/token:TOKEN and use that within the authorization header.
So if your credentials look like this:
email@email.co.uk/token:token_value_here
the base-64 encoded version would look like this:
ZW1haWxAZW1haWwuY28udWsvdG9rZW46dG9rZW5fdmFsdWVfaGVyZQ==
and the auth header would look like this:
'Authorization: Basic ZW1haWxAZW1haWwuY28udWsvdG9rZW46dG9rZW5fdmFsdWVfaGVyZQ=='
There are a number of tools to do that base-64 encoding. Here's a website that describes how to do so from the command-line: https://scottlinux.com/2012/09/01/encode-or-decode-base64-from-the-command-line/
There are also online sites on which this can be done if you're not worried about security of the credentials involved: https://www.base64encode.org/
If you're still having difficulty with this, please raise a ticket with our support team so we can take a closer look at logs for your account.
That's fixed it, thank you!
Except for using email:password, can I use another identity like phone:password to do the authentication?
Hi Yawei,
Our API requires the use of either an email address or an OAuth bearer token.
Does that mean that if a user does not have an email, we can only use OAuth to do authentication?
That is correct. Per https://developer.zendesk.com/rest_api/docs/support/introduction#security-and-authentication
Hi Dwight Bussman,
I called the API /api/v2/targets.json to add a target. I set the username and password in the target and created the target successfully, but found the password had not been set successfully.
And when I received the webhook, I found the Authorization header was returned without the password.
HeyO Lavender Song,
When testing this using a target payload as follows:
{
  "target": {
    "title": "Target created from API",
    "type": "url_target_v2",
    "active": true,
    "method": "POST",
    "username": "user@example.com",
    "content_type": "application/json",
    "password": "somethingsecret",
    "target_url": "https://hookb.in/xxxxxxxxx"
  }
}
I see the following response:
This means that the API call is ignoring that password parameter. I'm reaching out to the team in charge of Targets to see if there's another way to pass that in when creating a target, or if this is an intended limitation. I'll let you know what I hear back.
Thanks for bringing this to our attention. Our Developers have just released code which resolves this issue of the password being stripped out when creating targets via the API.
Dwight B. | Customer Advocate | support@zendesk.com
Hi Dwight Bussman,
Well done. Have tested and it works well now.
Thanks
Many questions raised here before me, for the last 2 years.
If someone has an issue sending a base64 encoded API_Token, he can use my few lines of scripts to do so.
Python3:
Hello Tomer Ben Arye,
Could you explain your problem with a bit more detail so we can better help you?
Best regards.
Hey Devan,
My post was a code to all the other people here, that were struggling to make it happen....
So, my code works fine, but you're right, I didn't include a proper "header" for it.
TL;DR,
If someone has an issue sending a base64 encoded API_Token, he can use my few lines of scripts to do so.
Thank you for sharing your solution, Tomer!
Hello,
I am using Postman. Auth is Basic Auth, that is, my email address and Zendesk password. When I run a help_center GET request, a 200 response returns. However, when I try to run a Zendesk Support (GET) request, 401 Unauthocated returns even though I use the same email and password for Basic Auth. Has anyone experienced the same error before? Any insights for this solution?
Sorry if I am missing very basic steps before running requests.
Hi Saori,
It looks like Password Access is disabled for your account. Could you please head into Admin > Channels > API > Settings and confirm that the password-access switch is flipped on?
I suspect the Help Center page works because it can return results un-authenticated, so it's ignoring the username/password.
I am successfully querying the search API using an API token. However, because our app uses SSO for user authentication, if that user is not logged into Zendesk already, image content does not display. Based on the response above, using a JWT for authentication is not an option (although confusingly this does seem to be an option using the Zendesk widget, which appears to be making use of the same general API endpoints).
How can I either pre-fetch or otherwise authenticate a user with regard to fetching restricted content media (images, specifically)? Using OAuth is not an option, since we are making use of SSO.
Hello C. Taf,
There have been requests for additional means to authenticate (such as a JWT/Authorization header approach). However, the three approaches mentioned in the above article are the only ones currently available for straight API requests (i.e. ones that do not rely on a session cookie from a Support agent login).
Keep in mind, too, that when using an API token, it should only be used by a server-side solution as you want to keep the token secure and not expose it client-side.
While this isn't the answer I'm sure you were hoping for, I wanted to set current expectations, so you can determine what the best next steps might be.
Thanks for your response, however, we weren't seeking an additional JWT-enabled mechanism for authenticating API requests (though this would be great, and again reading between the lines does appear to be an option with the widget). Authentication in general is not the issue (and of course the API token is kept server-side) as we are successfully querying the API.
The issue is that attachment content URLs return a 302 when utilizing an SSO implementation.
I see you created a new post C. Taf, so will pick things up over there.
Yes, I am wondering the same. There should be sample users through which we can create tickets.
Hi Ashish Saini! Could you provide a bit more details on your post so that I can best assist?
https://support.zendesk.com/hc/en-us/articles/115000510267/comments/360006654913
Actually I am working on some integration part with Zendesk, and for that I need around 1000s of tickets for its testing. To do this I am using https://developer.zendesk.com/rest_api/docs/support/tickets#create-many-tickets
It says "If you are importing historical tickets or creating more than 1000 tickets, consider using the Ticket Bulk Import endpoint." But on that new page (Ticket Bulk Import) it's showing how to import 100 tickets only. I am having a hard time importing 1000s of tickets only for testing purposes.
Hi Ashish Saini...apologies for the delay! That particular endpoint only allows for 100 tickets to be created at a time, so you would need to script that to run it multiple times. You could also do that manually if it's easier, we just don't have a way of increasing the number of items in that array.