Enabling JWT (JSON Web Token) single sign-on



  • Cyndi Lopez

    What is the 'locale' id passed in the payload used for? Currently, after logging in, a user is directed to <your-domain>.zendesk.com, and I'm not sure how it knows what language to default to or whether this default language can be changed by passing in a locale through the payload.

  • Brett Bowser
    Zendesk Community Team

    Hey Cyndi,

    I see this is your first post in the forums so I just wanted to say welcome!

    Regarding your question, are you asking what language would be presented to the user when they navigate to your Help Center? You may want to take a look at the following article: Help Center default locales and language detection

    Let me know if that doesn't get you the information you're looking for.


  • Mike Riforgiate

    Once we set up SSO JWT in Zendesk and the WordPress Zendesk plugin, what link can we provide our customers that will use their creds from our site and send them to any tickets they have open in our Zendesk?


    We currently have a link called "tickets" on our website for our customers with the target being https://ourcommpany.zendesk.com/agent and they get an access denied result.

  • Nathan Owens

    The documentation states that the tags value should be a JSON array.  So, assuming I have two tags, let's say "tag1" and "tag2", I would expect it to look like this: "[\"tag1\",\"tag2\"]" however this doesn't work.  What does work is simply making the tags value a comma separated list like so: "tag1,tag2".  This is not a JSON array, but it seems to work.  

    The one I just can't figure out is user_fields.  The documentation states it should be a JSON hash, so I would expect something like this: "{\"enrollment_date\":\"2014-10-08\", \"is_admin\":true}" etc.  This causes an error that states the JWT token is invalid.  In fact, including any value at all in the user_fields, causes that error.  Can someone please provide an example of the format for the user_fields claim?

  • Raghav Mishra

    Thanks for this amazing article.
    I have been working on a custom support site that will have a login page. I want my users to log in to their Zendesk from this login. I guess SSO using JWT may be the best way.
    I have a React application. How can I proceed with this?

    I have added the steps below, can someone please confirm if I'm missing something? 

    1. Send the user credentials to my server (when the user logs in).
    2. Authenticate the user.
    3. Once authenticated, generate a JWT token and send it with the new URL generated to the React app as the response.
    4. The webapp redirects to Zendesk and back to my application. This process includes saving the session for Zendesk (now my browser holds a session for Zendesk).

    Did I miss out anything? Also, please let me know how I can authenticate my user.
    Note: I'm using Node on the backend.

    Thanks for the help in advance. 

  • Raghav Mishra

    The process works fine as expected and I get logged into Zendesk with the URL along with the token. But I want to jump to a different page once the Zendesk session is set.
    Here is the behavior I'm expecting:

    1. I log in with the user credentials on my custom application.
    2. The user is authenticated from my server and I also get a JWT.
    3. I want to redirect to Zendesk with the JWT and then back to my application (so the Zendesk session is saved and whenever I open Zendesk, it opens up as logged in).

    I tried adding return_to with a non-Zendesk URL, but it does not work. How can I get this thing to work?

    Thanks in Advance for the help.

  • Julien Poirot


    I'm trying to do the same thing that Raghav requested 2 posts above: once authenticated, redirect to Zendesk with the JWT payload and then back to the application.

    So I'm redirecting to abc.zendesk.com/access/jwt?jwt=token&return_to=https://my_app_url/

    It redirects to the return_to url but the Zendesk session is not opened. Is there another way?

  • Brenda Cardinez
    Zendesk Customer Advocate

    Hi Julien, 

    I'm sorry for any inconvenience. I've created a ticket for your question so we can look into your specifics with you. Thank you! 


    We are trying to set up JWT and everything meets the Zendesk requirements.
    But we got the error "JWT signature invalid. The signature cannot be verified ,check that your tokens match."
    We cannot do anything about this message now. Can someone help here?
    Thanks in advance!

  • Shayne Traqueña
    Zendesk Customer Advocate

    Hi Xiengcheng Jin,

    Thanks for reaching out, happy to help here! As for the error, a possible cause is that the shared secret used to generate the hashed portion of the payload does not match the shared secret listed under Security > SSO > JSON Web Token.

    Since only the first several characters of the shared secret are displayed in the Zendesk UI, generally users who receive this error must generate a new shared secret and update the JWT script with the new secret.

    Additional cause/s:
    - The supplied JWT headers do not contain the "typ" or "alg" parameter. Most JWT implementations should supply these headers automatically.
    However, if your team rolls your own implementation (or uses an out-of-date version of our Classic ASP implementation) this error may appear. In this case, Base64 decoding the first section (headers) of the request's JWT parameter can confirm this as the cause of the issue. If either the "typ" or the "alg" parameter is missing, the error can appear:


    I hope this helps and points you in the correct direction.


    Shayne Traqueña
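
The two checks described in the reply above (a shared secret that does not match, and a header missing "typ" or "alg"), as an added example that is not part of the original reply or Zendesk's own code. It assumes an HMAC-SHA256 (HS256) signature over the first two token sections; the secret, payload values and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not from the thread or from any real account.
SECRET = "constructed-demo-secret"
PAYLOAD = {"iat": 1700000000, "jti": "constructed-jti-0001",
           "name": "Test User", "email": "user@example.com"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def hs256(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign(header: dict, payload: dict, secret: str) -> str:
    """Build a compact token: b64url(header).b64url(payload).b64url(HMAC)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    return signing_input + "." + b64url_encode(hs256(signing_input, secret))

def diagnose(token: str, secret: str) -> list:
    """Return the reasons this token would fail the two checks in the reply."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated sections"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        supplied = b64url_decode(parts[2])
    except ValueError:  # covers bad Base64, bad UTF-8 and bad JSON
        return ["a section is not valid Base64url or the header is not JSON"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]
    problems = [f'header is missing "{key}"' for key in ("typ", "alg") if key not in header]
    # Constant-time comparison of the recomputed MAC with the supplied one.
    if not hmac.compare_digest(hs256(parts[0] + "." + parts[1], secret), supplied):
        problems.append("signature does not match this shared secret")
    return problems

if __name__ == "__main__":
    good = sign({"typ": "JWT", "alg": "HS256"}, PAYLOAD, SECRET)
    for label, tok, key in (("matching secret", good, SECRET),
                            ("regenerated secret", good, "another-constructed-secret"),
                            ("no typ header", sign({"alg": "HS256"}, PAYLOAD, SECRET), SECRET)):
        print(label, "->", diagnose(tok, key) or "ok")
```

Running the check on your own server against a token your login script produced separates a header problem from a secret mismatch before the token is ever sent.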

  • The Solvvy Team

    When my nodejs backend redirects to the `https://<mydomain>.zendesk.com?jwt=xxxx` url, I can see that the redirect was blocked because of CORS policy. 

    Access to XMLHttpRequest at 'https://xxxx.zendesk.com/access/jwt?jwt=xxxx' 
    (redirected from 'https://api.mydomain.com/v1/auth/login')
    from origin 'https://dashboard.mydomain.com' has been blocked by CORS policy:
    Response to preflight request doesn't pass access control check:
    No 'Access-Control-Allow-Origin' header is present on the requested resource.

    Is there any setting in the Zendesk Admin panel, that I should change so that zendesk's CORS policy allows redirect from my domain?

  • Shayne Traqueña
    Zendesk Customer Advocate

    Hi there!

    Regarding the error you are receiving, please make sure to check out our article here:


    I hope this helps!



  • Charlie Lloyd

    This is for Simran. For some reason I got notified of your comment but can't see it here.

    Remove the exp from your payload. Zendesk doesn't like it. Here is a snip from my C# code:

    JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);
    foreach (KeyValuePair<string, object> entry in payload)
        token.Payload[entry.Key] = entry.Value;

    // Zendesk not expecting nbf

    // Zendesk doesn't support exp

  • Simran Khosla

    Hey Charlie thanks so much for your response!
    I actually deleted my comment because I realized we just hadn't hit the button for Team Members to check the box to use JWT. =\ Foolish mistake on my end and all seems to be working fine now!

    But thank you for your note! I can absolutely remove expiration time to clean this up as well!

  • Simran Khosla

    One more question for you Charlie. 
    We'd like to pass both an organization and an organization_id as part of the JWT when we login / create users. There's a few things I'm confused about -- i

    1. It says if we pass an organization_id claim on the token "If both organization and organization_id are supplied, organization is ignored." -- we're looking to see how we would get both pieces of information in there. Essentially our data is structured with Org#22: Organization Name. So we'd like to pass both pieces of information over here so we can store the ID and the Organization name. How would you suggest we do this? Should we just add it to a custom user field instead and use Organization?

    2. We also have a case where users can have multiple organizations so we know we can pass strings as the organizations attribute but, is it possible to also supply a set of IDs there?

    Thanks in advance for your assistance!

  • Charlie Lloyd

    Hi Simran,

    It was a long time ago when I worked on it, I don't know if you can free form name - value pairs in the payload. 

    The way we do Zendesk is to create many "brands" that correspond to our products and beyond that we use Zendesk tags to create permission groups of who can see what within a brand. Tags are an array so you could encapsulate a lot of logic based on them if you desired.  


    // Create payload to log designated Epicor app user onto Zendesk with tags
    payload = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase) {
        { "iat", timestamp },
        { "jti", System.Guid.NewGuid().ToString() },
        { "tags", aryTags },
        { "name", userName },
        { "email", userEmail }
    };

  • Itay Mendelawy

    Hi Charles Nadeau or anyone from the content team... there's missing information in this article that is very critical for my implementation.

    1. The JWT attributes mention the ability to set up multi-org membership with the "organizations" attribute. However, this attribute is not documented.

    2. When I'm using the "organization" attribute, will Zendesk create the org if it is not created?

