Using OAuth authentication with your application




Charles Nadeau

Zendesk Documentation Team

Edited Jun 16, 2025



65 comments

Hi Zendesk Team,
I want to know how I can change the refresh_token expires_at. Currently it is by default 30 days.

0


With the new OAuth updates mentioned here, will we be required to set a “refresh_token_expires_in”? If the parameter is not included, will the access token have an expiration?

1


I am facing the same issue as mentioned in the above comment.

I have created an OAuth client with kind as confidential. I am using the /oauth/token API to get a token by using client id, client secret, scope and grant as client_credentials. I get the token, but when I use it with the Ticket API, I get 401 "Couldn't authenticate you".

However, when I use the other token endpoint /api/v2/oauth/tokens, the access token received works fine with the Ticket API or rather any other API.

What am I missing?

1


I tried using client credentials flow with no luck. My client is confidential, I used client secret, no PKCE and the scope was “read”. The token was generated successfully with user_id null as I expected it. However, I can't do anything with it. No matter what endpoint I use, I always get 401 response. When I inspect the token, I see used_at to be the timestamp when I got the 401 response.

Are there any restrictions on what I can use this token for?

1


Are there any plans to add support for expiring access tokens? Having no expiration on access tokens negates a lot of the benefits of OAuth. It sounds like the overall approach to OAuth is being rethought, so wondering if expiration will be added as well.

1


Zendesk recently announced support for OAuth2 client credentials flow.

https://support.zendesk.com/hc/en-us/articles/8983332483226-Announcing-support-for-OAuth-2-0-Client-Credentials-grant-type

I am curious what “user” the client credential runs as? An issue we have had is that it has to run as a single user that has to be maintained and in the worst case is deactivated, etc. Can this new client credentials scheme operate without running as a particular named user in Zendesk?

1


Now that all grant flows other than the authorization code grant flow have been deprecated, there is no longer a supported grant flow that is suitable for purely server-to-server communication (no user involved), correct?

Are there any plans to add support for a grant flow more suitable for server-to-server communication such as the client credentials flow?

0


I'm having the same issue as Amit.

“Invalid Authorization Request”

• Error: invalid_request

• Description: “The request is missing a required parameter, includes an unsupported parameter or value, or is otherwise malformed.”

https://{subdomain}.zendesk.com/oauth/authorizations/new?response_type=code&redirect_uri={URI}&client_id={UNIQUE_IDENTIFIER}&scope=read

Does anyone have any ideas?

0


I’m trying to implement OAuth authentication, but I’m getting a generic error:

“Invalid Authorization Request”

• Error: invalid_request

• Description: “The request is missing a required parameter, includes an unsupported parameter or value, or is otherwise malformed.”

URL I’m using:

https://{subdomain}.zendesk.com/oauth/authorizations/new?response_type=code&redirect_uri={URI}&client_id={UNIQUE_IDENTIFIER}&scope=read

Can you help me debug this?

1


I can get everything to work except the final step when calling “https://{subdomain}.zendesk.com/oauth/tokens”. This is returning a CORS error, and hence, we cannot move forward. All other endpoints work fine, and if I call the endpoint using CURL and the same parameters, I get a valid response. So this is purely a CORS issue. Can you help?

0

