Generating a new API token

Comments

8 comments

  • Nathan McClintock

    The Token Access slider is set to 'enabled'. I cannot for the life of me find the 'Add new token' button/URL. I am an administrator. Help! 

    Cheers

  • Jacob J Christensen

    Understandable, it is a very discreet-looking plus sign below the slider(s).

  • Gal Zohar

    Hi,

    Is the following statement correct: "An API token is connected to the user who created it. If that user is deleted, or demoted from an admin role, any external platform using this token will not have access anymore". 

    If this is correct, is there a way for an admin to create a token which is connected to another admin user (e.g. an integrations user who will never leave the company or get another role)?

  • Gail Leinweber

    Hi Gal,

    Yes, the token would still be valid if it was taken from a deleted user, so it should be possible to use it with another admin user.

  • Heather Cook

    Hi Team,

    Is there a way to link a token to a user in Zendesk?

    Currently, if a token is shared with a user for them to use and they are a Light Agent, they can use this to call the API. If that user realises that, instead of using their login name, they can use the login name of an Admin, then they can use that token and the admin login name to use the API. This seems incredibly insecure...

    Is this our setup that we need to change? Or Zendesk setup in general?

  • Dan Kondzela

    Thank you, Heather. 

    You are correct in that if a user is going to have access to a token attributed to a different user it would be insecure, as tokens are inherently private methods of authentication. It would be similar to sending passwords out, and we advise against sharing Tokens amongst agents for this reason.

    Light Agents still ought to be able to call basic endpoints with only their password as authentication, but if you need more scope you can utilize OAuth: https://support.zendesk.com/hc/en-us/articles/203663836-Using-OAuth-authentication-with-your-application

    Thanks!

  • Michael Tiernan

    I have to say, we're trained (*cough*) to look for non-grayed-out items to click on.

    My apologies for sounding harsh, but it is counterintuitive to click on something like one of these controls. I don't mean to sound viciously critical, just trying to encourage a fix. :)

  • Jessie - Community Manager

    Thanks for sharing that feedback, Michael!
