Generating a new API token

Have more questions? Submit a request


  • Nathan McClintock

    The Token Access slider is set to 'enabled'. I cannot for the life of me find the 'Add new token' button/URL. I am an administrator. Help! 


  • Jacob J Christensen

    Understandable, it is a very discreet looking plus sign below the slider(s).

  • Gal Zohar


    Is the following statement correct: "An API token is connected to the user who created it. If that user is deleted, or demoted from an admin role, any external platform using this token will not have access anymore". 

    If this is correct, is there a way for an admin to create a token which is connected to another admin user (e.g. an integrations user who will never leave the company or get another role)?

  • Gail Leinweber

    Hi Gal,

    Yes, the token would still be valid if it was taken from a deleted user, so it should be possible to use it with another admin user.


  • Heather Cook

    Hi Team,

    Is there a way to link a token to a user in Zendesk?

    Currently if a token is shared to a user for them to use and they are a Light Agent, they can use this to call the API. If that user realises that instead of using their log in name, but instead uses the log in name of an Admin then they can use that token and the admin log in name to use the API. This seems incredibly insecure...

    Is this our set up that we need to change? Or Zendesk set up in general?

  • Dan Kondzela

    Thank you, Heather. 

    You are correct in that if a user is going to have access to a token attributed to a different user it would be insecure, as tokens are inherently private methods of authentication. It would be similar to sending passwords out, and we advise against sharing Tokens amongst agents for this reason.

    Light Agents still ought to be able to call basic endpoints with only their password as authentication, but if you need more scope you can utilize OAuth:


  • Michael Tiernan

    I have to say, we're trained (*cough*) to look for non grayed out items to click on.

    My apologies for sounding harsh but it is counter intuitive to click on something like one of these controls. I don't mean to sound viciously critical, just trying to encourage a fix. :)

  • Jessie Schutz

    Thanks for sharing that feedback, Michael!

  • Ernest Prabhakar

    > select Channels > API

    We don't see "API" under Channels, only social.  Do we need to do something special get (back) access? I seem to remember we had this a year ago...


  • Brett - Community Manager

    Hi Ernest,

    Can you confirm you're logged in as an Admin on the account? The API option should show up under the Widget option as shown in the screenshot below:


    I would also confirm whether or not other Admins on the account have access to this as well. If not, can you provide a screenshot of what you see on your end?


  • Andrei Sdasilva

    Hi guys,

    The tokens has an expirate date? 


  • Brett - Community Manager

    Hi Andrei,

    API tokens do not have an expiration date.

    They can manually be revoked or deleted by another admin on the account.


  • Tarun Patel

    Can agent's have their own API token, or do they need to be converted to an Admin in order to get a token?

  • Brett - Community Manager

    Hey Tarun,

    Only Admins on the account can request an API token :)

  • Sorin Vatasoiu


    I try to use the api's to get/create tickets and I have issues making calls through Postman. I'm an admin, I generated a token, encoded it, using the correct setup in GET call, but I get error: 

    "error": "Couldn't authenticate you"

    I try to use a GET call to and using "Authorization" header with a value of "Basic xxxxx" where xxxxx= encoded value for {email_address}/token:{api_token}.

    I tried the same call using curl, but I get the same error.

    Can you provide an working example for Postman, or do i miss anything else?

  • Joseph May

    Hi Sorin-

    Using Postman you can simply select the 'Basic Auth' type under authorization and fill in the corresponding fields - don't forget to append /token to your email if using an API token. You shouldn't need to encode it beforehand.

  • Sorin Vatasoiu

    thank you Joseph, it worked

  • Yair Galler

    Hi, is it possible to generate an API key that is restricted in its permissions (i.e. limit to read-only calls)?





Please sign in to leave a comment.

Powered by Zendesk