API tokens can be used to as part of 2-factor authentication for integrations. You can view, add, delete, and manage API tokens in the Zendesk Admin interface.
In order to generate an API token, you must be an administrator, and Token Access must be enabled.
To generate an API token
- Click the Admin icon (
) in the sidebar, then select Channels > API. - Click the Settings tab, and make sure Token Access is enabled.
- Click the + button to the right of Active API Tokens.
- Optionally, enter a description under API Token Description. The token is generated, and displayed for you:
- Copy the token, and paste it somewhere secure. Once you close this window, the full token will never be displayed again.
- Click Save to return to the API page. A truncated version of the token is displayed:
19 Comments
The Token Access slider is set to 'enabled'. I cannot for the life of me find the 'Add new token' button/URL. I am an administrator. Help!
Cheers
Understandable, it is a very discreet looking plus sign below the slider(s).
Hi,
Is the following statement correct: "An API token is connected to the user who created it. If that user is deleted, or demoted from an admin role, any external platform using this token will not have access anymore".
If this is correct, is there a way for an admin to create a token which is connected to another admin user (e.g. an integrations user who will never leave the company or get another role)?
Hi Gal,
Yes, the token would still be valid if it was taken from a deleted user, so it should be possible to use it with another admin user.
Hi Team,
Is there a way to link a token to a user in Zendesk?
Currently if a token is shared to a user for them to use and they are a Light Agent, they can use this to call the API. If that user realises that instead of using their log in name, but instead uses the log in name of an Admin then they can use that token and the admin log in name to use the API. This seems incredibly insecure...
Is this our set up that we need to change? Or Zendesk set up in general?
Thank you, Heather.
You are correct in that if a user is going to have access to a token attributed to a different user it would be insecure, as tokens are inherently private methods of authentication. It would be similar to sending passwords out, and we advise against sharing Tokens amongst agents for this reason.
Light Agents still ought to be able to call basic endpoints with only their password as authentication, but if you need more scope you can utilize OAuth: https://support.zendesk.com/hc/en-us/articles/203663836-Using-OAuth-authentication-with-your-application
Thanks!
I have to say, we're trained (*cough*) to look for non grayed out items to click on.
My apologies for sounding harsh but it is counter intuitive to click on something like one of these controls. I don't mean to sound viciously critical, just trying to encourage a fix. :)
Thanks for sharing that feedback, Michael!
> select Channels > API
We don't see "API" under Channels, only social. Do we need to do something special get (back) access? I seem to remember we had this a year ago...
https://nauto.zendesk.com/
Hi Ernest,
Can you confirm you're logged in as an Admin on the account? The API option should show up under the Widget option as shown in the screenshot below:
I would also confirm whether or not other Admins on the account have access to this as well. If not, can you provide a screenshot of what you see on your end?
Thanks!
Hi guys,
The tokens has an expirate date?
Thanks.
Hi Andrei,
API tokens do not have an expiration date.
They can manually be revoked or deleted by another admin on the account.
Cheers!
Can agent's have their own API token, or do they need to be converted to an Admin in order to get a token?
Hey Tarun,
Only Admins on the account can request an API token :)
Hi,
I try to use the api's to get/create tickets and I have issues making calls through Postman. I'm an admin, I generated a token, encoded it, using the correct setup in GET call, but I get error:
{
"error": "Couldn't authenticate you"
}
I try to use a GET call to https://nejm15xxxxxxxx.zendesk.com/api/v2/tickets.json and using "Authorization" header with a value of "Basic xxxxx" where xxxxx= encoded value for {email_address}/token:{api_token}.
I tried the same call using curl, but I get the same error.
Can you provide an working example for Postman, or do i miss anything else?
Hi Sorin-
Using Postman you can simply select the 'Basic Auth' type under authorization and fill in the corresponding fields - don't forget to append
/tokento your email if using an API token. You shouldn't need to encode it beforehand.thank you Joseph, it worked
Hi, is it possible to generate an API key that is restricted in its permissions (i.e. limit to read-only calls)?
Thanks,
Yair.
HI i'm trying to make an api call with the token but i'm getting
{
"error": "Couldn't authenticate you"
}
https://xxxxxxx.zendesk.com/api/v2/tickets.json?xxxxx.xxxxxx@xxxxxx.com/token:******************
what i'm i doing wrong ? thx
Please sign in to leave a comment.