To use the Chat API in Support+Chat accounts and Phase 4 Chat accounts, you need to generate an OAuth access token to authenticate API requests. Basic authentication is not supported. However, generating a token for the first time can be a bit confusing so this tutorial provides step-by-step examples of how to generate a token manually. After you're done, you should have a token that you can use in Chat API requests to read and write data.
If you're building an application, then you should build the token-generating functionality into your app to automate the process.
There are two ways to create an access token for the Chat API -- a quicker, more convenient way for testing environments (using "Implicit" grant flow), and a longer, more formal way for production environments (using "Authorization Code" grant flow). This tutorial covers both.
This tutorial is intended for integrated Chat accounts which have had all of the changes referenced in the above article applied. This is currently being rolled out gradually, so some accounts may require it before others. If you're not sure whether your account has received all of the changes, feel free to reach out to our Support team who can confirm for you.
Note: One side effect of the account changes is that OAuth tokens will need to be recreated. If you complete this tutorial before the changes have reached your account, you'll need to run through the steps again afterwards.
The OAuth "Implicit" grant flow has the following steps:
- Create the OAuth API client
- Complete the OAuth implicit grant flow to get the token using information from step 1
Create the OAuth API client
First of all, we need an API client. Go to Zendesk Chat > Account > API & SDKs and click the Add API Client button. Enter a name for the client and company of your choosing, and for the Redirect URL enter http://localhost:8080. It should look something like this:
Click on Create API Client to finish the setup. You will be shown a popup with the Client ID and secret. Very important: The client secret is shown only once, so make a note of it for later use. It will look like this:
Now that our API client is ready to go, make note of your Client ID and Client Secret before clicking Okay, got it. We're now ready to complete the OAuth grant flow.
Complete the OAuth implicit grant flow to get the token
This approach uses the OAuth "Implicit" grant flow. An alternate approach is to use the OAuth "Authorization Code" grant flow (shown in the next section). If you are doing this manually, this approach has fewer steps and is more convenient than the authorization code grant flow shown later.
1. Follow the "Creating the OAuth API client" step above
2. Collect this information from the OAuth client
- Client ID: CLIENT_ID
- Your Zendesk subdomain
3. Format the below URL with your own CLIENT_ID and SUBDOMAIN, paste it into a new browser tab, and press Enter.
- If the Chat OAuth client only has one Redirect URL value then passing a redirect_uri value is optional. The system will use the OAuth client's one Redirect URL value by default.
- If the OAuth client has more than one Redirect URL value then passing a redirect_uri value is required. If a redirect_uri value is passed then it needs to be URL encoded. In the above example, the optional redirect parameter would be: redirect_uri=http%3A%2F%2Flocalhost%3A8080
4. The call will be made, possibly asking you to log in and select 'Allow' to generate the token.
If the call succeeds, your browser's address field will contain your new OAuth token (returned as the access_token value).
Despite the seeming error message displayed in the browser's main window, if 'access_token' is returned in the browser's URL field then it worked!
A longer, alternate way of generating the token
These steps create a token just like the previous section but demonstrate the OAuth "Authorization Code" grant flow. Make a note of your OAuth client details, which will be used below.
Placeholders will be used instead of real data - remember that your OAuth client's secret should be treated with the utmost security as it is essentially a password into your Chat account.
- Client ID:
- Client secret:
- Redirect URI:
- Subdomain: your Zendesk subdomain; e.g. if your account is at , this value is niall
- Authorization code: we don't have this yet
1. Prepare the first URL
Here we will create a URL to request an authorization code. You will need to go to https://{subdomain}, and add some query parameters to pass some of the above information. This time we need:
- response_type: this will always be code
- redirect_uri: where we will be redirected after granting access, http://localhost:8080 for our tutorial
- client_id: specific to you, as written down earlier
- scope: what access this token will have, we will choose read
  - Also include 'chat' scope if using the token against the Chat Conversations API.
- subdomain: your Zendesk subdomain
Putting this all together and URL encoding it will give you a final URL which looks like this:
being the only differences for your own URL.
2. Prepare the cURL call
Before actually visiting that URL, let's build the cURL call that we will run afterwards. This time we will need the following:
- grant_type: this will always be authorization_code
- code: this will be obtained after we permit access from the URL
- client_id: your client ID
- client_secret: your client secret
- redirect_uri: same as the last step, http://localhost:8080
- scope: same as the last step, read
When we put this all together we get a command which should look something like:
curl https://{subdomain} \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=authorization_code&code=AUTH_CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=http%3A%2F%2Flocalhost%3A8080&scope=read%20write' \
  -X POST
Remember: you should already have CLIENT_ID now, but we don't have AUTH_CODE just yet.
3. Get your authorization code
Now go to the URL we generated in step 1. You will see a page like this:
Click Allow to grant access, and you will be redirected to the redirect URL. It will look like a broken page, but the important thing is to look in the URL to see what the authorization code is, i.e. everything after ?code=
Copy that code, and let's get ready for the final step! The authorization code is only valid for a short time. If you wait more than a few minutes, you may have to re-run the above step to get a new code value.
4. Make the cURL call to get your token
Referring back to the cURL call we constructed in step 2, which looks like this:
curl https://{subdomain} \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=authorization_code&code=AUTH_CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=http%3A%2F%2Flocalhost%3A8080&scope=read%20write' \
  -X POST
replace AUTH_CODE with the code from step 3, and run the command from a terminal application. You will receive a response in the form of a JSON object like this:
{ "access_token": "TOKEN", "token_type": "Bearer", "refresh_token": "REFRESH_TOKEN", "scope": "read write" }
5. Test out the new token
It's always a good idea to test things out to confirm it worked as you expected, so we can do that now. The easiest call to make is just a simple GET to /api/v2/chats to see your account's information:
curl https://{subdomain} -H "Authorization: Bearer TOKEN"
replacing TOKEN with that retrieved in step 4.
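The steps above, for both the "Implicit" and "Authorization Code" flows, as an added Python example (not part of the original tutorial or Zendesk's own code): it builds the step 1 URL and the step 2 form body with correct URL encoding, reads the result off the redirect (`?code=` for the code flow, `#access_token=` for the implicit flow), and checks which scopes the token response actually granted. The endpoint is a placeholder because the URL on this page is truncated, and the `response_type` and `subdomain` query-parameter names are assumptions.

```python
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Placeholder endpoint: the authorization URL on this page is truncated.
AUTHORIZE_ENDPOINT = "https://chat-auth.example.invalid/oauth2/authorizations/new"

def build_authorize_url(endpoint, client_id, subdomain, scopes,
                        response_type="code", redirect_uri=None):
    """Step 1 URL. response_type is "code" here, "token" for the implicit flow."""
    params = {"response_type": response_type, "client_id": client_id,
              "scope": " ".join(scopes), "subdomain": subdomain}  # names assumed
    if redirect_uri:  # optional when the client has a single Redirect URL
        params["redirect_uri"] = redirect_uri
    return endpoint + "?" + urlencode(params, quote_via=quote)

def token_request_body(code, client_id, client_secret, redirect_uri, scopes):
    """Step 2: the form-encoded body that the cURL call passes with -d."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri, "scope": " ".join(scopes)},
                     quote_via=quote)

def parse_redirect(url):
    """Step 3: read the result off the address bar after clicking Allow.

    The code flow returns ?code=... in the query string. The implicit flow
    returns #access_token=... in the fragment, which browsers never send to
    the server, so only client-side code (or a person) can read it.
    """
    parts = urlsplit(url)
    query, fragment = parse_qs(parts.query), parse_qs(parts.fragment)
    for source in (query, fragment):
        if "error" in source:  # standard OAuth 2.0 error parameter (RFC 6749)
            raise ValueError("authorization failed: " + source["error"][0])
    if "code" in query:
        return {"flow": "authorization_code", "code": query["code"][0]}
    if "access_token" in fragment:
        return {"flow": "implicit", "access_token": fragment["access_token"][0]}
    raise ValueError("redirect carries neither a code nor an access_token")

def missing_scopes(token_response, required):
    """Step 4/5 check: scopes the caller needs that the token was not granted."""
    granted = set(json.loads(token_response).get("scope", "").split())
    return sorted(set(required) - granted)

# Constructed sample values, mirroring the placeholders used in the tutorial.
SAMPLE_RESPONSE = '{"access_token": "TOKEN", "token_type": "Bearer", "scope": "read write"}'
assert missing_scopes(SAMPLE_RESPONSE, ["read", "write", "chat"]) == ["chat"]
```

In an application, read the client secret from the environment or a secret store and pass it to `token_request_body` at run time rather than writing it into source or shell history.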
Additional information
Confidential client_type
The above sections demonstrated the "Implicit" grant type and "Authorization Code" grant type. The Chat API also supports the confidential grant type using client credentials. This is described more in the reference documentation under Confidential grant types.
For API calls used by admins and agents for such things as reporting metrics, getting an OAuth token with the confidential grant type may be preferable. You will need to set the client_type as "confidential". By default this value is set to "public". This can only be done via the API, and can be achieved as follows:
1. Get the client ID
First we'll need the ID of your new client. You can get this using your new token, with the following call:
curl https://{subdomain} -H "Authorization: Bearer TOKEN"
which will show you all of your clients. You may only have one, but if you do have many you should pick the one you wish to update, and note its ID.
2. Update the client_type
Now that you have the ID of the client, you can run the following cURL call to update the client_type:
curl https://{subdomain}{client_ID} -d '{"client_type": "confidential"}' \
-X PUT -H "Content-Type: application/json" -H "Authorization: Bearer TOKEN"
Once that is complete, your token can be used for restricted endpoints.
Hi, I followed the steps in the article and got an access token with no errors :D
But it seems I cannot use this token to access the Conversation API; I got an invalid scope error.
I added a screenshot here for the scope error.
Also, this is how I get the access token:
When I did this cURL call, I tried with scope = chat / scope= read write. I could get a token with no problem, but I always end up with the same invalid scope error when I try to access the Conversation API.
Any suggestion is appreciated
thank you!
Hi Lev,
Thank you for your post, hope you are doing well today!
According to the requests / calls you want to make through the conversation API you will need more than the Chat scope and have to set the scope of the token to , and chat.
Please refer to the section Authentication in Chat Conversations API for a better understanding.
For instance, retrieve the Token with :
I would also encourage you to have a look at the following documentation : Getting started with the Chat Conversations API, that should point you in the right direction.
Hope this helps!
Have a great rest of your day.
Best regards,
Matt Schembri
I've got an access token generated through "Implicit grant flow" detailed at
How can my Zendesk support app use this token?
Is there a clear cut way to get chat data into a zendesk support app?
John Espina
Hi Matt,
In regards to your concern, you can use OAuth 2 to authenticate all your application's API requests to Zendesk. OAuth provides a secure way for your application to access Zendesk data without having to store and use the passwords of Zendesk users, which is sensitive information.
Please check this article:
John Espina | Customer Advocate
Hi! I've managed to get the access token, using the scopes: read write chat, but I can't start agent session. I get "UNAUTHORIZED" error every time:
{\"errors\":[{\"UUID\":\"ccd32285-5895-45c4-bec5-6bd27b15f4a2\",\"message\":\"<html>\\r\\n<head><title>500 Internal Server Error</title></head>\\r\\n<body>\\r\\n<center><h1>500 Internal Server Error</h1></center>\\r\\n<hr><center>nginx</center>\\r\\n</body>\\r\\n</html>\\r\\n\",\"name\":\"UNAUTHORIZED\"}],\"data\":null}",
Can you help me, what am I missing?
Chien Dong
I have the same error

My access_token used the "read", "write" and "chat" scopes

Bom Proapp
I also get the same error.
Cheeny Aban
If you were able to confirm that all the steps have been properly followed and you keep on receiving an error, I would suggest that you initiate a conversation with us and provide the actual replication steps.
Nicholas Walsh
Why is the query string returned to my callback URL with a hash (#) instead of a question mark? Everything after # in the URL will be ignored by the server, so redirecting to a backend script means the query string cannot be parsed.
Scotty Loewen
It's worth noting that the request will 400 if you use your full subdomain (, in this instance it's looking just for the "company" part of that. If this article could be edited to make that clearer in the beginning (first reference of subdomain) that would have saved me twenty minutes of troubleshooting today :)
Jinen Abdelhak
Hello, what's the expiration period of the bearer token, please?
Mateusz Gamroth
Niall Colfer You're the best! I tried to follow the documentation and it is chaotic and a huge mess.
Thanks to your approach I was able to get the token, was trying this for daaaayz!
Unfortunately could only find this in the Forum, maybe it could be linked to in this documentation?
Would be a huge help for everyone. Good job on putting this together ♥
Bitkan Support
Hi, When i create
token use the example:0
Luis Pucutay
Could you please mention how to generate the API GRAPHQL token: