How can I authenticate API requests?

Question

How can I authenticate API requests using one of Zendesk v2 APIs?

Answer

You must be a verified user to make authenticated API requests. To authenticate API requests, use basic authentication with your email address and password, your email address and an API token, or an OAuth access token.

All methods of authentication set the authorization header differently. Credentials sent in the payload or URL are not processed. Each option is listed below:

Password authentication
API token authentication
OAuth access token authentication
Viewing your authorization header

Password authentication

Note: Password authentication for our APIs is being deprecated. The timing may differ depending on traffic patterns and when your account was created, see this page: Announcing the deprecation of password access for APIs.

If you use basic authentication, combine your email address and password to generate the authorization header. To use basic authentication, enable Password access in Admin Center under Apps and integrations > APIs > Zendesk API, as well as within the relevant authentication section, either team member or end user.

Format the email address and password combination to be an Base-64 encoded string. For an example of how to format the authorization header, see the code block below.

Authorization: Basic {base-64-encoded email_address:password}

API token authentication

If you use an API token, combine your email address and API token to generate the authorization header. Format the email address and API token combination to be an Base-64 encoded string. For an example of how to format the authorization header, see the code block below.

Authorization: Basic {base-64-encoded email_address/token:api_token}

OAuth access token authentication

If you use OAuth to authenticate, format the authorization header this way:

Authorization: Bearer oauth_access_token

For more information, see this article: Using OAuth authentication with your application.

Viewing your authorization header

To see exactly what your app sends, use a third-party page such as Request Bin. Compare your headers to those being generated by a webhook using an OAuth authentication. Point the webhook to your requestb.in URL and, on the Add webhook page, click Test webhook to see this in action.

Once the request hits your requestb.in, it appears like this:

requestbin

The string after Authorization: Bearer is the API key provided by RequestBin in your account settings under Programmatic Access.

If you use Python to make requests, set your session headers as follows:

session = requests.Session()
session.headers = {'Content-Type': 'application/json', 'Authorization': 'Basic Basic_64_encoded_code'}

Note: Monitor your use of the API with the API Usage dashboard and verify any possible rate limits.

For more information, see the developer documentation: Security and authentication.