English (US)
  1. Zendesk help
  2. Support
  3. Advice and troubleshooting
  4. API

How can I authenticate API requests?

Dwight Bussman
  • Edited
Zendesk Customer Care

Question

How can I authenticate API requests using one of Zendesk v2 APIs?

Answer 

You must be a verified user to make API requests. Authenticate API requests using basic authentication with your email address and password, with your email address and an API token, or with an OAuth access token.

All methods of authentication set the authorization header differently. Credentials sent in the payload or URL are not processed.

This article includes information on the following topics:

Password

If you use basic authentication, combine your email address and password to generate the authorization header. The email address and password combination need to be a Base-64 encoded string. Format the authorization header as below.

Authorization: Basic {base-64-encoded email_address:password}

API token 

If you use an API token, combine your email address and API token to generate the authorization header. The email address and API token combination need to be a Base-64 encoded string. Format the authorization header as below.

Authorization: Basic {base-64-encoded email_address/token:api_token}

OAuth access token

If you use OAuth to authenticate, format the authorization header as below.

Authorization: Bearer oauth_access_token

For more information, see this article: Using OAuth authentication with your application.

Viewing your authorization header

If you want to see exactly what is sent by your app, use a third-party page like Request Bin. Compare your headers to those being generated by a webhook using an OAuth authentication. Point the webhook to your requestb.in URL and, on the Add webhook page, click Test webhook to see this in action:

add webhook page

Once that hits your requestb.in, it shows up like this:

requestbin 

The string after Authorization: Bearer is the API key provided by RequestBin in your account settings under Programmatic Access.

  

If you use python to make requests, set your session headers as follows.

session = requests.Session()
session.headers = {'Content-Type': 'application/json', 'Authorization': 'Basic Basic_64_encoded_code'}

For more information, see the developer documentation: Security and authentication.

Return to top

8 Comments

  • Bonaliza Garcia

    Hi, I'm working on a custom request form for our end-users (but still within our Zendesk subdomain). When I try to submit the form and send the data to create the request, it returns with a 403 error. The same code works on postman and the request is being created.

    I'm having a hard time figuring out why im getting a 403. I tried both email/token:api_key authentication and basic email:password authentication.

    https://support.zendesk.com/hc/en-us/community/posts/1260800839050-403-error-when-creating-request-via-API 

    0
  • Tomer Ben-Arye

    @...

    I think my code 5 post above will help you.

    https://support.zendesk.com/hc/en-us/articles/115000510267/comments/360005066074

     

    0
  • Bonaliza Garcia

    @Tomer did you mean the base64 encoded? I did that, my email/token:api_token is encoded. I tried manually encoding it using one of the websites and also dis btoa('email/token:api_token'); but both gave me a 403 error.

    0
  • Bheem Aitha

    Hi @...

    I am getting the same authentication error. Can you please help me on this? I also created a ticket on this.

    C:\Users\yyy> curl https://<subdomain>.zendesk.com/api/v2/users.json -u yyy@<company>.com/token:xxxxxxx

    {"error":"Couldn't authenticate you"}

    Thanks

    -Bheem

    1
  • Waseem Khan
    • Edited

    Hi Team,

    Precindition: Token is created in zendesk

    I as an admin share my email address and token with other team member. Can they acess the API's? or is it like i need to login to zendesk from the same system/pc from where the user is trying to access the API's?

     

    Or they can just pass my email address and token simply without i being logged in to zendesk?

    Regards,

    Waseem

    0
  • Dwight Bussman
    Zendesk Customer Care

    Waseem Khan

    Simply having your email & API token is sufficient for any user to make API requests on behalf of your user. This gives them the ability to do anything your user would be able to do via the API. This includes deleting things like tickets/users/organizations/articles/sections/categories/triggers which can be very destructive. For this reason, I would encourage you to be very selective about who has access to these tokens. 

    0
  • Nick Bolton

    Please make it clearer on this page that you have to Base-64 encode the token. Here's the command that I used on Mac to Base-64 encode my token.

    echo -n 'foo@bar.com/token:abc123' | base64

    1
  • Dwight Bussman
    Zendesk Customer Care

    HeyO Nick,

    Thanks for the feedback. I will make updates to this article to make that clearer.

    1

Please sign in to leave a comment.

Related articles

Powered by Zendesk