Enabling JWT (JSON Web Token) single sign-on



  • Julien - Maroc Cloud


    I'm trying to do the same thing that Raghav requested 2 posts above: once authenticated, redirect to Zendesk with the JWT payload and then back to the application.

    So I'm redirecting to abc.zendesk.com/access/jwt?jwt=token&return_to=https://my_app_url/

    It redirects to the return_to url but the Zendesk session is not opened. Is there another way?

  • Brenda Cardinez

    Hi Julien, 

    I'm sorry for any inconvenience. I've created a ticket for your question so we can look into your specifics with you. Thank you! 


    We are trying to set up JWT and everything is meeting Zendesk requirement.
    But got the error "JWT signature invalid. The signature cannot be verified ,check that your tokens match."
    We cannot do anything to this message now. Can someone help here?
    Thanks in advance!

  • Shayne Traqueña
    Zendesk Customer Care

    Hi Xiengcheng Jin,

    Thanks for reaching out, happy to help here! As for the error, a possible cause is that the shared secret used to generate the hashed portion of the payload does not match the shared secret listed under Security > SSO > JSON Web Token.

    Since only the first several characters of the shared secret are displayed in the Zendesk UI, generally users who receive this error must generate a new shared secret and update the JWT script with the new secret.

    Additional cause/s:
    - The supplied JWT headers do not contain the "typ" or "alg" parameter. Most JWT implementations should supply these headers automatically.
    However, if your team rolls your own implementation (or uses an out-of-date version of our Classic ASP implementation) this error may appear. In this case, Base64 decoding the first section (headers) of the request's JWT parameter can confirm this as the cause of the issue. If either the "typ" or the "alg" parameter is missing, the error can appear:


    I hope this helps and points you in the correct direction.


    Shayne Traqueña
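
The two checks described in the reply above (Base64-decode the header section and look for "typ" and "alg", then test whether the signature matches the shared secret you think is configured), as an added Node.js example that is not part of the original thread or Zendesk's own code. It assumes an HS256 token; `signJwt`, `diagnoseJwt`, the secret and the payload values are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Build an HS256 token. The header is a parameter so that a hand-rolled
// implementation that drops "typ" or "alg" can be reproduced.
function signJwt(payload, secret, header = { typ: 'JWT', alg: 'HS256' }) {
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
  return `${signingInput}.${signature}`;
}

// Decode the first section and recompute the HMAC with the secret you believe is configured.
function diagnoseJwt(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return { header: null, problems: ['token does not have three sections'] };
  const [rawHeader, rawPayload, rawSignature] = parts;
  let header;
  try {
    header = JSON.parse(Buffer.from(rawHeader, 'base64url').toString('utf8'));
  } catch {
    header = null;
  }
  if (header === null || typeof header !== 'object') {
    return { header: null, problems: ['header is not a base64url-encoded JSON object'] };
  }
  const problems = [];
  for (const name of ['typ', 'alg']) {
    if (!(name in header)) problems.push(`header is missing "${name}"`);
  }
  const expected = crypto.createHmac('sha256', secret).update(`${rawHeader}.${rawPayload}`).digest();
  const given = Buffer.from(rawSignature, 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    problems.push('signature does not match this shared secret');
  }
  return { header, problems };
}

// Constructed sample values; none of them come from a real account.
const SECRET = 'constructed-shared-secret';
const PAYLOAD = { iat: 1700000000, jti: 'constructed-jti-0001', name: 'Test User', email: 'user@example.com' };

console.log(diagnoseJwt(signJwt(PAYLOAD, SECRET), SECRET).problems);
console.log(diagnoseJwt(signJwt(PAYLOAD, SECRET, { alg: 'HS256' }), SECRET).problems);
console.log(diagnoseJwt(signJwt(PAYLOAD, SECRET), 'regenerated-secret').problems);
```

Run it against the `jwt` parameter your login script actually sends, and keep the shared secret out of any logged output.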

  • Solvvy Demo

    When my nodejs backend redirects to the `https://<mydomain>.zendesk.com?jwt=xxxx` url, I can see that the redirect was blocked because of CORS policy. 

    Access to XMLHttpRequest at 'https://xxxx.zendesk.com/access/jwt?jwt=xxxx' 
    (redirected from 'https://api.mydomain.com/v1/auth/login')
    from origin 'https://dashboard.mydomain.com' has been blocked by CORS policy:
    Response to preflight request doesn't pass access control check:
    No 'Access-Control-Allow-Origin' header is present on the requested resource.

    Is there any setting in the Zendesk Admin panel, that I should change so that zendesk's CORS policy allows redirect from my domain?

  • Shayne Traqueña
    Zendesk Customer Care

    Hi there!

    Regarding the error you are receiving, please make sure to check out our article here:


    I hope this helps!



  • Charles Lloyd

    This is for Simran. For some reason I got notified of your comment but can't see it here.

    Remove the exp from your payload. Zendesk doesn't like it. Here is a snip from my C# code:

    JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);
    foreach (KeyValuePair<string, object> entry in payload)
        token.Payload[entry.Key] = entry.Value;

    // Zendesk not expecting nbf

    // Zendesk doesn't support exp

  • Simran Khosla

    Hey Charlie thanks so much for your response!
    I actually deleted my comment because I realized we just hadn't hit the button for Team Members to check the box to use JWT. =\ Foolish mistake on my end and all seems to be working fine now!

    But thank you for your note! I can absolutely remove expiration time to clean this up as well!

  • Simran Khosla

    One more question for you Charlie. 
    We'd like to pass both an organization and an organization_id as part of the JWT when we login / create users. There's a few things I'm confused about -- i

    1. It says if we pass an organization_id claim on the token "If both organization and organization_id are supplied, organization is ignored." -- we're looking to see how we would get both pieces of information in there. Essentially our data is structured with Org#22: Organization Name. So we'd like to pass both pieces of information over here so we can store the ID and the Organization name. How would you suggest we do this? Should we just add it to a custom user field instead and use Organization. 

    2. We also have a case where users can have multiple organizations so we know we can pass strings as the organizations attribute but, is it possible to also supply a set of IDs there?

    Thanks in advance for your assistance!

  • Charles Lloyd

    Hi Simran,

    It was a long time ago when I worked on it, I don't know if you can free form name - value pairs in the payload. 

    The way we do Zendesk is to create many "brands" that correspond to our products and beyond that we use Zendesk tags to create permission groups of who can see what within a brand. Tags are an array so you could encapsulate a lot of logic based on them if you desired.  


    // Create payload to log the designated Epicor app user onto Zendesk with tags
    payload = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase) {
        { "iat", timestamp },
        { "jti", System.Guid.NewGuid().ToString() },
        { "tags", aryTags },
        { "name", userName },
        { "email", userEmail }
    };

  • itay mendelawy

    Hi @... or anyone from the content team... There's missing information in this article that is very critical for my implementation.

    1. The JWT attributes mention the ability for setting up multi-org membership with the "organizations" attribute. However, this attribute is not documented.

    2. When I'm using the "organization" attribute, will Zendesk create the org if it is not created?

  • Fredrik Johansson

    We're using SSO with the JWT endpoint and the external_id field. An issue that we're having is that ZD throws an error when a user changes his/her email at our system and then tries to SSO to an existing account (with the external_id remaining the same). An example:

    If our UserId 123 <user@email.com> visit ZD, we use SSO by passing something like this: { external_id: 123, email: "user@email.com", ... } to the endpoint https://nnn.zendesk.com/access/jwt?jwt=...&return_to=yyy. This works great, ZD creates the user.

    Now, if our user changes his/her e-mail to new@email.com in our system, then the next time we use SSO the following JWT is passed: { external_id: 123, email: "new@email.com", ... }. Which results in an error.

    I would like to see a setting in ZD where you may configure SSO to allow updating e-mail addresses if external_id is provided, via the SSO feature. Thanks!

  • Ursu Alexandr

    I get this error, could you please help figure out what could be wrong? Apparently only existing users can SSO.

  • Christophe Tiraboschi

    Hi Ursu Alexandr,

    Normally, any user can log in through SSO if your Zendesk instance is open. By open, we mean that anyone can submit a ticket. You can check this setting in Admin Center > People icon in the sidebar > Configuration > End users:

    You can find more details in this article:

    If the issue happens despite having this setting enabled, please let me know here and I'll create a ticket on your behalf to gather more details and work on a solution.

  • Christophe Tiraboschi

    Hi Fredrik,

    You should indeed have an error if another user in Zendesk uses the email address new@new.com. Otherwise, it should update the user with this email address since one of the points of using external_id is when users' email addresses are subject to change. Please double check and let me know here if you are still encountering an error.

  • Ursu Alexandr

    Thank you Christophe, actually what helped to get rid of that error (https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk. ) was: Enable external authentication

