Enabling JWT single sign-on

Return to top


  • Poirot Julien


    I'm trying to do the same thing that Raghav requested 2 posts above: once authenticated, redirect to Zendesk with the JWT payload and then back to the application.

    So I'm redirecting to abc.zendesk.com/access/jwt?jwt=token&return_to=https://my_app_url/

    It redirects to the return_to url but the Zendesk session is not opened. Is there another way?

  • Brenda Cardinez

    Hi Julien, 

    I'm sorry for any inconvenience. I've created a ticket for your question so we can look into your specifics with you. Thank you! 


    We are trying to setup JWT and everything is meeting Zendesk requirement.
    But got the error "JWT signature invalid. The signature cannot be verified ,check that your tokens match."
    We cannot do anything to this message now.Can someone help here?
    Thanks in advance!

  • Shayne Traqueña
    Zendesk Customer Care

    Hi Xiengcheng Jin,

    Thanks for reaching out, happy to help here! As for the error, possible cause is that the shared secret used to generate the hashed portion of the payload does not match the shared secret listed under Security > SSO > JSON Web Token.

    Since only the first several characters of the shared secret are displayed in the Zendesk UI, generally users who receive this error must generate a new shared secret and update the JWT script with the new secret.

    Additional cause/s:
    - The supplied JWT headers do not contain the "typ" or "alg" parameter. Most JWT implementations should supply these headers automatically.
    However, if your team rolls your own implementation (or uses an out-of-date version of our Classic ASP implementation) this error may appear. Most JWT implementations should supply these headers automatically. In this case, Base64 decoding the first section (headers) of the request's JWT parameter can confirm this as the cause of the issue. If either the "typ" or the "alg" parameter is missing, the error can appear:


    I hope this helps and points you in the correct direction.


    Shayne Traqueña

  • Justin

    When my nodejs backend redirects to the `https://<mydomain>.zendesk.com?jwt=xxxx` url, I can see that the redirect was blocked because of CORS policy. 

    Access to XMLHttpRequest at 'https://xxxx.zendesk.com/access/jwt?jwt=xxxx' 
    (redirected from 'https://api.mydomain.com/v1/auth/login')
    from origin 'https://dashboard.mydomain.com' has been blocked by CORS policy:
    Response to preflight request doesn't pass access control check:
    No 'Access-Control-Allow-Origin' header is present on the requested resource.

    Is there any setting in the Zendesk Admin panel, that I should change so that zendesk's CORS policy allows redirect from my domain?

  • Shayne Traqueña
    Zendesk Customer Care

    Hi there!

    Regarding the error you are receiving, please make sure to check out our article here:


    I hope this helps!



  • Charles Lloyd

    This for Simran. For some reason I got notified of your comment but can't see it here.

    Remove the exp from your payload. Zendesk doesn't like it. Here is a snip from my C# code:

    JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);
    foreach (KeyValuePair<string, object> entry in payload)
    token.Payload[entry.Key] = entry.Value;

    //Zendesk not expecting nbf

    //Zendesk doesn't support exp

  • Simran Khosla

    Hey Charlie thanks so much for your response!
    I actually deleted my comment because I realized we just hadn't hit the button for Team Members to check the box to use JWT. =\ Foolish mistake on my end and all seems to be working fine now!

     But thank you for your note! I can absolutely remove expiration time to clean this up as well ! 

  • Simran Khosla

    One more question for you Charlie. 
    We'd like to pass both an organization and an organization_id as part of the JWT when we login / create users. There's a few things I'm confused about -- i

    1. It says if we pass an organization_id claim on the token "If both organization and organization_id are supplied, organization is ignored." -- we're looking to see how we would get both pieces of information in there. Essentially our data is structured with Org#22: Organization Name. So we'd like to pass both pieces of information over here so we can store the ID and the Organization name. How would you suggest we do this? Should we just add it to a custom user field instead and use Organization. 

    2. We also have a case where users can have multiple organizations so we know we can pass strings as the organizations attribute but, is it possible to also supply a set of IDs there?

    Thanks in advance for your assistance!

  • Charles Lloyd

    Hi Simran,

    It was a long time ago when I worked on it, I don't know if you can free form name - value pairs in the payload. 

    The way we do Zendesk is to create many "brands" that correspond to our products and beyond that we use Zendesk tags to create permission groups of who can see what within a brand. Tags are an array so you could encapsulate a lot of logic based on them if you desired.  


    // // create payload to log designated Epicor app user onto Zendesk wtih tags
    payload = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase) {
    { "iat", timestamp },
    { "jti", System.Guid.NewGuid().ToString() },
    {"tags", aryTags },
    { "name", userName },
    { "email", userEmail }

  • itay mendelawy

    hi @... or anyone from the content team... there's missing information in this article that is very critical for my implementation.

    1. the JWT attributes mention the ability for setting up multi-org membership with the "organizations" attribute. However, this attribute is not documented.

    2. when i'm using the "organization" attribute, will zendesk create the org if it is not created?

  • Fredrik Johansson

    We're using SSO with the JWT endpoint and the external_id field. An issue that we're having is that ZD throws an error when a user changes his/her email at our system and then tries to SSO to an existing account (with the external_id remains the same). An example:

    If our UserId 123 <user@email.com> visit ZD, we use SSO by passing something like this: { external_id: 123, email: "user@email.com", ... } to the endpoint https://nnn.zendesk.com/access/jwt?jwt=...&return_to=yyy. This works great, ZD creates the user.

    Now, if our user changes his/her e-mail to new@email.com in our system, then the next time we use SSO the following JWT is passed: { external_id: 123, email: "new@email.com", ... }. Which results in an error.

    I would like to see a setting in ZD where you may configure SSO to allow updating e-mailaddresses if external_id is provided, via the SSO feature. Thanks!

  • Ursu Alexandr

    I get this error, could you please help figure out what could be wrong? Apparently only existing users can SSO.

  • Christophe Tiraboschi
    Zendesk Customer Care

    Hi Ursu Alexandr,

    Normally, any user can log in through SSO if your Zendesk instance is open. By open, we mean that anyone can submit a ticket. You can check this setting in In Admin Center > People icon in the sidebar > Configuration > End users:

    You can find more details in this article:

    If the issue happens despite having this setting enabled, please let me know here and I'll create a ticket on your behalf to gather more details and work on a solution.

  • Christophe Tiraboschi
    Zendesk Customer Care
    Hi Frederik,
    You should indeed have an error if another user in Zendesk uses the email address new@new.com. Otherwise, it should update the user with this email address since one of the points of using external_id is when users email addresses are subject to change. Please double check and let me know here if you are still encountering an error.
  • Ursu Alexandr

    Thank you Christophe, actually what helped to get rid of that error (https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk. ) was: Enable external authentication

  • Mike-E

    Hey there... I am interested in using ZenDesk for my .NET6 application and would greatly appreciate any guidance you can provide.  I see the reference posted... from 10 years ago. 😁  It would be valuable to have something that is a little more current.

    Thank you for any assistance/consideration you can provide. 🙏

  • Kumail Raza

    How to increase the jwt token time from 3minutes to some X-time? 

  • Rohan Negi

    Hi there,

    As per docs, In JWT single sign-on , email and external_id parameters  are automatically added to the remote logout url.
    But for my application, invalid email id is passed to the Remote Logout url.
    email=invalid%40example.com and external_id is also not passed.
    Could anyone please looked into above issue?

  • Eddie Sawyers

    Forgive me if I'm asking a silly question that's already been answered and I missed . . . but we are looking at end-users authenticating two different ways.  Is that possible?  One large group of end-users AND agents that log in with SAML SSO, and a smaller group of external end-users that would log in using JWT single-sign on.  Is this a possibility?  

  • Jason Schaeffer
    Zendesk Customer Care
    Hi Eddie, 

    At this time it is not possible to authenticate End Users using more than one method. However it is possible with agents as you can use SSO, Social, or Basic Authentication. You can also use Split Authentication that differs for Agent and End Users. I have linked that below for you. 


  • Eddie Sawyers

    Just in case I'm not phrasing it correctly, taking the Agents out of the equation - are you saying that end-users can't have both forms of SSO?  One group of end-users that authenticates using SAML, and other end-users that use JWT?  

    In other words, I have one large group of end-users that currently authenticates using SAML.  I want to have a second group of end-users that would use JWT instead.  

  • Jason Schaeffer
    Zendesk Customer Care
    Hi Eddie, 

    Right, it currently is only possible to split authentication methods between agents and end users, and not possible to have both SAML and JWT offered only to end users. I have an inquiry into one of our SSO specialists to verify and see if any workarounds to that are known, and if there is I will follow up with you and let you know what is possible. 

  • Jimmy McDermott

    Hi! This is helpful, thanks. If the user's external_id is already in the Zendesk system as an end-user, two questions:

    1. Will it recreate the user? (I am guessing not) 

    2. Will this enable the user to receive articles that are scoped to the user's tags and therefore user segments? 

    We are planning on already having the user created in the Zendesk system long before they attempt to use the JWT SSO. 


  • Justin H
    Zendesk Customer Care

    Hey Jimmy! 

    Sorry for the delayed response. To answer your questions, if the user's external_id is already in the Zendesk system,

    1. it will not recreate the user

    2. everything on the user's profile associated with that external_id and email address will be applicable in the Zendesk system, including their tags, so this should work as you anticipate it to.  

    Just make sure that the external_ids are paired with the email addresses these end users have. You can't have duplicates of email or external_id, so make sure to triple check that before implementing your SSO solution. 

  • Gary Thickett

    Is is possible to go directly to the https://yoursubdomain.zendesk.com/access/jwt link from our SAAS as our user's will already been signed in, save them having to sign in again to access the knowledge base we have in Zendesk

  • Eric Nelson
    Zendesk Developer Advocacy
    Hey Gary,

    Unfortunately not as the JWT handshake wouldn't have been completed so the payload wouldn't be included in the request. 

    Sorry for the inconvenience
  • Gary Thickett

    Eric Nelson Sorry what I meant was during the redirect from our app to https://yoursubdomain.zendesk.com/access/jwt generate a JWT and include that in the payload. The issue we have is that each our clients has a unique url for sign-in so redirecting them to a generic login (https://mycompany.com/zendesk/sso) won't work 

  • Diego Hernandez

    Hi, our SSO setup is currently not working, the login attempt does not redirect to our zendesk instance , instead the return url is as follows:


    JWT has been configured in the Admin center with the correct remote login URL . Any hints as to what this error above could indicate? Our hosting team does not identify that error as coming from them. 


  • Hi Zendesk community,

    There's no info about how to create a light agent.

    Is it possible to get the info please?

    Thank you,


Please sign in to leave a comment.

Powered by Zendesk