Using OAuth authentication with your application

Return to top


  • Paul Strauss

    We recently created an integration with Zendesk which allows our agents who are logged into the Zendesk support to have access to an internal tool. Every time agents attempt to access our tool, we're presented with a message to "Allow Access to Your Zendesk Account?" This didn't happen during our testing in our Zendesk sandbox account, but it happens in production. Any thoughts on how to make this a one-time "Allow" rather than requiring it every time they log in?

  • Greg Katechis
    Zendesk Developer Advocacy

    Hi Paul! Could you share a bit more information about this integration and how the auth flow is implemented? Please provide as much detail as you can share in a public forum!

  • Greg Katechis
    Zendesk Developer Advocacy

    Hi Raghav, I responded here!

  • Nick Hemenway

    Hello, I'm trying to implement the Password grant type OAuth flow, and I'm having trouble understanding how I'm supposed to obtain the user's username and password in order to request the OAuth token for the first time. This section seems to imply that there is an endpoint to retrieve the username and password I need, but I haven't been able to find this endpoint. Any advice? Thanks

  • Vitaliy Markitanov


    Do you support OIDC brokering?
    Idea is that I have IDP and my web users should authenticate with my IDP via SSO.


  • Jason Schaeffer
    Zendesk Customer Care

    Hello Vitaliy,

    Zendesk does not currently support OpenID Connect, and according to our product team, this is not currently something on our Road Map.  Apologies for the inconvenience. 

  • Paul Moran

    The "authenticity_token" mentioned in the comment above doesn't work for me. The format of the csrf_token (which I was able to access using the v1 template api) and this authenticity_token are different. 

  • Bernardo Reis

    Hi there. I've implemented the OAuth authentication flow as suggested and have requested the following scopes:

    'users:write tickets:write organizations:write identities:write read'

    Everything works as expected, except when I try to use Zendesk's API to delete user identities. I get the following error:

    {"error":"Forbidden","description":"You are missing the following required scopes: write"}

    Shouldn't the 'users:write' scope let me manage user identities? Or do I need an additional scope? Looks like that 'identities:write' is not a valid option

  • Ariane Frances dela Cruz

    Hello Bernardo, 

    I'd like to look further into this, I'll be creating a ticket for you, kindly expect an email shortly. 

  • Greg Katechis
    Zendesk Developer Advocacy

    Hi Tiel! Is this in relation to a Zendesk feature or is this just a general question about Oauth?

  • Nishant Gupta

    I have been trying to implement OAuth in Rest API.
    Please note that I don't have web app(in which I can use redirect URL)
    Only Backend - REST api

    With all the oauth Authentication types, it is confusing to follow which one is the best to do.?
    Which curl commands helps me authenticating with Zendesk successfully using oauth

    Is the password grant type best suited for this type with below curl command? or what alternatives we have ?

    curl https://{subdomain} \
      -H "Content-Type: application/json" \
      -d '{"grant_type": "password", "client_id": "{your_client_id}", 
        "client_secret": "{your_client_secret}", "scope": "read",
        "username": "{zendesk_username}", "password": "{zendesk_password}"}' \
      -X POST
  • Viktor Hristovski

    Hi, im generating an OAuth token in Zendesk for our developers, but we are getting :unauthorised" even in the simple curl  command for example:

    curl \ -H "Authorization: Bearer gErypPlm4dOVgGRvA1ZzMH5MQ3nLo8bo"

    we are getting : {"error":"invalid_token","error_description":"The access token provided is expired, revoked, malformed or invalid for other reasons."}

    What are we doing wrong?

  • Chinh Phan


    How can I get the full access token within just one API? I'm using javascript to call, and implement a ticket form from my website.


  • Cheeny Aban
    Zendesk Customer Care

    Hi Chinh Phan

    What do you mean by full access API token? Can you tell us more about your use case so we can check it for you?


  • Chinh Phan

    Hi Cheeny Aban,

    I'm implement the contact form from Frontend via Javascript, submit Ticket to Zendesk. Look like this: 

    When I try to POST a ticket to zendesk, I'm facing the CORs issue (I used all tokens, aouth in zendesk setting).

    Ticket's API requires the authorization is "Bearer " + access_token.

    I thought the API get access_token work when I tested via Postman: https://{subdomain}
    But no, when I apply API get access token to javascript code. I'm also facing the CORs issue.

    If I implement as in the document at:

    when browser redirect to the url: https://{subdomain}{your_redirect_url}&client_id={your_unique_identifier}&scope=read%20write

    It forces I have to login into zendesk. It is not feasible for users who do not have an account.

  • Óskar Ómarsson

    Not sure if this is the correct place to ask this but I'm trying to create a workaround for limitations in Zendesk Automation, I need to be able to add private comments to a ticket when an automation does change the ticket, just to inform any agent that would open up the ticket after the automation is executed.

    Now I've achieved this using Webhooks to call Zendesk API

    But only by using my own username, this will result in a certain username being placed with the comment, making it look like I made that internal comment.

    My desire is to make it look like the system, which indeed is doing this, made the internal comment.

    It appears that I can't use the Zendesk API Token unless I use my own username, please correct me if I'm wrong

    And I can't get the OAuth Client tokens to work as a bearer token authentication.

    What am I missing?

    Best regards



  • Taylor Clark

    Is there an existing query parameter I can use to force login on the authorization step? Currently if a user is already logged in it goes directly to the Authorization screen. I'd like to force users to login every time they go through the flow.
    The use case is that our integration requires an administrator and we can't figure this out until after we retrieve the token and then retrieve the authenticated user by ID

  • Taylor Clark

    Actually figured it out just now using the UI - `&login=true`


Please sign in to leave a comment.

Powered by Zendesk