Using OAuth authentication with your application

First, your application has to send the user to the Zendesk authorization page. The page asks the user to authorize your application to access Zendesk on their behalf. After the user makes a choice, Zendesk sends the choice and a few other bits of information back to your application.

To send the user to the Zendesk authorization page

Add a link or button in your application that sends the user to the following URL:

https://{subdomain}.zendesk.com/oauth/authorizations/new

where {subdomain} is your Zendesk core subdomain, not a host-mapped subdomain.

You can use either a POST or a GET request. Include the following parameters:

• response_type - Required. Zendesk returns an authorization code in the response, so specify code as the response type. Example: response_type=code.
• redirect_uri - Required. The URL that Zendesk should use to send the user's decision to grant access to your application. The URL has to be absolute and not relative. It also has to be secure (https) unless you're using localhost or 127.0.0.1.
• client_id - Required. The unique identifier you obtained when you registered your application with Zendesk. See the section above.
• scope - Required. A space-separated list of scopes that control access to the Zendesk resources. You can request read, write, or impersonate access to all resources or to specific resources. See Setting the scope.
• state - An arbitrary string included in the response from Zendesk after the user decides whether or not to grant access. You can use the parameter to guard against cross-site request forgery (CSRF) attacks. In a CSRF attack, the end user is tricked into clicking a link that performs an action in a web application where the end user is still authenticated. To guard against this kind of attack, add some value to the state parameter and validate it when it comes back.
• code_challenge - Required if using PKCE. A string representing a code challenge derived from a code verifier. See Generating the code_challenge value in the developer documentation.
• code_challenge_method - Required if using PKCE. The method used to derive the code challenge. Specify "S256" as the value.

Make sure to URL-encode the parameters.

Example GET request

https://{subdomain}.zendesk.com/oauth/authorizations/new?response_type=code&redirect_uri={your_redirect_url}&client_id={your_unique_identifier}&scope=read%20write

The Zendesk authorization page opens in the end user's browser. After the user makes a decision, Zendesk sends the decision to the redirect URL you specified in the request.

Your application has to handle the response from Zendesk telling it what the user decided. The information is contained in URL parameters in the redirect URL.

If the user decided to grant access to the application, the redirect URL contains an authorization code. Example:

{redirect_url}?code=7xqwtlf3rrdj8uyeb1yf

The authorization code is only valid for 120 seconds.

If the user decided not to grant access to the application, the redirect URL contains error and error_description parameters that inform the app that the user denied access:

{redirect_url}?error=access_denied&error_description=The+end-user+or+authorization+server+denied+the+request

Use these values to control the flow of your application. If the URL contains a code parameter, get an access token from Zendesk as described in the following section. This is the token to include in API calls to Zendesk.

If your application received an authorization code from Zendesk in response to the user granting access, your application can exchange it for an access token. To get the access token, make a POST request to the following endpoint:

https://{subdomain}.zendesk.com/oauth/tokens

Include the following required parameters in the request:

• grant_type - Specify "authorization_code" as the value.
• code - Use the authorization code you received from Zendesk after the user granted access.
• client_id - Use the unique identifier specified in an OAuth client in the Support admin interface (Admin > Channels > API > OAuth Clients). See Registering your application with Zendesk.
• client_secret - Use the secret specified in an OAuth client in the Support admin interface (Admin > Channels > API > OAuth Clients). See Registering your application with Zendesk.

  If you use the PKCE code_challenge and code_verifier parameters, client_secret is not required. You can use this characteristic to migrate from the implicit grant flow, which is no longer recommended because of security concerns. See Using PKCE to migrate from the implicit grant flow in the developer documentation.

• redirect_uri - The same redirect URL as in step 1. For ID purposes only.
• scope - See Setting the scope.
• code_verifier - Required if using PKCE. The string used to generate the code_challenge value. See Generating the code_challenge value in the developer documentation.

The request must be over https and the properties must be formatted as JSON. If you use a custom or third-party application to make the API request, see its documentation for the proper format of property values.

Using curl

curl https://{subdomain}.zendesk.com/oauth/tokens \
  -H "Content-Type: application/json" \
  -d '{"grant_type": "authorization_code", "code": "{your_code}",
    "client_id": "{your_client_id}", "client_secret": "{your_client_secret}", 
    "redirect_uri": "{your_redirect_url}", "scope": "read" }' \
  -X POST

Example response

Status: 200 OK

{
  "access_token": "gErypPlm4dOVgGRvA1ZzMH5MQ3nLo8bo",
  "token_type": "bearer",
  "scope":"read"
}

The app can use the access token to make API calls. Include the token in an HTTP Authorization header with the request, as follows:

Authorization: Bearer {a_valid_access_token}

For example, a curl request to list tickets would look as follows:

curl https://{subdomain}.zendesk.com/api/v2/tickets.json \
  -H "Authorization: Bearer gErypPlm4dOVgGRvA1ZzMH5MQ3nLo8bo"