Using OAuth authentication with your application

Return to top


  • David Blevins

    Hi Support,

    Once the user has been authenticated, how can we use the ZenDesk API to figure out exactly who was just authenticated?  Is there an API call we can use to find the id of the user associated with the token and get basic information such as their email and what organization they belong to?

  • Cesar

    hi Greg!

    Excuse me for the late reply and it works well with `Implicit grant flow` &  `Password grant type`, but not with `Authorization code grant flow`. 

    Is there a more stepwise guide on how to get that flow working?


  • IT Support

    Good evening,

    In trying to setup the oauth authorization flow, I am getting a 405 on the preflight request to /oauth/tokens. I have double, triple and quadruple checked my code against the docs and examples, but with no success. Am I missing something in understanding what Zendesk expects to grant an access token? For example, am I running into errors because my origin is http://localhost:8081(i.e. not https)? Is there a way to avoid the sending a preflight with the OPTIONS method that's returning the 405?

    onMounted(() => {
    let authCode;
    if (route.query.code) {
      authCode = route.query.code

    const requestZendeskAccessToken = (authCode) => {
    const url = "https://{SUBDOMAIN}";
    const data = {
      'grant_type': 'authorization_code',
      'code': authCode,
      'client_id': '{CLIENT_ID}',
      'client_secret': '{SECRET}',
      'redirect_uri': 'http://localhost:8081/order/search',
      'scope': 'read write'
    }, data, {
      headers: {'Content-Type': 'application/json'}
      .then(data => console.log("Successful Access Token Req ", data))
      .catch(err => console.log("Failed Access Token Req ", err));

    // ...Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
  • Robert Newman

    We are also seeing this issue having cropped up in the last couple of weeks with our application that was working and there have been no changes on our end recently. 

    I have noticed in testing that the format of the access_token has changed it is now twice as long as some of the ones that were created. The older shorter tokens continue to work but I get a similar error message to Cesar when using the newer style tokens. 

    "The access token provided is expired, revoked, malformed or invalid for other reasons."

  • Georg

    Hi there, 

    We would like to allow a 3rd party service to pull data from our Help Center articles via API. If I get this right, OAuth authentication would be a good choice, but I don't see any option to restrict the API requests to ready-only. Is this possible? Does my question even make sense? ;-) 

  • Dainne Lucena
    Zendesk Customer Care

    Hi Georg

    This might be an article (OAuth Tokens-Scopes) worth checking out. It provides details regarding the scopes parameter so you can set the access as either "read" or "write". Hope this helps!

  • Georg

    Thanks, Dainne! 

  • Pavan

    Hi Support Team,

    How do I renew the token which is generated using https://{{baseurl}}/oauth/tokens? Please help.

  • Wyatt

    Hi, is there a way to force a user to re-login when they go through the OAuth flow? I tried adding  "&login=true" to the URL, but that did not work.

  • a a

    i am getting this error


  • Dainne Lucena
    Zendesk Customer Care

    Hi a a
    Based from the screenshot you provided I would suggest looking into this developer doc as well to help you with the Help Center API.

    The "invalid authorization request no such client" error can occur when the Client ID/secret is incorrect, or if an incorrect redirect URL is configured.

    The OAuth "Client ID" that should be used is the "Unique Identifier" value that's displayed in the Admin Center > Apps and integrations () > APIs > Zendesk APIs > OAuth Clients screen:

    If using our APIs to access the list of OAuth clients, it's the "identifier" attribute returned by the /api/v2/oauth/clients endpoint. Make sure to use this identifier value and not the 'id' value returned by the API.

    Hope this helps!

  • Mullai Rajan

    How to get the Client's data such as email id, username, etc., After being OneAuthenticated in my Application, to be specific after obtaining the access_token, How to extract or fetch the client's Data?

    Just like the JSON, we get from the 'me.json' request.


  • Dane
    Zendesk Engineering
    Hi Mullai,

    OAuth 2 is used to authenticate all your application's API requests to Zendesk. Once it has been completed, you can refer to Zendesk API, for all the available data that you can extract from your Zendesk instance.
  • Prashant Bajpai


    I generated the access token using OAuth client flow with "read" scope. When I try fetching any details, I get this error - 

    "error": "invalid_token",
    "error_description": "The access token provided is expired, revoked, malformed or invalid for other reasons."

    What am I doing wrong?

  • Dane
    Zendesk Engineering
    Hi Prashant,

    This error means that you are not using a valid token. It's possible that instead of an OAuth, you are just using an API token. Please try to follow the steps again and contact our support directly if you encounter the same issue. 
  • Walter

    Hi Dane

    Is there anyway to prevent the delete capability when I need the write scope for tickets and users?

  • Alex M

    For generate token i use link https://{{sub-domain}}
    after that try send request to endpoint
    and receive response:

    "error": {
    "code": "unauthorized",
    "details": "Required access token is missing, malformed, expired, or invalid.",
    "message": "request is unauthorized"
    Where problem? how it fix? i asked twice to support but did not receive suggestion
  • Mike dela Rosa
    Zendesk Customer Care
    HeyA Walter! Did check our list of scopes here: OAuth Tokens for Grant Types but there's not a way to exclude the delete capability as it's included in the write scope.
  • Robert Hung

    Hello! I have tested the two endpoints for revoking token, and noticed the one ending with /current does not work as expected. I get a 204 response, but I can continue using the same token for future requests.

    I did a comparison of the other revoke endpoint that requires you to pass in the /{oauth_token_id} and this works as expected - all subsequent requests return with a 401 unauthorized.

    Is this expected, or am I missing something?

    I would prefer to use that endpoint because the access token we provide does not have full read scopes, preventing the use of the show token endpoint to retrieve the oauth_token_id and revoke using the working endpoint.


Please sign in to leave a comment.

Powered by Zendesk