• JWT: Zendesk uses signed JSON Web Tokens (JWTs) to authenticate end users for messaging. These tokens contain details that verify the identity of the end users. For more information about JWT, see jwt.io.
• Signing key: A signing key is created by a Zendesk admin in Admin Center and shared with a developer on your team, who then uses it to sign the JWT as necessary.
• External ID: An alphanumeric string, such as a user name or ID from an external system, that is unique to each user. This is the primary identification for messaging authentication, even when an email address is included in the JWT.
• User name: (Optional) The name of the end user associated with the external ID or email address. If you include the user's name in the JWT, it appears in the Agent Workspace. This information can help agents communicate with end users.
• Email: (Optional) The unique email address associated with an end user.

1. The process of messaging authentication begins with an admin generating a signing key and providing it to a developer. Then the developer uses the signing key to implement a back-end service that can create signed JWTs for users as requested.
2. When requested, the back-end service creates and returns signed JWTs to your website or mobile app. The JWTs created by this service must include a unique external ID and, optionally, an email address to identify the end user.
3. Any time the user is logged in, your website or app needs to call an equivalent login API available for web widget and mobile SDKs, at which time the JWT is passed to Zendesk to verify the claimed identity of the user.

• Zendesk Agent Workspace is activated.
• You're using the web widget or mobile SDK channels for messaging.

• You associate email identities with end users.
• If you want authenticated users to have verified email identities, the JWTs you issue to end users must contain both the email and email_verified: true claims.

1. In Admin Center, click Channels in the sidebar, then select Messaging and social > Messaging.
2. Click Manage settings.
3. Click Email identities, and then select one of the following options:
   • Use only verified emails: Email identities are created only for users who are authenticated and have a verified email address included in their issued JWT. Agents can still manually add an email identity to a user record.

     With this option, agents see the email address provided by unauthenticated end users in the chat history, but they won't see an email identity attached to the user in the essentials card. If an agent needs to follow up with an unauthenticated user over email, they must manually add the email identity to that user record. If the unauthenticated user's email address already exists on a different user record, the agent has the option to merge the two user records.

     Prior to manually adding an email identity or merging two user records, we recommend having your agents perform an identity verification check to prevent social engineering attacks.

   • Use both verified and unverified emails: Email identities are created both for users who are authenticated and have a verified email address in their JWT as well as for unauthenticated users who provide email addresses through bot flows. With this option, agents are more likely to find the end user's email address in the essentials card, and email identities for unverified email addresses are clearly marked as unverified in the Agent Workspace. When needed, agents can ask end users to authenticate if they need to send email follow-ups.

     In the event of a conflict, verified email identities supersede unverified email identities.

4. (Optional, but not recommended) If you want any user, even unauthenticated users, to be able to claim verified email addresses, select Unauthenticated user can claim verified emails.

   When you select this option, the verification state of email identities collected from messaging channels is no longer trustworthy because an imposter can show up after a user is authenticated and take possession of their email status in a later messaging interaction. This means impersonation attacks are more likely to succeed and agents have limited means of knowing whether the end user is who they claim to be. However, verified email identities still superscede unverified email identities and the email identity is removed from the imposter's user record.

5. Click Save settings.

• external_id: (Required) This is the unique alphanumeric string that can be used to identify each user. Commonly, these IDs are pulled from external systems. An ID can't exceed 255 characters.

  Zendesk uses the external_id as the primary identifier for users authenticating over messaging. When authenticating a user with a valid JWT, Zendesk first resolves an existing user with the external_id. If no external_id match is found, users are resolved using the email address provided. See Issuing JWTs with email addresses.

• scope: (Required) The caller's scope of access. The only valid value is user.
• name: (Optional) The name of the user. Including the name in the JWT payload enables Zendesk to display the user's name in the Agent Workspace and helps your agents provide more customized support.

• email: (Required) The email address of the user being signed in. Must be unique to the user.

  Set the email address to the user's primary email address in Agent Workspace. The inclusion of secondary email addresses in JWTs isn't supported.

• email_verified: (Optional) Whether or not the end user in question has proven ownership of the email address. If you want end users to have verified email identities, the JWTs you issue must contain both email and "email_verified": true claims.

{
    "external_id": "12345678",
    "email": "janes@soap.com",
    "email_verified": true,
    "name": "Jane Soap",
    "scope": "user"
}

• Update the JWT to use a different external_id value or email address.

  OR

• Delete the user with the conflicting external_id, freeing it up to be used by a different end user. See Delete User in the Sunshine Conversations API.