This article is intended for Zendesk administrators. For information on the tasks required for developers, see Enabling authenticated visitors.
This article includes the following topics:
About end user authentication for web and mobile messaging
End-user authentication is, simply put, verifying the identity of an end user. The verified end user’s new messaging request can then be connected with their past conversations, allowing agents to better support them.
This section includes the following topics:
Understanding key elements
To understand how end user authentication for messaging works, you should be familiar with the key elements involved in the authentication process:
- JSON Web Tokens (JWT) for authentication. Zendesk uses signed JSON Web Tokens (JWT) for authentication in messaging. These tokens verify the identity of the end users. See jwt.io for detailed information on JWTs.
- Signing key. A signing key is created by a Zendesk admin in Admin Center, and shared with your developer, who will then use it to sign the JWT as necessary. See Creating and sharing the signing key.
- Unique user identifiers, or external ids. These are alphanumeric strings (usernames or customer ID numbers, for instance) that are unique to each user. If you have multiple brands in your Zendesk account, a user must have a unique identifier in each brand.
- User name(optional). Including the name may help agents communicate with end users. If this information is collected and included in the JWT, it will appear in the Agent Workspace. However, it is not required.
Overview of the setup process
To enable end-user authentication, your Zendesk Admin first needs to create the signing key in Admin Center and provide this key (which will contain a secret) to your developer. Your developer will then need to implement a service on your business' back-end that can create the signed JWT and return this to your website or mobile app when requested (steps 1 and 2 in the image below). Any time your user is logged in to your website or app, your developer will need to call an equivalent login API which will be provided in both the Zendesk Web Widget and the Mobile SDKs. At sign-in time, the JWT will be passed to Zendesk in order to verify the claimed identity of the user (step 3 in the image below).
How the end-user and agent experiences are impacted
Once authentication for messaging is implemented, end users and agents will see slight changes in their experiences:
- End users: Once they have been authenticated and their identity has been verified with Zendesk, the end user will not be prompted to provide their name or email address by the messaging bot as part of the default messaging response.
-
Agents: Verified end users will be identified in the Agent Workspace by an authentication icon:
The agents will be able to view the external id as part of the end user's profile.
If the external id provided with the API matches the external id of an existing user, the messaging ticket will be referenced against the existing end user.
When an end user authenticates:
- A new end user will be created. The messaging ticket of the anonymous user will be associated with the newly-created user with the external id.
- If the authenticated end user has a non-closed messaging ticket, that ticket will be updated with the new messages.
- When an end user signs out, a new end user and new messaging ticket will be created for the subsequent conversation.
For example:
- End user A sends a message without signing in. User 1 and Ticket 1 is created.
- End user A signs in mid-conversation. User 2 is created with an external id (if no user with the external id exists).
- Conversation continues in Ticket 1 and the requester is updated to User 2.
For returning authenticated users, there’s a background ticket merge to ensure conversational continuity. For example:
- End user A has an open Ticket 1 as an authenticated user.
- End user A logs out.
- End user A sends a message without signing in. User 2 and Ticket 2 are created.
- End user A signs in again mid-conversation. Authenticated User A is retrieved via the external id and the anonymous and authenticated conversations are merged.
- Conversation continues in Ticket 1 and Ticket 2 is closed.
See Working with authenticated end users in the Zendesk Agent Workspace.
Creating and sharing the signing key
As mentioned in the section above, a Zendesk administrator must create a signing key and share it with the developer for use in the JWT. You can store up to 10 keys. Creating a signing key also enables messaging metadata variables in Flow Builder.
To create and share a signing key
- In Admin Center, click
Account in the sidebar, then select Security > End user authentication. - Click the Messaging tab, then click the Create key button. If you are creating your first key, this button appears at the bottom of the page; if you have previously created a key, it appears in the top-right corner.
- In the Create new key dialog, enter an identifying name for the key, then click Next.
- In the Copy shared secret dialog, click Copy to save the secret to your clipboard, then click Hide key forever.
You’re returned to the Messaging tab, where the new key appears in the signing key list with the first six characters of the secret shown.
- Confidentially send the key ID and the shared secret key to your developer, who can then use it to create the JWT. See Enabling authenticated visitors for more information.
If you generate a new key but have reached your 10-key limit, a notification appears, asking you to delete any unused keys.
To delete an unused key
- In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- Click the Messaging tab.
- Hover over the key you want to delete, then click the option menu icon and select Delete.
- Confirm the action by clicking Delete key.
Current limitations
The following limitations apply to the current version of end-user authentication in messaging:
- Restricted Guide articles. Guide articles that require authentication will not be available to users initially, even if they are authenticated. We will make additional improvements to the messaging product to enable users to view Guide articles that require user authentication. Articles that do not require user authentication are not impacted.
- Email addresses in Agent Workspace. The email address of the end user will not be visible in Agent Workspace initially. This is also a limitation that we are actively working to remove. We would encourage businesses who wish to view the user’s email address in Agent Workspace to include this data in the JWT payload in order to prevent future development once this limitation is removed, but it is not necessary. Alternatively, you can use external id to surface email address, if the email address is a unique identifier for your customers.
106 Comments
Hi,
Hi, as per this article when do you think realistically the email address will be included in the newly created contact. This is important for us before we go live with chat on our site and we have been told on numerous occasions that this is coming soon but over a year later this is still a problem.
When a user of our site is logged into our site and engages with ZD messaging, we log them into the Zendesk chat using a JWT token that contains name, email and external Id.
Whilst the name and external id are set, the email address is not and it is vital to our operations to ensure this is automatically set rather than our agents having to manually set it which is both error prone and time consuming.
Please can you give an update on this work with a realistic timeframe for it being implemented?
Thanks
It is now Q2, is there any update on this improvement for the ability to pass the email address? The metadata is now available in flow builder, how come it cannot pass into agent workspace?
Our organization found another workaround for passing in the email address: before authenticating to messaging, we generate the token used for SSO authentication, and have the browser make a call to the Zendesk JWT SSO endpoint https://support.zendesk.com/hc/en-us/articles/4408845838874-Enabling-JWT-single-sign-on#topic_w5x_1fh_3fb (in no-cors mode, ignoring the response). We also set the same externalId for each user on both SSO JWTs and messaging JWTs.
The end result is that anyone signing into messaging has their account linked to the one used by SSO, and the email shows up as you'd expect.
Is there an ETA on a fix cause this does not work as expected:
Scenario's:
ONLY when you merge the logged in Messaging user and the existing email user profiles you can achieve a mapping to the same user. But since Zendesk does not show the email address of the logged in Messaging anywhere in the interface, there is no way for an agent to know who to merge too.
EXCEPT if you have SunCo, you can then do some API lookups and retrieve the required values to be able to merge the users.
I recorded a video below that explains it better:
https://youtu.be/5HwXmZPz2pU
And wrote an in depth technical write up about it here:
https://internalnote.com/deepdive-into-messaging-profiles/
Thomas (internalnote.com) You need to use external ID to match users with one another.
When a user is created in your system, you need to create it in Zendesk with the given external ID from your system. Meaning, you need to use the Create or Update API endpoint, to create a user in Zendesk every time a User is created in your system.
When a user signs into messaging and is authenticated using JWT, you need to pass external ID as a parameter.
This will automatically merge the User that just signed in, with the user that is already created in your system, linking the Messaging Ticket immediately.
To circumvent Zendesks implementation of the JWT authentication, I'd also recommend always having a User Create or Update Call before passing the JWT auth.
This will guarantee that even if a new user is logged in through Messging, the user is first created with his Email and external ID, and then can be merged into for future Messaging conversations.
Hey,
That was supposed to work, but in my testing (video in Loom) that does not work as expected.
Thomas (internalnote.com) Wow.
I just watched your video and I am stunned by how this feature is still not properly implemented yet. I am glad I postponed our implementation after taking an initial look at it.
My impression was, and even from reading the support article, this is the behavior I would expect, is that once a user authenticated through messaging, a user is with an external_id is created in Zendesk, and merged into potentially an existing user (if that existing user shares the external_id).
The current state of the implementation seems like a bit of a mess, since the "external id" that is shown... is not actually an external ID as you would expect in Zendesk. It's just the SunCo external ID surfaced next to the user...
I would like to make an enhancement request for the flow below.
From my experience, even if Ticket 2 is closed, it simply adds a "closed_by_merge" tag, and the agent doesn't know if it was merged by the ticket, but the user doesn't know.
As a handy example, when an agent merges a ticket, a comment like the one below is left on the ticket.
Request #330434 "merge test1" was closed and merged into this request. Last comment from request #330434:
This request has been closed and merged into request #330435 "merge test2".
I think the comments above are also necessary when merging messaging tickets.
There is one more user here in South Korea waiting for the "email address mapping feature".
Hi everyone and Zendesk product team,
I have found that the messaging widget and classic web widget (Enabling authenticated visitors in Web Widget (Classic) – Zendesk help) has similar features related to jwt auth.
Expiration time of token must be within 7 minutes and you should rotate it before its expiration time while chatting.
Why didn't you mention this in the documentation for the messaging widget?
And I am also waiting for the "email address mapping feature".
Quick update from my side:
Apparently my Zendesk account was tagged with an internal flag that prevented External ID matching. This flag has now been removed by Zendesk Support and the issue was resolved.
The only remaining feature gap is now the lack of email matching for scenarios where users do not have an external ID set.
Thomas (internalnote.com) Thank you for your article on `internalnote.com`. Very hot topic.
Apparently we all have access to Sunshine Conversation keys inside of the Admin Panel now?
If so you can use this flow to do a lookup of users and merge profiles:
https://internalnote.com/deepdive-into-messaging-profiles/
GitHub - verschoren/messaging_user_merger
Hi, I would like to prefill the message for the user. Is that possible?
Hi, Prakruti Hindia Mick O'Donnell
Is there any update on this improvement in the ability to pass the email address for newly created users? We recently changed to messaging channel, this issue affects us heavily. Because we can't send follow-up messages without the user's email in the ticket. That does not make sense. Please solve this issue sooner.
Please sign in to leave a comment.