When you provide conversational support, users might try to carry on a conversation across multiple devices and channels. By authenticating end users, you can make sure all points of contact are associated with the correct end user. This can enhance the quality of support your agents provide and increase the security of sensitive information that might come up while agents assist your end users.
- Terminology for messaging authentication
- Overview of implementing messaging authentication for end users
- Creating and sharing a signing key
- Authenticating end users with only an external ID
- Incorporating email identities into your user authentication
- Resolving conflicts between external IDs and emails in JWTs
Related article: Understanding user authentication for messaging.
Terminology for messaging authentication
- JWT: Zendesk uses signed JSON Web Tokens (JWTs) to authenticate end users for messaging. These tokens contain details that verify the identity of the end users. For more information about JWT, see jwt.io.
- Signing key: A signing key is created by a Zendesk admin in Admin Center and shared with a developer on your team, who then uses it to sign the JWT as necessary.
- External ID: An alphanumeric string, such as an ID from an external system, that is unique to each user. This is the primary identification for messaging authentication, even when an email address is included in the JWT.
- User name: (Optional) The name of the end user associated with the external ID or email address. If you include the user's name in the JWT, it appears in the Agent Workspace. This information can help agents communicate with end users.
- Email: (Optional) The unique email address associated with an end user.
Overview of implementing messaging authentication for end users
Zendesk uses JSON Web Tokens (JWTs) to authenticate messaging end users, which provides a flexible and stateless way to verify user identities and secure API endpoints.
- The process of messaging authentication begins with an admin generating a signing key and providing it to a developer. Then the developer uses the signing key to implement a back-end service that can create signed JWTs for users as requested.
- When requested, the back-end service creates and returns signed JWTs to your website or mobile app. The JWTs created by this service must include a unique external ID and, optionally, an email address to identify the end user.
- Anytime the user is logged in, your website or app needs to call an equivalent login API available for Web Widget and mobile SDKs, at which time the JWT is passed to Zendesk to verify the claimed identity of the user.
For more information, particularly for the developers on your team, see Enabling authenticated visitors for messaging with Zendesk SDKs or watch the following video:
Authenticating end users in web messaging (17:22)
Creating and sharing a signing key
Signing keys are used by developers to create JWTs for end users. You must be an admin to create a signing key. You can create a maximum of 10 keys. If you attempt to create a new key after reaching your limit of 10, you are prompted to delete unused keys.
- In Admin Center, click
Account in the sidebar, then select Security > End user
authentication. - Click the Messaging tab, then click Create key.
If you are creating your first key, Create key appears at the bottom of the page. Otherwise, it appears in the top-right corner.
- Enter a Name for the key and click Next.
- When prompted, click Copy to copy the shared secret.
The key is saved and an ID is automatically assigned. You can find a key's ID in the list of keys on the Messaging tab of the End user authentication page.
- Confidentially send the key's ID and the shared secret you copied to your developer.
- Click Hide key forever.
Authenticating end users with only an external ID
To authenticate an end user, you must supply an external ID in the JWTs you issue to users. Zendesk uses the external ID provided in a JWT as the primary identifier for user authentication for messaging. When performing the user authentication, Zendesk first resolves an existing user with the external ID. If an email address is included in the JWT, it is used to resolve user identity only when no existing users match the external ID.
Signing JWTs with an external ID only
- external_id: (Required) This is the unique alphanumeric string that can be used to identify each user. See Selecting the external ID to use in JWTs issued to users.
-
scope: (Required) The caller's scope of access. The only valid value is
user. - name: (Optional) The name of the user. Including the name in the JWT payload allows Zendesk to display the user's name in the Agent Workspace and helps your agents provide more customized support.
{
"external_id": "12345678",
"scope": "user",
"name": "Jane Soap"
}Selecting the external ID to use in JWTs issued to users
- An external ID must be an alphanumeric string.
- External IDs can be a maximum of 255 characters.
- Each user's external ID must be globally unique at the account level.
If your account has multiple brands, external IDs must be unique across all brands.
- A user's external ID should never change.
- A user can have only one external ID assigned to them.
Some examples of good choices for external IDs include: an incremented or randomized ID assigned at initial contact (example: usr_12345) or, for multiple brands, a brand-specific identifier combined with an incremented or randomized ID assigned (example: brand1_a8dedg).
Avoid using the user's email address and phone number because these can change over time and users can have multiple values. Also avoid the user's name, since this may not be unique.
Incorporating email identities into your user authentication
- Authenticated users are authenticated through signed JWTs.
The use of JWTs provides a trustworthy approach because the content of a signed JWT can't be tampered with by end users. If you're concerned about impersonation attacks, you should restrict email identities to authenticated end users. This is the most secure option and is the default configuration for new Zendesk accounts.
- Unauthenticated users are end users who provide an email address in response
to a prompt by a Zendesk bot.
Keep in mind that permitting the use of email identities for unauthenticated users can make you vulnerable to people impersonating other users by providing an email address they don't own.
The following flow chart demonstrates how email identities can be used in your messaging authentication:
Configuring email identities
With the Web Widget or mobile apps, users can provide their email address in response to a form or AI agent prompt. In these scenarios, there's nothing preventing a malicious user from providing someone else's email address in an attempt to impersonate them. However, using JWTs to authenticate users with both external IDs and email identities is a more trustworthy way to assign email addresses to users.
Depending on your settings, agents could see both form-collected and JWT-provided email addresses in user profiles. On new Zendesk accounts, email identities are turned on and configured to use only verified email addresses. This is the most secure option. Older accounts are configured to use both verified and unverified email addresses.
- In Admin Center, click
Channels in the sidebar, then select Messaging and social >
Messaging. - Click Manage settings.
- Click Email identities, and then select one of the following
options:
- Use only verified emails: (Default) Email identities are created only for users who are authenticated and have a verified email address included in their issued JWT.
- Use both verified and unverified emails: In addition to the email identities for authenticated users with verified email addresses being visible in user profiles, unverified email addresses provided by users through AI agent flows are also added to the user's profile.
- (Not recommended) If you want any user, even unauthenticated users, to be able to claim verified email addresses, select Unauthenticated user can claim verified emails.
- Click Save settings.
Using only verified emails
Email identities are created only for users who are authenticated and have a verified email address included in their issued JWT.
With this option, agents see the email address provided by unauthenticated end users in the conversation history, but they won't see an email identity attached to the user. If an agent needs to follow up with an unauthenticated user over email, they must manually add the email identity to that user record.
Using both verified and unverified emails
In addition to the email identities for authenticated users with verified email addresses being visible in user profiles, unverified email addresses provided by users through AI agent flows are also added to the user's profile.
This option is less secure because malicious users could still attempt impersonation attacks. However, agents can inspect the user profiles to determine whether an email address is verified. Unverified email addresses are clearly marked in the Agent Workspace. When agents need to send email follow-ups, they can be instructed to verify end users with security questions to increase confidence that the end user is who they say they are.
| Event order | Event | Resulting email identity |
|---|---|---|
| 1 | An unauthenticated user provides a form-collected email. For example, alice@example.org | Zendesk creates a new, unauthenticated user (id: 12345) with the unverified email identity (alice@example.org). |
| 2 | An authenticated user is issued a JWT with the following
claims:
|
Zendesk creates a new, authenticated user (id: 22345) with
a verified email identity (alice@example.org). The unauthenticated user (id: 12345) loses its unverified email identity because it was superseded by a verified identity. |
Allowing unauthenticated users to claim verified emails (not recommended)
In contrast to the other email identity options, this setting allows users to assume the identity of authenticated users simply by providing that user's email address when prompted. When selected, verified emails don't supersede unverified emails.
This option is the least secure and most susceptible to impersonation attacks. However, diligent agents can still detect potential imposters in this scenario by looking for the green check mark icon on the user's profile and next to their messages, which indicates whether the user is authenticated.
When you select this option, the verification state of email identities collected from messaging channels is no longer trustworthy because an imposter can show up after a user is authenticated and take possession of their email status in a later messaging interaction. This means impersonation attacks are more likely to succeed and agents have limited means of knowing whether the end user is who they claim to be. However, verified email identities still supersede unverified email identities and the email identity is removed from the imposter's user record.
Issuing JWTs with email addresses
- external_id: (Required) This is the unique alphanumeric string that can be used to identify each user. See Selecting the external ID to use in JWTs issued to users.
-
scope: (Required) The caller's scope of access. The only valid value is
user. - name: (Optional) The name of the user. Including the name in the JWT payload allows Zendesk to display the user's name in the Agent Workspace and helps your agents provide more customized support.
-
email: (Required) The email address of the user being signed in.
Must be unique to the user.
Set the email address to the user's primary email address in Agent Workspace. The inclusion of secondary email addresses in JWTs isn't supported.
-
email_verified: (Optional) Whether the end user in question has
proven ownership of the email address. If you want end users to have
verified email identities, the JWTs you issue must contain both
emailand"email_verified": trueclaims.
{
"external_id": "12345678",
"email": "janes@soap.com",
"email_verified": true,
"name": "Jane Soap",
"scope": "user"
}Resolving conflicts between external IDs and emails in JWTs
Zendesk uses the external ID as the primary identifier, with email addresses being used only if no matches are found for the external ID.
It's best to implement messaging authentication with conflict-avoidance in mind. For example, pick your external IDs and email settings in Zendesk to ensure they can't conflict. If, however, an email address presented in a JWT is already associated with a different external ID, Zendesk rejects the JWT and the end user's login attempt fails. When this happens, the conversation begins with the user in an unauthenticated state.
- Update the JWT to use a different
external_idvalue oremailaddress.OR
- Delete the user with the conflicting
external_id, freeing it up to be used by a different end user. See Delete User in the Sunshine Conversations API.
158 comments
Mick O'Donnell
Hi all,
I can confirm that we're currently to delivery for this update of displayed verified email address in Agent Workspace once the end user is authenticated by the end of this month (January).
8
Richard Homewood
Hello Zendesk,
Just wondering if you have an ETA on the current limitation on Email addresses in Agent Workspace
This limitation has been around since 2022 must is a much required feature in agent workspace, without it, it is not a viable end user solution.
2
Oscar Valecillos
Hi, is this valid for Sunshine Conversation as well? If I send the external_id on the SunCo JWT the user is not recognized on Zendesk
2
Tobias Hermanns
Hi!
we authenticate our users through SSO, does we still need implement JWT here?
I thought as user is login and have access to Ticket History and more, starting a Messaging chat, is auto detect them, easy and smooth, seems not, will this address to be more easy in future?
Does Zendesk Authentication do it different compare to SSO? (Auto Detect Organization, Name) when opening Messaging or also JWT is required here?
Thanks.
0
BVNK Services Integration
Hi Mick,
Are we still on track to fix the email missing from authenticated users this month?
Looking forward to that feature!
3
Jason Bourgoin
Hi Mick,
Any updates on this email issue / date of delivery? What is the recommended work-around to get an email value for an authenticated user at time of ticket?
1
BAKO
Mick O'Donnell
Hello, what is the status of relaying email addresses to the agent workspace with the authentication feature?
0
Mor Cohen
Hey,
When I go to the admin center -> end-user authentication
I don't have any messaging tab.
What could be the issue?
Thanks!
0
Mike DR
You would need to have an active Zendesk Support account in order to have Messaging enabled. The feature you're looking for will show up once Messaging is enabled for your account.
1
Mor Cohen
Thanks Mike, will do
0
Antonius
Mick O'Donnell any news for this update of displayed verified email address in Agent Workspace?
Thanks
We are dealing with this on 1 env already and it is one of the blockers to start using messenger on others.
1
Anton Yudin
Hello! I tried to send custom user fields inside JWT token payload while authenticating a user. But it looks like these custom user fields are not filled if I check them in the related user request on the dashboard
1
Jens Herlevsen
Mick O'Donnell Did you manage to get this feature released in January? :-)
0
Anton Maslov
Jens Herlevsen it was released today:
https://support.zendesk.com/hc/en-us/articles/6739639144730-Announcing-authenticating-messaging-end-users-using-signed-email
1
AntonMi
When the returning end-user authenticates mid-conversation, a Ticket 2 will automatically close with `closed_by_merge` tag, and the conversation will continue in the original Ticket 1.
What I find confusing is that this closed Ticket 2 does not have any link to Ticket 2. So the agent can't follow up. Can it be fixed somehow?
0
Prakruti Hindia
Hi everyone,
Thank you for your patience. We have rolled out support for authentication using signed email. You can find more information in the announcement post.
- Prakruti
2
Antonius
AntonMi I have noticed that too.
Even ticket is visible in the user thread, it would be nice to have internal note added to it, same we have when we manually merge 2 tickets.
1
David
Hi Anton
If that ticket is closed/merged, the agent shouldn't need to follow-up to the closed ticket as that conversation is in the original ticket now.
0
AntonMi
That's exactly the issue - The ticket closes, and the agent has no easy way to find the original ticket, where the conversation continues.
0
Jahn
Hi @Prakruti Hindia - will this Announcing authenticating messaging end users using signed email fix the web user issue that we are still having?
0
Bobby Koch
does this article need updating in the limitations section? we are confused
0
Bobby Koch
Prakruti Hindia ^
0
Keith
Our users sign into the Help Center. We then want to chat with them. When a ticket is created from the chat it creates a new generic user, it does not use the profile of the signed in Help Center user. Do we have to treat the Help Center like a third party app and build some sort of authentication into the chat, even though the user is already signed into the Help Center?
0
Ryan Nally
Hey Thomas, What do mean by adding that code snippet to the Help Centers's head. How are you doing this? Form what I'm seeing, my company has setup and managed the help center all from the zendesk UI. It is completely separate from our application's codebase.
0
Beatrice Schembri
Hi Thomas, I am also interested in knowing if and how we can access the Zendesk Help Center source code. Unless you meant a custom help page created by us clients?
0
Beatrice Schembri
Thanks Thomas
I see the issue now - we don't have the option to edit the code with our current theme free plan. I will keep this in mind.
0
Chris Batt
The last paragraph doesn't match what we're seeing in production, and seems to contradict itself:
So we expect that if we send the `external_id` and `email` in the JWT, and the `external_id` is not matched to a user, but the `email` is matched to a user, that user is authenticated. However, we observe some vastly different outcomes depending on whether we're testing in Sandbox vs. Prod, or whether the user has a verified or unverified email address, or whether we include `email_verified` in the JWT, but there is no scenario we've seen where a user is authenticated as an existing user when the `email` matches and when the `external_id` doesn't. We see instead, a new user is created, or the login request fails. The latter outcome seems to agree with the next sentence following the one above:
Which is essentially saying “if the external_ids don't match, but the emails do, we authenticate the user, except if the external ids don't match”. So my question would be under what circumstances exactly would the `email` be used to authenticate the user as a fallback when the external ids don't match?
* this was not the case in sandbox testing, where we never saw logins fail, and a new user was created each time, which was seriously confusing why sandbox would behave different than prod. The results were also different in that depending on the user's email verification status, the newly created user would inherit the email, and multiple results would be returned from the API search endpoint when querying on the email. This all made testing and implementation incredibly difficult.
4
Darlene Pinto Costa
Does anyone have an example of authentication with nextjs?
Today the use is script, ex
<scriptid='ze-snippet'src='https://static.zdassets.com/ekr/snippet.js?key=123456'/>0
Bom Proapp
Hi,
I need guidance on managing the login between the web login and the Zendesk end-user messaging login to keep them both synchronized.
Typically, I set the web session and JWT token to expire at the same time. However, there may be additional scenarios as follows:
0
Bom Proapp
zE('messenger', 'loginUser', function (callback) {
callback(token);
})
I get 401 authentication error, and I want to know how to catch this error. I use try/catch for callback(token), but it's not work.
Thanks
0