Update, January 25th, 2022: End user authentication is now available for all Zendesk customers who have messaging enabled. Detailed support documentation is listed below:
- For Zendesk Admins implementing end user authentication, a detailed guide can be found here.
- For the developers of Zendesk customers, detailed developer documentation can be found here.
- For Zendesk Agents, this guide can explain the impacts on the agents' experience.
For many of our customers, an important part of the customer service experience is being able to verify a user's identity and to reflect that verified identity to their support agents. Authentication assures agents of the identity of the person they are communicating with, which in turn lets them decide on next actions in the conversation or share sensitive information that may help to progress a support case.
Zendesk is aiming to deliver end user authentication in January 2022 for all Zendesk customers that have messaging and Agent Workspace enabled. If you are a business planning to implement end user authentication for messaging, or you require end user authentication in messaging in order to use the product, the high-level summary below explains how authentication in messaging will work and gives some guidance on what will be needed to set up authentication on your website or mobile apps.
In January, we will release more detailed admin documentation to describe the changes to Admin Center, as well as detailed developer documentation that will define the steps that your developer will need to execute.
How end user authentication will work
End user authentication is quite straightforward, but there are a number of key concepts that Zendesk Admins and your developer should be aware of:
- JSON Web Tokens (JWT) for authentication. Zendesk uses JSON Web Tokens (JWT) for authentication in messaging. For a deep dive on JWTs, jwt.io is an excellent resource. Zendesk uses signed tokens, so the integrity of the claims they contain can be verified.
- The signing key. Your Zendesk Admin will need to create a signing key in Admin Center (illustrated below) that your developer will use to sign the JWT whenever it's required. The creation of the signing key will be a straightforward process in Admin Center. We will provide detailed instructions for your Zendesk Admin on the management of signing keys with the release of authentication.
- A unique user identifier. An externalId is a string that can have any value you like, but must be unique within a given Zendesk brand. Examples of externalIds include usernames, GUIDs, or any existing ID from your own user directory. The externalId should map to a unique identity in your existing user directory. The externalId should always reference an external entity; in other words, you should not reuse any ID that was assigned by Zendesk as an externalId. When choosing an externalId, you should also ideally avoid using user properties that change, like a phone number.
- The user's name and email address. Your business will be able to send the user's name and/or email in the JWT payload at authentication time, but it is not necessary to do so. All Zendesk needs to authenticate your user is a unique user identifier in the signed JWT payload. Including the name or email may, however, help your support agent communicate with your user, as this information will be reflected in Agent Workspace.
NOTE: If the email address is not used as the unique user identifier, the email address will not be displayed in Agent Workspace initially. This is a limitation of the product that we are working to remove. See the Product Constraints section below for more information.
How these concepts work together
The first step is for your Zendesk Admin to create the signing key in Admin Center, and provide this key (which will contain a secret) to your developer. Your developer will then need to implement a service on your business' back-end that can create the signed JWT and return this to your website or mobile app when requested (steps 1 and 2 below). Any time your user is logged in to your website or app, your developer will need to call an equivalent login API which will be provided in both the Zendesk Web Widget and the Mobile SDKs. At login time, the JWT will be passed to Zendesk in order to verify the claimed identity of the user (step 3 below).
Once this is complete, the user is authenticated and their identity has been verified with Zendesk. The user will not be prompted to provide their name or email address when being transferred to an agent. The user will appear as verified in Agent Workspace (as illustrated below). If the user was already engaged in a conversation with an agent prior to being authenticated, their conversation with the support agent will not be interrupted.
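As an added illustration (not Zendesk's code and not part of the original announcement), the sketch below shows what the back-end signing service does and what the signature guarantees to the receiving side. Assumptions to confirm against Zendesk's developer documentation: HS256 signing with the key's secret, a `kid` header carrying the key id, and the claim names `external_id`, `scope`, `name`, `email` and `exp`; `KEY_ID` and `SECRET` are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: the real key id and secret come from the signing key
# created in Admin Center and belong in a secret store, never in client code.
KEY_ID = "example-key-id"
SECRET = b"example-signing-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> str:
    return b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def issue_token(external_id, name=None, email=None, ttl=300, now=None):
    """Sign claims for a user your own login has already authenticated."""
    if not isinstance(external_id, str) or not external_id.strip():
        raise ValueError("external_id must be a non-empty string")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": KEY_ID}  # assumed header fields
    claims = {"external_id": external_id, "scope": "user", "exp": now + ttl}
    if name:
        claims["name"] = name  # optional, reflected to the support agent
    if email:
        claims["email"] = email
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    return ".".join(parts + [sign(".".join(parts), SECRET)])

def verify_token(token, secret=SECRET, now=None):
    """Receiver-side check: algorithm, signature, then expiry."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sign(f"{head}.{body}", secret).encode(), sig.encode()):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```

Only `issue_token` belongs in your back-end; `verify_token` stands in for the check the receiving side performs and shows that a token whose claims were edited after signing is rejected.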
Product constraints
There are two important product constraints that will remain with this rollout of end user authentication in messaging:
- Guide articles that require user authentication will not be accessible. We will be required to make additional improvements to the messaging product in 2022 to enable users to view Guide articles that require user authentication. Guide articles that require authentication will not be available to users initially, even if they are authenticated. Articles that do not require user authentication are not impacted.
- Email addresses in Agent Workspace. The email address of the end user will not be visible in Agent Workspace initially. This is also a limitation that we will be actively working to remove in 2022. We would encourage businesses who wish to view the user's email address in Agent Workspace to include this data in the JWT payload now, in order to avoid further development work once this limitation is removed, but it is not necessary.
Planning the set up of end user authentication
There are three distinct pieces of work that you will need to plan in order to implement authentication via the Zendesk Web Widget and/or the Mobile SDKs.
1. Creating the signing key
Creating the signing key in the Admin Center will be a straightforward task. We will provide a guide for your Zendesk admin with the release of authentication in order to support your admin in this initiative.
2. Creating a back-end service to create and sign the JWT
The creation of a back-end service to create and sign the JWTs will require more effort, and you should ask your developers to estimate the effort for this activity. You should allow additional time for processes such as internal security audits, and data management reviews. We will provide a detailed developer document with the release of authentication in order to support your developers in this initiative.
3. Implement authentication in the Zendesk Web Widget or Mobile SDKs
Assuming that you have already migrated to messaging, on each client platform that you support, your developer will need to implement a call to the new login and logout APIs that Zendesk will provide for each client platform. We will provide a detailed developer document with the release of authentication in order to support your developer in this initiative. If you have not yet migrated to messaging, you should complete this migration in advance of setting up end user authentication.
Businesses planning to implement authentication for the Zendesk Web Widget or Mobile SDKs at the beginning of 2022 should plan to allow effort to complete the above tasks once the authentication release is available in January. Once the release is available, it will be announced in Zendesk's monthly marketing email, and will be communicated in the release notes for the Zendesk Web Widget and Mobile SDKs. If you encounter any issues in setting up authentication, we'll be happy to support you on Zendesk Community, or through a dedicated support ticket.