Announced on | Rollout on |
July 1, 2024 | July 31, 2024 |
What's changing?
Starting July 31, 2024, we will no longer offer email and password as an authentication method for API calls for new accounts and for accounts that are not using this method. If you’re actively using this method today, you will be able to continue until December 31, 2025 and we will contact you separately over the following months with details on how you can migrate to API tokens or OAuth. As we prepare for the removal of the Password Access for APIs setting in Admin Center and the email/password authentication method, our documentation has been updated to only feature API token and OAuth as the supported authentication methods.
If our records indicate that you currently have the Password Access for APIs setting turned on but we have not detected any activity, we have emailed you to say that we will be turning off this setting over three weeks starting July 1. If you wish to continue using this feature, you will need to manually turn the setting back on by July 30. Once re-enabled, you will have until December 31, 2025 to switch to another authentication method.
Why is Zendesk making this change?
Your account security is our top priority. The option to access APIs with a username and password is inherently insecure, as passwords can be compromised or reused, and this method no longer aligns with modern best practices for API authentication. Removing the ability to use the same username and password for API access mitigates the risk of unauthorized access and changes to your account in case your credentials are compromised.
Are any alternatives available?
Yes, there are two secure alternatives for authenticating API calls. Using tokens requires only a very small change for users currently using password access. OAuth is a little more complicated but allows you to create tokens with granular permissions (read vs. write, etc.) and allows for more security-conscious setups.
Note: each API token can be used by any verified user on the account and isn't associated with a specific user. Permissions are limited by the user role associated with the provided email address.
API Tokens: Learn more about API tokens here.
OAuth: Learn more about OAuth here.
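As an added example (not Zendesk's own code), this Python script classifies the Authorization header each integration sends, so you can find the ones still using email and password before the cutoff. It assumes the Basic-auth API token form documented for the Zendesk API, where `/token` is appended to the email address and the token takes the place of the password; the inventory, integration names and credentials are constructed placeholders.

```python
import base64
import binascii

def basic_header(username: str, secret: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    raw = f"{username}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_header(email: str, api_token: str) -> str:
    """API token form: same Basic scheme, '/token' appended to the email."""
    return basic_header(f"{email}/token", api_token)

def classify(header: str) -> str:
    """Return 'oauth', 'api_token', 'password' or 'unknown' for a header value."""
    scheme, _, value = header.strip().partition(" ")
    value = value.strip()
    if scheme.lower() == "bearer" and value:
        return "oauth"
    if scheme.lower() != "basic":
        return "unknown"
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "unknown"  # malformed credentials: review by hand
    username, sep, _secret = decoded.partition(":")
    if not sep:
        return "unknown"
    return "api_token" if username.endswith("/token") else "password"

def needs_migration(inventory: dict) -> list:
    """Names of integrations that still authenticate with email and password."""
    return sorted(n for n, h in inventory.items() if classify(h) == "password")

# Constructed sample inventory; every credential below is a placeholder.
INVENTORY = {
    "nightly-export": basic_header("ops@example.com", "placeholder-password"),
    "crm-sync": token_header("ops@example.com", "placeholder-api-token"),
    "reporting": "Bearer placeholder-oauth-access-token",
    "legacy-cron": "Basic not*base64",
}

if __name__ == "__main__":
    for name, header in INVENTORY.items():
        print(f"{name}: {classify(header)}")
    print("migrate:", needs_migration(INVENTORY))
```

Entries reported as `unknown` are not confirmed safe; check those integrations manually.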
What do I need to do?
If you currently have the Password Access for APIs setting turned on but are not using the capability, you can safely turn the setting off. You can find it in Admin Center under Apps and Integrations > APIs > Zendesk APIs > Settings > Password Access for APIs. Once turned off, the setting will be removed from the page starting July 31, 2024.
If you do not turn the Password Access for APIs setting back on by July 30, no further action is required and the setting will be permanently removed from your account. If you wish to continue to use the capability, simply turn the setting back on before July 30 to continue access until December 31, 2025.
If you have feedback or questions related to this announcement, visit our community forum where we collect and manage customer product feedback. For general assistance with your Zendesk products, contact Zendesk Customer Support.