How can I fix 409 conflict errors with JWT authentication?

Question

Why do I see a 409 conflict error when I authenticate users with JWT authentication in messaging?

Answer

With JWT authentication, an external_id is always required, and a verified email identity can optionally be included as well. When a verified email identity is included, Sunshine Conversations will store that email as an identity (user.identities), and these identities must be unique. For example, a JWT login might create a user with external_id 1234 and the email identity user@example.org.

An email conflict error indicates that the JWT being presented has an external_id and email pairing that do not match what is already on record. For example, if a subsequent JWT contains the external_id 5678 and the verified email identity user@example.org, then the login attempt will produce an email conflict error. This is because the given email has already been paired with a different external_id. This mismatch can sometimes occur because a user has changed their email address. If the JWT didn’t have the email claim, then the conflict would not occur.

To resolve this behaviour and allow users with an updated external_id to log in via JWT authentication, you must delete the previous user.id that you linked to the first external_id.

Make an API call:

Basic authentication, use an API key and a secret key
- Username: API_KEY_ID
- Password: API_KEY_SECRET
API method: DELETE
- https://<subdomain>.zendesk.com/sc/v2/apps/{appId}/users/{userIdOrExternalId}

Within the above URLs, replace the {appId} with the ID provided when generating the API key and secret key, and replace the {userIdOrExternalId} with the previous external_id linked to the user who returns the error.

For more information about the Sunshine Conversations API, see this article: Welcome to the Sunshine Conversations API.

Disclaimer: If you follow the above steps to delete the userIdOrExternalId, you will swipe the conversation history for the end user, when end users authenticate with the new ExternalId, after you delete the UserID from Sunshine Conversations. This article is provided for instructional purposes only. Zendesk does not support or guarantee the code. Post any issues you have in the comments section or search for a solution online.

Another option is to delete the user personal information from Sunshine Conversations. You will not delete the conversations in the Sunshine Conversations profile with this end point: Delete User Personal Information.

API method: DELETE
- https://<subdomain>.zendesk.com/sc/v2/apps/{appId}/users/{userIdOrExternalId}/personalinformation

For more information, see this article: Authenticating end users for messaging.