Previously announced on | Removal on |
July 31, 2024 | December 31, 2025 |
As previously announced, Zendesk will stop accepting email and password as an authentication method for API requests on December 31, 2025, for all customers. If you are actively using this method today, you must switch to using API tokens or OAuth before December 31, 2025 to avoid any impact due to this removal.
Why is Zendesk making this change?
Your account security is our top priority. The ability to authenticate API requests with an email and password is inherently insecure as passwords can be compromised and reused, and this method no longer aligns with modern best practices for API authentication. Removing the ability to use the same email and password for API access mitigates the risk of unauthorized access and changes to your account in case your credentials are compromised.
Are any alternatives available?
Yes. The simplest alternative is using an API token. You just need to update your request to use the following format:
{email_address}/token:{api_token}
Each API token can be used by any verified user on the account and isn't associated with a specific user. Permissions are limited by the user role associated with the provided email address. Learn more about managing API token access.
Zendesk also supports OAuth authorization flows. OAuth provides a secure way for your application to access Zendesk data. To use OAuth authentication, you need to register your application with Zendesk. You also need to add some functionality to your application to support the OAuth authorization flow. Learn about using OAuth with your application and working with OAuth.
Learn more in Understanding the differences between API tokens and OAuth access tokens.
What do I need to do?
If you currently have the Password Access for APIs setting turned on but are not using the capability, you can safely turn the setting off. You can find it in Admin Center under Apps and Integrations > APIs > Zendesk API > Settings > Password access. After it's turned off, the setting will be removed from the page.
Using API Tokens
Using API tokens is the simplest alternative, and in most cases, the person associated with the email address being used for API authentication should simply be able to replace the password with a token in their application by doing the following:
- In Admin Center, click Apps and integrations in the sidebar, then select APIs > Zendesk API > Settings.
- Turn on Token access if it's not already turned on, then click Add API token.
- Click Copy to copy the API token.
- Navigate to your application.
- Replace the password with the API token by using the following format:
{email_address}/token:{api_token}
- After your applications have been updated, return to Admin Center > Apps and Integrations > APIs > Zendesk API > Settings and turn off Password access.
Using OAuth access tokens
You can authenticate API requests by using an OAuth access token as a Bearer token in the request’s Authorization header. Learn more about working with OAuth. If your application requires users to grant access to your application, you can implement the OAuth authorization code grant flow.
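To find integrations that still send an email and password, you can classify the Authorization header each one is configured to send. The following is an added example, not code from Zendesk; it assumes credentials are sent with HTTP Basic authentication (base64 of `user:secret`), and the integration names and token values are constructed placeholders.

```python
import base64
import binascii

TOKEN_MARKER = "/token"  # suffix on the username part: {email_address}/token


def basic_header(email: str, api_token: str) -> str:
    """Build the Basic header for the {email_address}/token:{api_token} format."""
    raw = f"{email}/token:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify(authorization: str) -> str:
    """Return 'oauth', 'api_token', 'password' or 'unknown' for a header value."""
    scheme, _, value = authorization.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer" and value:
        return "oauth"
    if scheme != "basic":
        return "unknown"
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "unknown"
    user, sep, secret = decoded.partition(":")
    if not sep or not user or not secret:
        return "unknown"
    # The username ends in "/token" only in the API token format.
    return "api_token" if user.endswith(TOKEN_MARKER) else "password"


def audit(headers_by_integration: dict) -> list:
    """Names of integrations that still send email and password."""
    return sorted(n for n, h in headers_by_integration.items()
                  if classify(h) == "password")


# Constructed sample data: none of these are real credentials.
SAMPLE = {
    "crm-sync": "Basic " + base64.b64encode(b"agent@example.com:hunter2").decode(),
    "report-job": basic_header("agent@example.com", "EXAMPLE_API_TOKEN"),
    "mobile-app": "Bearer EXAMPLE_OAUTH_ACCESS_TOKEN",
    "legacy-cron": "Basic not-base64!!",
}

if __name__ == "__main__":
    for name, header in SAMPLE.items():
        print(f"{name}: {classify(header)}")
    print("must migrate:", audit(SAMPLE))
```

The classifier reports only the category and never prints the decoded secret, so its output is safe to keep in a migration checklist.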
If you have feedback or questions related to this announcement, visit our community forum where we collect and manage customer product feedback. For general assistance with your Zendesk products, contact Zendesk Customer Support.