| Announced on | Rollout complete |
|---|---|
| August 12, 2025 | August 12, 2025 |
Zendesk has updated the policies that guide development of public applications and integrations on our APIs, leveraging modern API security technology and enforcing sensible, consistent patterns. These new policies are designed to prioritize data security and privacy without compromising the flexibility developers expect.
These changes are aimed at giving you more confidence in the applications and integrations built on Zendesk’s platform. They will increase your visibility into who is accessing your data and give Zendesk greater ability to protect that data from misuse.
What's changing?
Our updated Zendesk Developer Terms and Developer Documentation provide the full details, but key highlights are included below. These changes do not apply to customers developing applications for internal use, only to entities developing applications built for distribution to multiple Zendesk customers — third-party app developers.
App submission requirement
All apps and integrations built for distribution to multiple Zendesk customers must now be submitted to the Marketplace for review and approval, giving you added confidence that applications are safe and follow security guidelines.
Global OAuth Tokens
Third-party developers are required to use a global OAuth client to authenticate any calls to Zendesk. It is not permissible to use a customer’s credentials (i.e. an API token or a customer’s own OAuth client) to authenticate their external application.
API Headers
Every API call made by an app developer must include request headers identifying its source (an app id, name, and an organization id). This improves transparency, brings greater observability, and helps protect against anomalous or malicious activity.
New guidelines on usage and storage
Third-party app developers will be required to conform to rules about handling customer data, ensuring it is not misused or exposed to undue risk. We are introducing new limitations on how developers can use customer data. For more details, see the announcement in our Developer updates.
Why is Zendesk making this change?
The security of our APIs and the applications and integrations built on them is more important than ever. As threats like data exfiltration continue to rise year over year, our customers need confidence that their data is protected. Ensuring that all marketplace applications and integrations follow security best practices—including strong authentication, secure development, and data protection—and undergo formal review by Zendesk is key to maintaining that trust.
We’ve talked quite a bit more about this in our blog post on the topic.
What do I need to do?
If you’re a Zendesk customer, you don’t need to do anything. If you’ve built private integrations or customizations on your own account, those will continue to work as expected, and the new rules don’t apply. In the future, we will introduce more changes that will affect some private, custom development as well.
If you use a public marketplace app or integration or have adopted something built by a third-party developer that does not conform to our new authentication policies, you will need to re-authorize your integration once the developer makes the appropriate changes. If an integration changes authentication methods to conform to the new rules, you will need to authorize the app to act on your behalf using OAuth. The developer of the integration will be able to give you the best information.
If you are a third-party app developer, we will be reaching out to you with details and time frames for adopting the new standards.
What is coming?
Zendesk will continue to modernize and improve the security of our APIs and associated apps/integrations over time with better observability and control over the traffic that comes to/from the apps/integrations your account enables. We will be launching a new dashboard specifically to view global OAuth access tokens, and more security improvements to protect your account from unauthorized or malicious access.