Announced on: August 12, 2025
Rollout complete: August 12, 2025

Zendesk has updated the policies that guide development of public applications, integrations, and bots on our APIs, leveraging modern API security technology and enforcing sensible, consistent patterns. These new policies are designed to prioritize data security and privacy without compromising the flexibility developers expect.

These changes are aimed at giving customers more confidence in the applications and integrations built on Zendesk’s platform. They will increase customers' visibility into who is accessing their data, and give Zendesk greater ability to protect that data from misuse.

This announcement includes the following topics:

  • What's changing?
  • Why is Zendesk making this change?
  • What do I need to do?
  • What's coming?

What's changing?

  • All apps and integrations built for distribution to multiple Zendesk customers must be submitted to the Zendesk Marketplace for review and approval. Learn about publishing bots, apps, and themes on the Zendesk Marketplace.
  • All apps, integrations and bots must follow the new standards and guidelines. This does not apply to private apps built by customers for their own internal use.
    • Public apps are built on the Zendesk App framework. If your public ZAF app needs to make server-side calls to the Zendesk APIs, it must use a global OAuth client and include custom headers. Preview apps that are built for multiple Zendesk customers must follow the same guidelines.
    • Integration apps (also known as Marketing-only apps) are required to use a global OAuth client and each API call must include custom headers that specify the name of the integration, the organization ID, and the Marketplace app ID.
      • Zendesk will be releasing a new page in Admin Center where customers can view and manage integrations that are using global OAuth access tokens.
      • Supporting the refresh token flow will be required for all global OAuth clients starting January 31, 2026.
    • Bots are built following the Marketplace bot guidelines.
  • It is not permissible for any third-party app, integration or bot (whether it’s listed on the Zendesk Marketplace or not) to use a customer’s API credentials (API token or a customer’s own OAuth client) to authenticate API calls.
  • You’re required to conform to rules about handling customer data, ensuring it is not misused or exposed to undue risk. We are introducing new limitations on how you can use customer data as outlined in the Zendesk Developer Terms.

Why is Zendesk making this change?

The security of our APIs and the applications and integrations built on them is more important than ever. As threats like data exfiltration continue to rise year over year, our customers need confidence that their data is protected. Ensuring that all Marketplace applications, integrations and bots follow security best practices—including strong authentication, secure development, and data protection—and undergo formal review by Zendesk is key to maintaining that trust. You can read more in our blog post.

What do I need to do?

You can start making any necessary changes to your existing app, integration, or bot today. When you’re ready, submit your app (or your bot) for Zendesk Marketplace review and approval. If your integration currently uses API tokens or basic authentication to authenticate with Zendesk APIs, you will need to update your authentication method to use OAuth. Once the change is completed, you will need to submit an update to your existing listing in the Marketplace.

Zendesk will also be reaching out to third-party app developers with details and time frames for adopting the new standards and guidelines for their existing apps and integrations.

If you haven’t listed your integration on the Zendesk Marketplace, you need to create your Zendesk Marketplace profile, register your organization, and submit your app for review and approval.

To ensure a smooth transition for customers when rolling out the change to using OAuth, you can either:

  • Perform a hard cutover. Your customers will all be impacted at the same time and will be required to re-authorize their app or integration. Communicate this change to impacted customers in advance to minimize impact.

  • Perform a soft cutover and allow your customers to continue to authenticate their calls with the existing authorization implementation until they re-authorize the integration with OAuth.

Starting today, new submissions to the Zendesk Marketplace will be reviewed and approved based on the new standards and guidelines.

What's coming?

Zendesk will continue to modernize and improve the security of our APIs and associated apps, integrations, and bots over time, with better observability and control over the traffic that comes to and from the apps and integrations that customers enable.
 
