Currently, the API token can be used to impersonate anyone in the account. This gives the API token great flexibility, but also carries with it a lot of risk.
To give an admin more complete control of the functions available to an external app or service that authenticates via an API token, the API token manager should allow admins to limit token access by Product as well as Scope.
This would mean, when creating a token, an admin could create one for managing Guide articles:
- Product: Guide, Scope: Read / Write
And another for reading off a list of current macros in Support:
- Product: Support, Scope: Read Only
Finally, under this scheme, it would be useful if a token could be configured for multiple products, with a specific scope per product. For example, suppose an admin wanted to create an integration that allowed her to grab some common FAQs in Guide and turn them into macros. The API token for this integration would be scoped thus:
- Product: Guide, Scope: Read Only; Product: Support, Scope: Read / Write
This type of configuration ability could be really helpful in guaranteeing that some applications, for example, can be used to manage Guide articles, or Chat conversations, but can't dip into the Support data and read off customer information or ticket details.
This would be really helpful for providing an additional layer of security for Zendesk admins with regard to API integrations.
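To make the proposed scheme concrete, here is an added example of how an API gateway could enforce per-product scopes on a token. This is illustrative code written for this post, not Zendesk's implementation: the path-to-product mapping, the method-to-scope mapping and the "Product: ..., Scope: ..." grant notation parser are assumptions chosen to match the three tokens described above.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Mapping, Optional


class Scope(Flag):
    """Per-product permission bits; READ_WRITE is the union of both."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    READ_WRITE = READ | WRITE


@dataclass(frozen=True)
class ApiToken:
    name: str
    grants: Mapping[str, Scope]  # product name -> granted scope

    def allows(self, product: str, required: Scope) -> bool:
        # Flag containment: every bit of `required` must be present in the grant.
        # A product with no entry gets Scope.NONE, i.e. deny by default.
        return required in self.grants.get(product, Scope.NONE)


# Assumption: HTTP verb decides which scope bit a request needs.
METHOD_SCOPE = {
    "GET": Scope.READ, "HEAD": Scope.READ,
    "POST": Scope.WRITE, "PUT": Scope.WRITE,
    "PATCH": Scope.WRITE, "DELETE": Scope.WRITE,
}

# Assumption: a path prefix identifies the product that owns the resource.
# Any path not listed here belongs to no product and is always denied.
PATH_PRODUCT = {
    "/api/v2/help_center/": "guide",
    "/api/v2/tickets": "support",
    "/api/v2/macros": "support",
    "/api/v2/chats": "chat",
}

# Scope labels as written in the post, mapped to the Scope enum.
SCOPE_NAMES = {
    "read only": Scope.READ,
    "read / write": Scope.READ_WRITE,
    "read/write": Scope.READ_WRITE,
}


def parse_grants(spec: str) -> dict[str, Scope]:
    """Parse 'Product: Guide, Scope: Read Only; Product: Support, Scope: Read / Write'
    into {'guide': Scope.READ, 'support': Scope.READ_WRITE}."""
    grants: dict[str, Scope] = {}
    for entry in spec.split(";"):
        fields = {}
        for part in entry.split(","):
            key, _, value = part.partition(":")
            fields[key.strip().lower()] = value.strip().lower()
        product = fields["product"]
        if product in grants:
            raise ValueError(f"duplicate product in grant spec: {product}")
        grants[product] = SCOPE_NAMES[fields["scope"]]
    return grants


def product_for(path: str) -> Optional[str]:
    for prefix, product in PATH_PRODUCT.items():
        if path.startswith(prefix):
            return product
    return None


def authorize(token: ApiToken, method: str, path: str) -> bool:
    """Return True only if the token holds the scope this request needs
    on the product that owns the path. Unknown products/methods are denied."""
    product = product_for(path)
    required = METHOD_SCOPE.get(method.upper())
    if product is None or required is None:
        return False
    return token.allows(product, required)


# The three tokens from the post, built from the post's own notation.
GUIDE_EDITOR = ApiToken("guide-editor", parse_grants("Product: Guide, Scope: Read / Write"))
MACRO_READER = ApiToken("macro-reader", parse_grants("Product: Support, Scope: Read Only"))
FAQ_TO_MACROS = ApiToken(
    "faq-to-macros",
    parse_grants("Product: Guide, Scope: Read Only; Product: Support, Scope: Read / Write"),
)

if __name__ == "__main__":
    # The guide-only token cannot touch ticket data at all.
    print(authorize(GUIDE_EDITOR, "GET", "/api/v2/tickets/1.json"))          # False
    # The integration token can read FAQs and create macros, but not edit articles.
    print(authorize(FAQ_TO_MACROS, "GET", "/api/v2/help_center/articles.json"))  # True
    print(authorize(FAQ_TO_MACROS, "POST", "/api/v2/macros.json"))             # True
    print(authorize(FAQ_TO_MACROS, "PUT", "/api/v2/help_center/articles/1.json"))  # False
```

The important design choice is that the check is deny-by-default in both directions: a product with no grant resolves to Scope.NONE, and a path that maps to no known product is refused rather than falling back to account-wide access, which is exactly the behaviour the current impersonate-anyone token lacks.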