Email in a JWT request


  • Greg Katechis
    Zendesk Developer Advocacy

    Hi Mikhail! This is something that I tested a long time ago and the answer is probably not what you're hoping for...using a placeholder email address will cause a problem, unless you can ensure that each placeholder email address is unique. I'll use these two scenarios as an example, #2 is the one specifically that will be relevant to you:

    Bob is in your account with the email and an external_id of 1001.
    Alice is in your account with the email, but no external ID.

    1. You send us a JWT payload with and an external_id of 1001. Because this email address is completely new to your account, this will succeed, and will be overwritten with
    2. You send us a JWT payload with and an external_id of 1001. Because this email address already exists in your account, this will fail. No changes will be made to Bob's user profile.
    3. You send us a JWT payload with and an external id of 1002. Because this does not match the pair, this will fail. It does not matter if this external ID exists already in your account or not. If you ever wanted to associate with a different external ID, you'd need to delete their entire user profile (or specifically delete the external ID with the REST API.)

    As such, if you used a single placeholder email address, every subsequent payload that you sent us would be rejected. I would definitely not recommend going the route of a unique placeholder email for each of your users, as you will then run into issues communicating with them. It would be best to discuss this with your legal team to determine what steps would allow you to be GDPR-compliant while using the customer's email. We cannot advise on that topic at all.

  • Mikhail Nikitin

    Thank you!

    Would like to receive additional clarification regarding the information provided previously.

    Will user email addresses be used by Zendesk beyond the process of uniquely identifying a user? If so, could you please specify how exactly? To send email notifications or be relayed to some internal or external services for any kind of processing, maybe? Will GDPR-compliance be maintained in any such case?

    It would be preferable for us to identify users by external IDs instead of email addresses since in most cases MobileSDK is the channel used by our users to submit requests. I understand, however, that email address is required.

  • Greg Katechis
    Zendesk Developer Advocacy
    Hi Mikhail, apologies for missing this last time. 
    The email address is going to be used in a variety of ways depending on how you set up your instance. As you mentioned, one possibility would be sending email notifications and another option would be their login method. 
    With respect to anything related to GDPR, we cannot make any comments regarding compliance outside of our public disclosure that you can find here. If you have additional questions regarding GDPR, you will want to speak with an appropriate legal or business entity.
