Recent searches


No recent searches

Can't get public_key.pem of my app



Posted Nov 09, 2023

curl https://{subdomain}.zendesk.com/api/v2/apps/{app_id}/public_key.pem -u {email}:{pass}

I have app_id

I can't understand which subdomain I must use and correspondingly which email and pass?

I have dev account, I tried dev subdomain and email and pass and I get 403 Forbiden

I'v tried subdomain of my client and my email and pass - still nothing

I'v tried email and pass from apps.zendesk.com - nothing

I just can't figure out which combination of subdomain and email should be used

Please help!


0

8

8 comments

Hi Sergii Kliuchnyk

I tried this and got the same issue via cURL. 

It did, however, work for me on POSTman. 

I used the subdomain that i uploaded the app to. 

I used the email from the account from which uploaded the app but appended the /token at the end. 

I also used an API token generated for myself as the password. 

GET {{my-staging-domain}}.zendesk.com/api/v2/apps/{app_id}//public_key.pem

Basic auth

Email: myemail@domain.com/token
Password: API_TOKEN_GENERATED_IN_ADMIN_SETTINGS

EDIT: Other Zendesk APIs work for me via cURL

1


Vj Gunawardana

Thanks a lot! It's worked.

0


great to hear Sergii Kliuchnyk - Hopefully the cURL gets fixed up for others. 

0


Vj Gunawardana try to add header "user-agent: chrome", I think Postman adds it by default

0


Awesome, thanks for that Sergii Kliuchnyk

0


I have managed to get this working using the method described above, but what I can't figure out is how I can get the public key dynamically for a subdomain that has purchased my app. In their case, I won't have email/token that can get the public key in their account.

Usually, public keys are not auth protected because they are, well, public.

What is the recommended solution here for app marketplace developers?

0


image avatar

Tipene Hughes

Zendesk Developer Advocacy

Hi Cam,
 
Just checking in here to see if you found a solution to your issue?

0


Hi Tipene,

 

I wouldn't describe it as a solution, more of a workaround. And not especially secure.

 

In my case I have a server side top bar app defined in the manifest, and I also have a background app as well.

 

So because the background app has access to Zaf, I determine the app id dynamically, construct a request to get the public key, and send it to my backend via a POST request with the public key and subdomain in the body. This effectively “onboards the organisation ” with an upsert operation in my database.

Then when my server side app is opened, and a JWT sent as part of the initial post request, I am able to verify it, create a session and away we go. 

 

But unfortunately this has some security concerns, and if I build future server side apps that don't require the background app, then I would have to add one anyway.

I'm hoping you can make another suggestion!

0


Please sign in to leave a comment.

Didn't find what you're looking for?

New post