
Why does Requests API require an email address for authentication?



Posted Nov 19, 2024

We are using the “Create Request” method of the Requests API to create a new ticket from a custom form on our website.

When using an authenticated request, we are supposed to provide an email address along with the api_token in this format:

{email_address}/token:{api_token}

The API Token is “Not associated with a specific Zendesk user. However, you must provide an email address for an admin, agent, or other valid user when authenticating requests.”

What is the purpose of the requirement to specify an email address when authenticating?

I don't see much upside – it would be fairly easy for an outsider to guess the email address of some (any!) Zendesk user at the organization. And chances are that if an attacker somehow gets access to the API Token, they'll also have access to the email address.

The downside is that it introduces a failure mode whereby if that user is ever removed from Zendesk (e.g., they change roles or leave the company), it will require updating the email address used by any apps that are calling the API, or else they'll stop functioning. Deletion of a user from Zendesk (who in all likelihood has nothing to do with use of the API) should not have the possible side effect of breaking API access! (In fact, you specifically designed the API Token mechanism such that deleting the user who created an API token will not disable/delete that token – which is good – but then it's undermined by still tying API calls to a particular user.)

Introduction of this totally foreseeable and avoidable failure mode seems like an unforced error. It's a problem that's waiting to happen, and for little to no upside.


1

2

2 comments


Greg Katechis

Zendesk Developer Advocacy

Hi Jonathan!


An API token is just one of many authentication options that we have at Zendesk. If API tokens don't work for your needs, you should consider using an OAuth token instead. I would recommend reading this article to gather more information on the topic.

0



Charles Nadeau

Zendesk Documentation Team

PS: API tokens are really just using the basic authentication method, which requires a base-64 encoded string containing a user name and password. One benefit of using API tokens as passwords over letting users choose their own is that they can be managed by an admin in Zendesk.

0
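Added example, not code from the thread or from Zendesk: it puts the two points above into working Python. The original post gives the credential format `{email_address}/token:{api_token}`, and the comment explains that this is plain HTTP Basic authentication (base64 of `user:password`). The block builds that header, decodes it again to make the security-relevant point concrete (the email address is merely encoded, never secret; the API token is the only secret in the header, and the "/token" suffix is what marks the password as a token), and assembles the Create Request POST without sending it. Assumptions not taken from the page: the endpoint path `/api/v2/requests.json` and the `request`/`comment`/`requester` payload shape come from my own knowledge of the Zendesk Requests API, the subdomain is a constructed placeholder, and the function names are mine.

```python
import base64
import json
import urllib.request

# Constructed placeholder; not a real Zendesk account.
ZENDESK_SUBDOMAIN = "example-subdomain"


def zendesk_token_credentials(email_address: str, api_token: str) -> str:
    """Return the Basic-auth 'user:password' string for API-token auth in the
    format the thread quotes: {email_address}/token:{api_token}.
    The '/token' suffix is what tells Zendesk the password is an API token
    rather than the user's own password."""
    if ":" in email_address or "/" in email_address:
        # Either character would corrupt the user:password / email/token split.
        raise ValueError("email address must not contain ':' or '/'")
    if not api_token:
        raise ValueError("api_token is empty")
    return f"{email_address}/token:{api_token}"


def basic_auth_header(email_address: str, api_token: str) -> str:
    """HTTP Basic authentication is base64(user:password), no encryption."""
    raw = zendesk_token_credentials(email_address, api_token).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth_header(header: str) -> dict:
    """Inverse of basic_auth_header. Anyone who can read the header (logs,
    proxies, a leaked config) recovers the email address trivially; the
    only thing worth protecting is the token itself."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, secret = base64.b64decode(payload).decode("utf-8").partition(":")
    email, _, marker = user.partition("/")
    return {"email": email, "is_api_token": marker == "token", "secret": secret}


def build_create_request(subdomain: str, email_address: str, api_token: str,
                         subject: str, body: str,
                         requester_name: str, requester_email: str) -> urllib.request.Request:
    """Assemble (but do not send) the authenticated Create Request POST.
    Endpoint path and payload shape are assumptions, not taken from the thread."""
    url = f"https://{subdomain}.zendesk.com/api/v2/requests.json"
    payload = {
        "request": {
            "subject": subject,
            "comment": {"body": body},
            "requester": {"name": requester_name, "email": requester_email},
        }
    }
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": basic_auth_header(email_address, api_token),
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the token is obviously fake.
    header = basic_auth_header("agent@example.com", "abc123")
    print(header)
    print(decode_basic_auth_header(header))
    req = build_create_request(ZENDESK_SUBDOMAIN, "agent@example.com", "abc123",
                               "Website form submission", "Hello from the form",
                               "Site Visitor", "visitor@example.com")
    print(req.get_method(), req.full_url)
```

Because `decode_basic_auth_header` recovers the email from any captured header, the practical consequence for a defender is the one the original post draws: treat the token as the sole secret, keep it out of logs and client-side code, and keep the email in the same configuration store so that a departed user's address can be rotated together with the token rather than silently breaking the integration.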

