Jared Fowkes

I ended up using IP authentication using the IPs listed in the API endpoint listed below.
https://developer.zendesk.com/api-reference/ticketing/account-configuration/public_ips/

This is not ideal but seems to be a reasonable solution.

I'm working on a ticket sidebar app that gets data from our self-hosted API endpoints.  Is there a way to verify that the data requested is from one of our ZenDesk users?

I see that requests have JWT tokens in the X-Zendesk-AuthN header, but there's no documentation on how to validate them.

There is an option for signed URLs.  However, this only applies to the initial connection and not to calls made from the app itself.

What is best practice here?  ZenDesk is providing a lot of great information in their requests, but there's no great way to validate it.

I'm told by support that all API calls must impersonate a user.  However, many of our API calls are automatic and shouldn't be related to a user.

The issue that we ran into was that we were using an API update to trigger email notifications.  However, the emails are sent using the name of the user the API is impersonating.

I believe the easiest solution is for the Dev team to create an anonymous or system user.  So that APIs can impersonate system and thus operate as an unnamed user – much the same way that internal ZenDesk calls are managed now.