
API tokens: security and permissions?

  • December 17, 2019
  • 3 replies

Chris34

I want to wrap my head around how API tokens permissions work. In our Support team (we have an Enterprise account), traditionally admins have created API tokens and then distributed them to agents. Looking at the interface today it occurred to me there isn't any setting that specifically ties an API token (that's generated by an admin) to the agent the token was given to. Which begs the questions:

  1. Can any agent use any API token if they possess it?
  2. What role permissions are the API tokens granted (e.g., if an admin creates them, do they have admin permissions?)
  3. Is there a way to create API tokens that are exclusively linked to a specific agent?

My personal agent account has only ever been an administrator so I'm unsure what the ZD interface looks like for non-admins and if a 'staff' agent can create an API token on their own.

I'd love it if someone can help guide me on those three questions above. Thanks!

3 replies

  • December 17, 2019

Hello Chris,

I think you already know the answers, but just need confirmation? :)

Anyway, here they are:

  1. Yes
  2. The role of the user whose email address was used in the authorization.
  3. No

With kind regards,

Sebastiaan


Chris34
  • December 17, 2019

Thanks Sebastiaan,

Maybe we've been doing the API token thing wrong the whole time (?). The tokens we create (for API calls) are under Admin > Channels > API > Settings > Token Access > [ + ]. The only options are to add an "API Token Description", and nothing that would tie a token to the "role of the user whose email address was used in the authorization."

Thanks again!


Dan32
  • December 17, 2019

Hey Chris,

Unfortunately, you're correct. There's nothing tying a token to a specific user, or to a set of permissions. Treat API keys like a universal password to whatever username is passed along with the key during login.

If you gave an agent a token, nothing stops that agent from changing the username they authenticate with to one of another user. When they do so, they log in as that user, along with associated permissions. Actions taken via the API will be attributed to the user that authenticated with the key.

Example:

You (an admin) give me (an agent) an API key. I want to delete a ticket for some reason, but that permission is set to require admin access in your Zendesk. Using the same API key, I change my username to your email and send the DELETE request. The request will process, as your account has permission. In the event logs, the deletion will be attributed to your user.

In short, you probably don't want to give API tokens to users that you don't trust with administrative access to your instance. It would be very difficult to identify misuse, as the actions would be attributed to another user.

A possible workaround would be having a user create a Basic Auth string to use, with their username and a password. This would let them access the API in a custom script (but perhaps not a prebuilt integration that is expecting an API key), but would be locked to their account and permission set. However, if you have a password expiry/rotation configured, this would need to be rotated as well. This is less than ideal, but probably better than giving out API keys.
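To make the difference between the two credential shapes in this thread concrete, here is an added example (not code from the thread or from Zendesk) that builds both Basic Auth forms and classifies a captured Authorization header so an admin can audit which of their own scripts still rely on a shared token and which identity each asserts. It assumes Zendesk's documented Basic Auth convention of `email/token:api_token` for API tokens and `email:password` for passwords; all emails, tokens and passwords below are constructed placeholders.

```python
import base64
import binascii
from typing import Dict

# Assumed Zendesk convention: the username part of an API-token Basic Auth
# string is the caller-chosen email followed by "/token".
TOKEN_SUFFIX = "/token"


def token_auth_header(email: str, api_token: str) -> str:
    """Header an API-token caller sends. The email is free text chosen by
    the caller, which is why a shared token cannot be tied to one agent."""
    raw = f"{email}{TOKEN_SUFFIX}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def password_auth_header(email: str, password: str) -> str:
    """Header for the workaround above: the user's own login, so the request
    is bound to that account and its permission set."""
    raw = f"{email}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def classify_auth_header(header: str) -> Dict[str, str]:
    """Report the scheme and the asserted identity of an Authorization header
    taken from one of our own scripts or an outbound proxy log."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        return {"scheme": "other", "identity": ""}
    try:
        user, _, _secret = base64.b64decode(payload, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "malformed", "identity": ""}
    if user.endswith(TOKEN_SUFFIX):
        return {"scheme": "api_token", "identity": user[: -len(TOKEN_SUFFIX)]}
    return {"scheme": "password", "identity": user}


def flag_token_use_as_other_user(header: str, issued_to: str) -> bool:
    """True when a token-authenticated request asserts an identity other than
    the agent the token was handed to: the misuse pattern the thread describes."""
    info = classify_auth_header(header)
    return info["scheme"] == "api_token" and info["identity"] != issued_to


if __name__ == "__main__":
    # Constructed sample: a token issued to agent@example.com used with an admin's email.
    hdr = token_auth_header("admin@example.com", "PLACEHOLDER_TOKEN")
    print(classify_auth_header(hdr), flag_token_use_as_other_user(hdr, "agent@example.com"))
```

The classifier only sees what your own scripts or egress proxy record; as the reply notes, Zendesk's own event logs will show the asserted user, not the token holder.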