This is a continuing discussion about the article Making API requests on behalf of end users (Zendesk Support) in the developer documentation.
Making API requests on behalf of end users (Zendesk Support)
Hi,
I want to add comments on behalf of end users, according to docs I should just set up author_id
curl 'https://d3v-bb.zendesk.com/api/v2/requests/109.json' -X PUT -H 'Authorization: Bearer b86c8*********410' -H 'Content-Type: application/json' -d '{"request":{"comment":{"author_id":363284300813,"body":"My comment","uploads":[]}}}'but when I refresh the comments I see my (I am admin) user id as author_id. I've tried this article and I am able to add a coment with different author using the X-On-Behalf-Of header but there are two still two issues:
- it works only for end users with verified email address otherwise I got HTTP 403
- it works only on server side, in the browser (our application is not server side), CORS complains that X-On-Behalf-Of header is not allowed, and that's true, see Access-Control-Allow-Headers: Authorization,X-Requested-With,X-Prototype-Version,X-Zendesk-API,Content-Type,X-CSRF-Token
Please how to add comments on behalf of end users?
Thanks
Regards,
Vojtech
Hello Vojtech -- the behavior you're experiencing is correct.
Regarding impersonation...
When using the X-On-Behalf-Of header, you can only impersonate end users. More details are here:
Making API requests on behalf of end users
"impersonate" is one of the available scopes that a token may have but it only allows admins to impersonate end users:
"...allows Zendesk Support admins to make requests on behalf of end users"
Regarding troubleshooting CORS...
If you're using the Zendesk Apps framework, make the request using the framework's client.request method with cors:true setting. That keeps your request coming from the same domain and avoids CORS issues (assuming you're not crossing over to another Zendesk instance).
The reason the request works server-side and not client-side is because CORS is only a browser based convention. Server-side apps don't have a CORS-like concept, so don't have such constraints. The same would be true if you're making the call using cURL (not a browser, so no CORS constraints).
Post back for more detail or if you run into issues.
I am attempting to update a ticket via the Support Tickets API endpoint using a token, impersonating an end-user. The request works, but any placeholders I add do not work. For instance, the following JSON request body:
{
"ticket": {
"comment": {
"author_id": NNNNNNNNN,
"html_body": "<p>{{current_user.notes}}</p><p>{{comment.author.notes}}</p>{{comment.author.email}}<p></p><p>{{current_user.email}}</p>",
"public": false
}
}
}Does not fill the placeholders. It just adds the placeholder as plain-text, like so:
{{current_user.notes}}
{{comment.author.notes}}
{{comment.author.email}}
{{current_user.email}}If I replace the author ID with the ID of a user with role Agent or above, placeholders work fine.
It seems that end-users don't have permission to use placeholders. Is there any way for me to allow end-users to use placeholders?
For use-case, I have a Python-based local app that performs many automations for our Zendesk Support instance and places comments in tickets for any automatic actions taken. I want to use a "bot" end-user as the commenter for all of these comments for many important reasons (mostly metrics).
EDIT: Interestingly, the following placeholder does work
{{ "now" }}@Bryan Flynn Thanks for the quick reply!
I suspected this was the case. Do you know of any doc set I can view that will allow me to infer what placeholders a user might have access to? Possibly the Requests API?
I may just make a quick test that puts all available placeholders from the reference material in one comment, just to see what populates.
The closest I can offer is to find the corresponding API (such as the one in my previous comment) and see what restrictions it may have. In this API's case, it is restricted to agents. And in truth, end-user allowed API calls are very limited. You can search on "Allowed For" and "End Users" in the API documentation. For example, see this link: https://developer.zendesk.com/rest_api/docs/support/requests#list-requests
Hi,
I am trying to update a ticket comment on behalf of the end-user. I've added the impersonate scope to the OAuth access token and sending the following like request to **.zendesk.com/api/v2/tickets/*ticketId*.json
Headers:
Authorization: Bearer *OAuthAccessToken*,
"X-On-Behalf-Of": *end-userId*,
"Content-Type":"application/json", Body:
ticket: {
comment: {
html_body: this is a test message <br>,
public: true,
},
}This request is returning me HTTP 403 Forbidden every time I use an end-user id in the header but the impersonation works if I use an id of an agent or an admin. The document says "In Zendesk Support, an authenticated admin can make API requests on behalf of any end-user. The end user's email doesn't need to be verified". So what I am missing here?
I made a workaround by using an admin user id in the X-On-Behalf-Of header and then adding the end-user id as author_id in the request body. But this may have some implications, so it's not maybe the advice way of doing this.
Hey Santtu,
Everything looks good with your request except for one small piece in your header. Can you try changing your "on behalf" header so it's wrapped into one string?
"X-On-Behalf-Of: 203427634"
Have a wonderful day!
Eric Nelson | Manager - Developer Advocacy
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
Hi Sam. As you discovered, there are limitations on what end users can pull. Usually these can be inferred by looking at the related API -- in the below case, user information. The documentation, for example, for GET /api/v2/users/{id}.json is limited to agents.
Since you're using a custom app, you could perhaps retrieve and cache that information through an agent authenticated call, then inline it into the subsequent call (versus using place holders). This doesn't avoid using an agent license as you mentioned, however.