Hello! I am following the OAuth instructions on this page: https://developer.zendesk.com/documentation/ticketing/working-with-oauth/creating-and-using-oauth-tokens-with-the-api/
I want to clarify some things, would appreciate any insight!
We have agents and light agents using our app (same email registered with Zendesk as our app), and our goal is to:
- Allow agents to create tickets, setting requester and an external user (so we send name and email address)
- Allow light agents to see the ticket number and click through to go to Zendesk. Light agents should be denied when attempting to create a ticket.
- Do this silently, ie not request the user to grant permission
My questions are:
1. As the OAuth token doesn't expire, would I even need to generate this every request on our backend? Can't I just do it once and store the token in a param store to pull when needed?
2. If I create an access token, I have to explicitly set the scopes. But I don't want light agents to be able to create tickets - how can I check this and deny them on our backend?
3. Since our users all have emails associated with their Zendesk accounts, would you recommend using email/API token authentication? Or is using OAuth as per step 1 the better option?
Thank you!
Light agents can actually create tickets in certain circumstances. So regardless of your auth method, your app will need to determine the user's role in Zendesk before presenting the option to create a ticket. Using API token auth gives you the opportunity to do so with the Show Self endpoint.
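A worked example of the role check the reply recommends, added here as illustration (it is not code from either poster and not Zendesk's own). It assumes the backend authenticates each call to Show Self (GET /api/v2/users/me) as the signed-in user's own Zendesk email paired with the account API token, so that the response describes that user rather than the app's service account; it also assumes Zendesk's documented user fields `role` ("end-user", "agent", "admin"), `active`, and `role_type` with the value 1 denoting a light agent. The sample response bodies are constructed for the example, not captured from a real account, and the `fetch_show_self` helper is the only part that touches the network.

```python
import base64
import json
import urllib.request

# Constructed sample bodies shaped like the Show Self response
# ({"user": {...}}). Values are illustrative, not from a real account.
SAMPLE_RESPONSES = {
    "full_agent": {"user": {"id": 101, "email": "agent@example.com", "role": "agent",
                            "role_type": 0, "custom_role_id": 360001, "active": True}},
    "light_agent": {"user": {"id": 102, "email": "light@example.com", "role": "agent",
                             "role_type": 1, "custom_role_id": 360002, "active": True}},
    "admin": {"user": {"id": 1, "email": "admin@example.com", "role": "admin",
                       "role_type": 4, "custom_role_id": None, "active": True}},
    "end_user": {"user": {"id": 500, "email": "customer@example.com", "role": "end-user",
                          "role_type": None, "custom_role_id": None, "active": True}},
    "suspended_agent": {"user": {"id": 103, "email": "suspended@example.com", "role": "agent",
                                 "role_type": 0, "custom_role_id": 360001, "active": False}},
}

# Assumed meaning of role_type == 1 (light agent); verify against your account's roles.
LIGHT_AGENT_ROLE_TYPE = 1

# Roles the app allows to create tickets. Light agents are deliberately excluded
# even though Zendesk itself may let them create tickets in some circumstances.
ALLOWED_TO_CREATE = {"admin", "agent"}


def api_token_auth_header(email, api_token):
    """Basic auth header for API token authentication.

    Zendesk expects the username part to be '<email>/token' and the password
    part to be the API token. The email must be the signed-in user's verified
    address taken from the app's own session, never from the request body.
    """
    creds = f"{email}/token:{api_token}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(creds).decode("ascii")}


def oauth_auth_header(access_token):
    """Bearer header for an OAuth access token (alternative to API token auth)."""
    return {"Authorization": "Bearer " + access_token}


def classify_user(show_self_body):
    """Map a Show Self body to one of: admin, agent, light_agent, end_user, inactive, unknown."""
    user = show_self_body.get("user") or {}
    if not user.get("active", False):
        return "inactive"
    role = user.get("role")
    if role == "admin":
        return "admin"
    if role == "agent":
        return "light_agent" if user.get("role_type") == LIGHT_AGENT_ROLE_TYPE else "agent"
    if role == "end-user":
        return "end_user"
    return "unknown"


def may_create_tickets(show_self_body, session_email):
    """Fail closed: allow only active admins and full agents, and only when the
    account Zendesk reports matches the user the app authenticated."""
    user = show_self_body.get("user") or {}
    if (user.get("email") or "").strip().lower() != session_email.strip().lower():
        return False
    return classify_user(show_self_body) in ALLOWED_TO_CREATE


def fetch_show_self(subdomain, headers, timeout=10):
    """Live call to GET https://<subdomain>.zendesk.com/api/v2/users/me (not used offline)."""
    url = f"https://{subdomain}.zendesk.com/api/v2/users/me"
    req = urllib.request.Request(url, headers={**headers, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    for name, body in SAMPLE_RESPONSES.items():
        email = body["user"]["email"]
        print(f"{name:16s} role={classify_user(body):12s} "
              f"create_ticket={may_create_tickets(body, email)}")
```

In production the `show_self_body` comes from `fetch_show_self(subdomain, api_token_auth_header(session_email, api_token))` on every ticket-creation request (or from a short-lived per-user cache), so that a role change in Zendesk takes effect without redeploying the app; the decision is made server-side and the client is only told whether the "create ticket" action is available.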