
Secure Settings for ZIS Connections and Webhooks

  • December 26, 2025
  • 3 replies
  • 0 views

Lara15

Hi!

I'm working on a Zendesk App that, when the user clicks on an “install” button, will install a ZIS bundle and create a webhook.

The installation process is:
 * Go to Admin Center
 * Add a private app
 * Add the corresponding configuration: secure settings for two API tokens provided by the customer
 * Click install
 * Go to Support view
 * Open the app
 * Click on install (this step is the one installing the ZIS bundle and the webhook)

 

By using OAuth with the Zendesk account I'm able to do this without any problem and/or compromising any credentials.

 

My problem:

I need to pass the secure setting token mentioned in one of the installation steps to create a ZIS connection, so that I can use it when installing the bundle, and also include it in the authentication data to create the webhook. Like this:

ZIS:

// ZIS API-key connection payload; the key comes from the app setting.
const Conn = {
  name: "abcd_connection",
  type: "api_key",
  api_key: settings.api_token,
  header_name: "X-Api-Key",
  allowed_domain: new URL(backendURL).host
};

// Create the connection, then update it. Both steps soft-fail.
async function ensureApiKeyConnection(client, INTEGRATION, Conn) {
  await step("Creating ABCD Connection", async () => {
    await client.request({
      url: `/api/services/zis/integrations/${INTEGRATION}/connections/api_key`,
      type: "POST",
      contentType: "application/json",
      data: JSON.stringify(Conn),
    });
  }, { softFail: true });

  await step("Updating ABCD connection", async () => {
    await client.request({
      url: `/api/services/zis/integrations/${INTEGRATION}/connections/api_key/abcd_connection`,
      type: "PATCH",
      contentType: "application/json",
      data: JSON.stringify(Conn),
    });
  }, { softFail: true });
}



Webhook:

const desired = {
  name,
  endpoint,
  http_method: "POST",
  request_format: "json",
  status: "active",
  authentication: {
    type: "api_key",
    add_position: "header",
    data: {
      name: "X-Api-Key",
      value: String(settings.api_token || "")
    }
  },
  subscriptions: EVENT_SUBSCRIPTIONS
};

const createResp = await client.request({
  url: `/api/v2/webhooks`,
  type: "POST",
  contentType: "application/json",
  data: JSON.stringify({ webhook: desired })
});

As you can see, I'm not setting ‘secure = True’ in each API call because, based on this document:
https://developer.zendesk.com/documentation/apps/app-developer-guide/making-api-requests-from-a-zendesk-app/#secure-setting-limitations
you cannot use secure settings to make Zendesk API calls. So my question is: Is there any other way to use Secure Settings in these two cases? How can I, having this api_token, use it to create a ZIS connection and as the authentication setting for the webhook? This setting is something I'd like to include in these configurations, not to call a Zendesk API per se.

(FYI, I can't not make it secure, as it is a must for the app to be approved and uploaded to the Zendesk Marketplace.)

Thanks!!!

3 replies

Hi Lara,
 
Because of the secure setting limitation, it may be simpler to use one of two approaches:
 
  • Send the submitted config details to middleware that then performs the ZIS connection and webhook setup.
  • Rather than capturing the token values in the ZAF app install itself, set up a config page within a server-side app for the user to supply the tokens.  That way they are submitted directly to your server.
 
 

Ahmed11
  • January 2, 2026

Hi Lara,

Adding to Christopher's suggestions, if you are using the API token in an app setting solely to store it in a ZIS connection, it would be simpler to not store it as an app setting at all. Simply prompt the user to enter it in an input before clicking install and directly supply it to the ZIS Connection object.

You will have to tweak the UI a little, but you save yourself the need to pivot to a server-side app or create a middleware.

This assumes that whoever installs the app will also configure it and click on the ZIS install button, which is likely since only Admins can install a ZIS bundle.
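
Added example (not part of the thread and not Zendesk's own code): one way to wire the "prompt for the token at install time" approach, so the token is read from a form field, held only in a local variable, and passed straight into the connection and webhook requests. The request paths and payload fields are copied from the question's snippets; `takeToken`, `buildRequests`, `installFromPrompt` and the option names are hypothetical.

```javascript
// Read the token from a form field and clear the field immediately, so the
// value never lands in app settings and stays only in a local variable.
function takeToken(inputEl) {
  const token = String(inputEl.value || "").trim();
  inputEl.value = "";
  // Fail closed: never create a connection or webhook with an empty key.
  if (!token) throw new Error("API token is required");
  return token;
}

// Build the ZIS connection and webhook requests from the in-memory token.
function buildRequests({ token, integration, backendURL, endpoint, webhookName, subscriptions }) {
  const post = (url, body) => ({
    url,
    type: "POST",
    contentType: "application/json",
    data: JSON.stringify(body),
  });
  return [
    post(`/api/services/zis/integrations/${integration}/connections/api_key`, {
      name: "abcd_connection",
      type: "api_key",
      api_key: token,
      header_name: "X-Api-Key",
      allowed_domain: new URL(backendURL).host,
    }),
    post("/api/v2/webhooks", {
      webhook: {
        name: webhookName,
        endpoint,
        http_method: "POST",
        request_format: "json",
        status: "active",
        authentication: {
          type: "api_key",
          add_position: "header",
          data: { name: "X-Api-Key", value: token },
        },
        subscriptions,
      },
    }),
  ];
}

// `client` is the ZAF client from the question (client.request).
async function installFromPrompt(client, inputEl, options) {
  const token = takeToken(inputEl);
  for (const req of buildRequests({ ...options, token })) {
    await client.request(req); // errors propagate; the token is never logged
  }
}
```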


Lara15
  • Author
  • January 7, 2026

Thank you so much! I really appreciate it!