POST /oauth/tokens

Returns an OAuth access token in exchange for one of the following:

an authorization code
a refresh token
a client secret

Note: The password grant type flow, which used a Zendesk username and password to get an access token, has been deprecated and is highly discouraged.

To revoke an access token, see Revoke Token.

Request parameters

The POST request takes the following parameters, which must be formatted as JSON:

Name	Description
grant_type	"authorization_code", "refresh_token", or "client_credentials"
code	Authorization grant flow only. The authorization code you received from Zendesk after the user granted access. The code is valid for only 120 seconds. See Handle the user's authorization decision in Zendesk help
client_id	The Identifier value specified in an OAuth client in the Zendesk Admin Center (Apps and integrations > APIs > OAuth clients). See Registering your application with Zendesk
client_secret	The Secret value specified in an OAuth client in the Admin Center (Apps and integrations > APIs > OAuth clients). See Registering your application with Zendesk
redirect_uri	Authorization grant flow only. The redirect URL you specified when you sent the user to the Zendesk authorization page. For ID purposes only. See Send the user to the Zendesk authorization page
scope	Valid scope for this token. A string of space-separated values. See Scope below
expires_in	Number of seconds the access token is valid. Must be more than 300 seconds (5 minutes) and less than 172,800 seconds (2 days), or less than `refresh_token_expires_in`, whichever is the shorter. Defaults to null
refresh_token_expires_in	Number of seconds the refresh token is valid. Must be more than 604,800 seconds (7 days) or `expires_in` (if given), and less than 7,776,000 seconds (90 days). Defaults to 2,592,000 seconds (30 days)
refresh_token	A valid refresh token. See Replacing expired access tokens

Authorization code example

const tokenResponse = await axios.post(
  `https://${ZENDESK_SUBDOMAIN}.zendesk.com/oauth/tokens`,
  {
    grant_type: "authorization_code",
    code: AUTHORIZATION_CODE,
    client_id: ZENDESK_CLIENT_ID,
    redirect_uri: REDIRECT_URI_PKCE,
    scope: "read write",
    code_verifier: CODE_VERIFIER,
    expires_in: 86400,
    refresh_token_expires_in: 604800,
  },
  { headers: { "Content-Type": "application/json" } }
);

Refresh token example

const tokenResponse = await axios.post(
  `https://${ZENDESK_SUBDOMAIN}.zendesk.com/oauth/tokens`,
  {
    grant_type: "refresh_token",
    refresh_token: REFRESH_TOKEN,
    client_id: ZENDESK_CLIENT_ID,
    client_secret: ZENDESK_CLIENT_SECRET,
    scope: "tickets:write",
    expires_in: 86400,
    refresh_token_expires_in: 604800,
  },
  { headers: { "Content-Type": "application/json" } }
);

Client credentials example

const tokenResponse = await axios.post(
  `https://${ZENDESK_SUBDOMAIN}zendesk.com/oauth/tokens`,
  {
    grant_type: "client_credentials",
    client_id: ZENDESK_CLIENT_ID,
    client_secret: ZENDESK_CLIENT_SECRET,
    scope: "tickets:write",
    expires_in: 86400
  },
  { headers: { "Content-Type": "application/json" } }
);

Scope

You must specify a scope to control the app's access to Zendesk resources. The "read" scope gives access to GET endpoints. It includes permission to sideload related resources. The "write" scope gives access to POST, PUT, and DELETE endpoints for creating, updating, and deleting resources.

Note: Don't confuse the scope parameter (singular) with the scopes parameter (plural) for non-grant-type tokens described in OAuth Tokens.

The "impersonate" scope allows a Zendesk admin to make requests on behalf of end users. See Making API requests on behalf of end users.

For example, the following parameter gives read access to all resources:

"scope": "read"

The following parameter gives read and write access to all resources:

"scope": "read write"

You can fine-tune the scope of the following resources:

tickets
users
audit logs (read only)
organizations
help center resources
apps
triggers
automations
targets
webhooks

The syntax is as follows:

"scope": "resource:scope"

For example, the following parameter restricts the scope to only reading tickets:

"scope": "tickets:read"

To give read and write access to a resource, specify both scopes:

"scope": "users:read users:write"

To give write access only to one resource, such as organizations, and read access to everything else:

"scope": "organizations:write read"

Note: The endpoint returns an access token even if you specify an invalid scope such as "scope": ["read", "write"] (no parentheses). Any request you make with the token will return a "Forbidden" error.

Tokens for Implicit Grant Type

The implicit grant flow has been deprecated. It's considered insecure and its use is highly discouraged.

Servers

https://{subdomain}.{domain}.com

How to start integrating

Add HTTP Task to your workflow definition.
Search for the API you want to integrate with and click on the name.
- This loads the API reference documentation and prepares the Http request settings.
Click Test request to test run your request to the API and see the API's response.