We would be very grateful for non-expiring API tokens either scoped to the permissions of a specific user or with a configurable scope (e.g., read or write). This would fill in the new gap created by recently announced changes requiring OAuth tokens to expire while improving the security of API tokens.
Additional context: we like to enable some of our non-admin agents to make their own requests to the Zendesk API. This allows them to create notification scripts for their own use, extract ticket and article data for analysis, and so on.
There are currently two primary methods for authenticating API requests: API tokens and OAuth tokens.
- API tokens: API tokens do not expire. However, they are not secure for non-admin agents to use, because the scope of the request is based on the email address supplied in the request. Consequently, anyone can use an admin's email address with an API token to gain admin-level API access. There is more discussion on this issue in the post Zendesk APIs - Token Security.
- OAuth tokens: OAuth tokens provide scoped, user-specific access to the Zendesk API. This is exactly what we need, and our users have been happily using non-expiring OAuth tokens in their own scripts. However, all OAuth tokens will begin expiring soon, with an original deadline of April 30, 2026 that was recently extended to April 1, 2027.
Because of the email-based scoping described above, we cannot safely give our non-admin agents API tokens. Scoped API tokens would address this security concern.
We can also no longer rely on OAuth tokens without building out an application to manage and refresh tokens. We understand how requiring OAuth tokens to expire improves security for typical integrations. However, it turns our lightweight, self-service scripts into a full-blown IT-managed application requiring central infrastructure, maintenance/support, monitoring, persistent storage, and so on.
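The refresh handling each individual script has to carry once its OAuth token expires, as an added example (not part of the original post and not Zendesk's code). It assumes a standard OAuth 2.0 `refresh_token` grant (RFC 6749, section 6); the token file, `token_url` and client parameters are hypothetical and deployment-specific.

```python
import json
import os
import time
import urllib.parse
import urllib.request

SKEW = 60  # refresh this many seconds before the access token expires

def save_tokens(path, tokens):
    """Persist tokens atomically, readable by the owner only."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # enforce the mode even if a stale tmp file existed
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
    os.replace(tmp, path)  # atomic rename: a crash cannot leave a half-written file

def http_refresh(token_url, refresh_token, **client_params):
    """Send an RFC 6749 refresh request; token_url and client_params are assumptions."""
    body = urllib.parse.urlencode(
        dict(grant_type="refresh_token", refresh_token=refresh_token, **client_params)
    ).encode()
    req = urllib.request.Request(token_url, data=body)  # data present means POST
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def get_access_token(path, refresh, now=time.time):
    """Return a usable access token, refreshing and persisting it when near expiry."""
    with open(path) as f:
        tokens = json.load(f)
    if tokens["expires_at"] - SKEW > now():
        return tokens["access_token"]
    resp = refresh(tokens["refresh_token"])
    new = {
        "access_token": resp["access_token"],
        # The server may rotate the refresh token on use; keep the old one if it does not.
        "refresh_token": resp.get("refresh_token", tokens["refresh_token"]),
        "expires_at": now() + resp["expires_in"],
    }
    save_tokens(path, new)  # store the rotated token before it is needed again
    return new["access_token"]
```

In a script, `refresh` would be a small wrapper such as `lambda rt: http_refresh(token_url, rt, client_id=...)`, and the token file has to survive between runs, which is the persistent storage the post refers to.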

