Zendesk has announced a critical update regarding platform security: API tokens are being completely removed as an authentication method for all API requests. All custom integrations, automation scripts, and webhooks currently leveraging API tokens must be migrated to OAuth before the deadlines to prevent a total service disruption.
| Key Date | What happens? |
|---|---|
| July 28, 2026 | Phase 1: Unused tokens (30+ days) auto-deactivate. New accounts blocked from token creation. |
| October 27, 2026 | Phase 2: New token creation blocked entirely for all accounts via UI and API. |
| April 30, 2027 | Phase 3: Final Deadline. ALL API tokens stop working permanently. |
1. The Three-Phase Deprecation Timeline
Zendesk is rolling out this change in three distinct phases to give organizations sufficient time to audit and refactor their codebases:
- Phase 1 (Starting July 28, 2026) – Automatic Clean-up & Deactivation: Zendesk will run a one-time sweep. Any token that has been unused for 30 days or more will be deactivated. If a deactivated token remains unused for an additional 60 days, it will be permanently deleted. Furthermore, newly created Zendesk accounts from this date onward will be blocked from creating or using API tokens entirely.
- Phase 2 (Starting October 27, 2026) – Block New Token Creation: Accounts will no longer be permitted to generate new API tokens through either the Admin Center UI or the API. Existing active tokens will remain operational until the final EOL date in 2027.
- Phase 3 (Effective April 30, 2027) – Forced EOL Deactivation: The final deadline. All remaining active API tokens will stop working permanently. The token management interface will be entirely removed from the Admin Center, and any API requests made using token authentication will fail with a 401 Unauthorized error.
2. Why is Zendesk making this change?
API tokens were initially designed for convenience, not for modern, hardened security architecture. They lack fundamental defensive controls, creating substantial organizational risks:
- No granular scoping (all-or-nothing access): An API token provides unrestricted access. It can impersonate any high-level user (including administrators) and cannot be restricted to specific endpoints or read-only actions.
- No expiration parameters: Active tokens remain valid indefinitely. If credentials are leaked via exposed code repositories or compromised local machines, malicious actors gain persistent access until manual revocation occurs.
- No rotation protocols: There is no native mechanism to securely cycle or rotate tokens without manually breaking and updating every active workflow simultaneously.
Transitioning to OAuth aligns Zendesk with industry-standard authentication methods. OAuth utilizes short-lived access tokens that automatically expire, supports granular permission scoping, and allows for automated credential rotation without causing unexpected workflow downtime.
3. Required Action Plan
To avoid severe integration failures, administrators and developers should execute the following steps:
- Audit current token inventory: Navigate to Admin Center > Apps and integrations > APIs > API tokens and check the "Last used" metrics to pinpoint active endpoints.
- Identify at-risk workflows: Isolate where these tokens live. Common dependencies include automated sync scripts, webhooks updating tickets within your own instance, and middleware built by external vendors or contractors.
- Utilize rolling usage reports: Starting July 28, 2026, Zendesk will provide a 7-day API Usage Report directly within the UI. Generate this report regularly to map client user-agents and source IP addresses back to your specific tokens.
-
Refactor integrations to OAuth: Create an OAuth client in the Zendesk Admin Center, reconfigure your code to request temporary access tokens via supported grant types (e.g.,
client_credentialsorauthorization_code), and test the authentication flows.
4. Frequently Asked Questions (FAQ)
Which specific APIs are affected by this deprecation?
This change applies strictly to core Zendesk Support APIs, which include the Ticketing API, Help Center API (Guide), and Voice API. API tokens used for Messaging, Chat, or other independent Zendesk solutions are not governed by this specific timeline.
Will webhooks using API tokens break after the EOL date?
Yes. Utilizing a core Zendesk API token within webhooks to modify internal tickets or data structures will no longer be supported and will fail. Zendesk plans to release updated technical guidance regarding secure webhook authentication models shortly.
What happens if an automated script only runs once every quarter?
Because the token will sit idle for more than 30 days, it will automatically deactivate between runs, causing your script to fail upon its next execution. For low-frequency workflows, you must either manually reactivate the token within its 60-day grace period or migrate the script to use OAuth tokens directly.
What should we do if a third-party Marketplace app requires an API token?
Under Zendesk developer policies, third-party apps are prohibited from leveraging a customer's private API tokens. If you rely on an integration or app that still mandates an API token, contact the developer immediately to request an update to OAuth. Apps that fail to transition will break when tokens are disabled.
Looking for Zendesk's official announcement?
You can review the full developer deprecation documentation here:
Zendesk: Announcing the removal of API tokens as an authentication method
Do you have custom integrations that need to be rewritten for OAuth?
Migrating authentication structures requires technical foresight. SoftwareOne can help audit your current API footprints, analyze usage logs, and update your webhooks and scripts to adhere to secure OAuth protocols.