API Authentication
Learn how to authenticate with the DZDESK API.
Overview
The DZDESK API uses secure authentication to protect your data. Two authentication methods are supported:
- API Keys: For server-to-server integrations
- OAuth 2.0: For user-context operations
API Keys
Creating an API Key
- Navigate to Settings > API
- Click Generate API Key
- Enter:
- Key name (for identification)
- Permissions scope
- Expiration (optional)
- Click Create
- Copy the key immediately (shown only once)
Using API Keys
Include the API key in request headers:
curl -X GET "https://api.dzdesk.com/v1/requests" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json"
Key Permissions
| Scope | Access |
|---|---|
requests:read | Read requests |
requests:write | Create/update requests |
users:read | Read user data |
users:write | Manage users |
admin | Full access |
Key Best Practices
- Minimum permissions: Only grant needed scopes
- Rotate regularly: Change keys periodically
- Secure storage: Never commit keys to code
- Monitor usage: Review API logs
OAuth 2.0
When to Use OAuth
Use OAuth when:
- Acting on behalf of a user
- Building user-facing integrations
- Need user-level permissions
OAuth Flow
1. Redirect user to authorization URL
2. User approves access
3. Receive authorization code
4. Exchange code for access token
5. Use token for API requests
Authorization URL
https://api.dzdesk.com/oauth/authorize?
client_id=YOUR_CLIENT_ID&
redirect_uri=YOUR_REDIRECT_URI&
response_type=code&
scope=requests:read requests:write
Token Exchange
curl -X POST "https://api.dzdesk.com/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "code=AUTHORIZATION_CODE" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "redirect_uri=YOUR_REDIRECT_URI"
Token Response
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "dGhpcyBpcyBhIHJlZnJlc2..."
}
Refreshing Tokens
curl -X POST "https://api.dzdesk.com/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token" \
-d "refresh_token=YOUR_REFRESH_TOKEN" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET"
API Base URL
All API requests use:
https://api.dzdesk.com/v1/
Request Headers
Required headers for all requests:
| Header | Value |
|---|---|
Authorization | Bearer YOUR_TOKEN |
Content-Type | application/json |
Accept | application/json |
Response Format
Success Response
{
"success": true,
"data": {
// Response data
}
}
Error Response
{
"success": false,
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid or expired token"
}
}
Error Codes
| Code | HTTP Status | Description |
|---|---|---|
UNAUTHORIZED | 401 | Invalid or missing token |
FORBIDDEN | 403 | Insufficient permissions |
NOT_FOUND | 404 | Resource not found |
RATE_LIMITED | 429 | Too many requests |
SERVER_ERROR | 500 | Internal server error |
Rate Limits
API requests are rate limited:
| Plan | Limit |
|---|---|
| Standard | 60 requests/minute |
| Professional | 300 requests/minute |
| Enterprise | Custom |
Rate Limit Headers
Responses include:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1642694400
Handling Rate Limits
When rate limited (HTTP 429):
- Wait until reset time
- Implement exponential backoff
- Consider caching responses
Security Requirements
HTTPS Only
All API requests must use HTTPS.
Token Security
- Never share tokens
- Don't log tokens
- Use environment variables
- Rotate compromised tokens
IP Allowlisting (Optional)
Restrict API access by IP:
- Go to Settings > API
- Add allowed IP addresses
- Only listed IPs can access
Testing Authentication
Verify Token
curl -X GET "https://api.dzdesk.com/v1/me" \
-H "Authorization: Bearer YOUR_TOKEN"
Expected Response
{
"success": true,
"data": {
"id": "user_123",
"email": "user@company.com",
"role": "agent",
"scopes": ["requests:read", "requests:write"]
}
}
Related Topics
- Requests API - Request endpoints
- Users API - User endpoints
- Webhooks - Event notifications