Announcing the removal of API tokens as an authentication method for API requests

Zendesk

Zendesk is sunsetting API tokens as an authentication method for Support API requests, replacing them entirely with OAuth by April 30, 2027. The deprecation unfolds across three phases: starting July 28, 2026, unused tokens (inactive for 30+ days) will auto-deactivate and will be permanently deleted after 60 days of deactivation; from October 27, 2026, no new tokens can be created; and by April 30, 2027, all remaining tokens cease functioning with no reactivation possible. This is not a gradual transition—it is a hard cutoff with no extensions or opt-outs. The decision stems from fundamental security gaps in API tokens: they lack rotation mechanisms, granular permission scoping, and expiration dates, meaning a compromised token can grant indefinite, full-account access to attackers. OAuth, by contrast, provides automatic expiration, credential rotation, and precise permission boundaries—capabilities that cannot be retrofitted into the existing token architecture without essentially rebuilding them as OAuth under a different name.

For CX teams, the operational implications are substantial and immediate. Any workflow relying on API tokens—custom automation scripts, third-party integrations, webhook-based ticket updates, or middleware systems—will fail silently on April 30, 2027 unless migrated to OAuth beforehand. Teams running infrequent integrations (monthly or quarterly processes) face particular risk: tokens unused for 30 days auto-deactivate starting July 28, 2026, meaning workflows will break on their next execution unless proactively reactivated or migrated. The migration window is 10 months, but this assumes teams have already audited their token usage and identified which integrations depend on them—a task many organisations have likely deferred. For teams with custom integrations built by external developers or contractors, the challenge compounds: if those developers are no longer available or unwilling to migrate, you must either rebuild the integration or find alternatives. Zendesk's new usage reporting tools (available from July 28) will help identify which tokens are active, but only after the fact; teams should audit their tokens immediately to understand their exposure.

The broader strategic question for CX leaders is whether this deprecation signals a shift in how Zendesk prioritises security over backwards compatibility. By removing the less secure option entirely rather than allowing both methods to coexist, Zendesk forces all customers onto the more secure path—a decisive stance that eliminates the temptation to choose convenience over security. However, this also means teams with legacy systems, outsourced integrations, or limited technical resources face genuine operational risk if they miss the deadline. The 10-month grace period is generous on paper but compressed in practice for organisations with complex integration ecosystems. Teams should treat the July 23 notification email as a hard trigger to begin auditing and prioritising migration efforts, particularly for mission-critical workflows that cannot tolerate downtime.