Elevating API security to keep pace with AI innovation

Vinay Patel

Chief Trust and Security Officer at Zendesk

Last updated: August 13, 2025

Today, Zendesk announced enhancements to how third-party software developers are permitted to build apps and integrations with Zendesk, consistent with our long history of creating a robust, secure platform for our customers. In this post, we explain the reasoning behind these updates, what is changing, and what Zendesk customers and developers can expect to see from the Zendesk Marketplace.

As AI systems proliferate and become more advanced, the volume of data flowing through APIs is growing at an unprecedented pace. With so many companies building and implementing AI, the challenge of understanding and protecting against new categories of risk is growing more complex. In a future where autonomous systems interact directly with each other to move and transform large stores of data, appropriate governance for APIs and integrations will be critical to secure that data.

And now, to take a step forward and further protect our customers, Zendesk is requiring third-party developers to begin using application-specific authorization credentials; to practice improved hygiene and transparency in API calls; to complete enhanced Zendesk security reviews; and to comply with customer protective data handling principles.

Customers building internal applications for their own use will not be impacted by these changes; however, third-party developers will need to meet the new standards.

What are the risks?

As JP Morgan’s CISO Patrick Opet recently explained in an open letter, we stand at a critical juncture and security must be prioritized to protect the cloud software supply chain. Companies of all shapes and sizes are building AI software, and new types of threats are emerging as the intrinsic value of data increases.

Why focus on APIs?

Zendesk’s open API ecosystem is a powerful enabler. It offers customers and third-party developers the flexibility to build integrations and customize our product to their needs. This openness fuels innovation and enhances the Zendesk experience across industries.

When implemented improperly, APIs represent a risk as well. Without strong security controls, APIs become gateways to sensitive data and internal configurations, increasing the threat of unauthorized access. APIs are faster and easier to automate than user interfaces, exposing more data in a shorter time frame. And with the rise in AI-driven coding, more people than ever can try to gain access this way.

At Zendesk, safeguarding our APIs is a top priority. We already employ rigorous security measures, including pen testing, advanced API security tooling, responsible disclosure programs, and continuous traffic monitoring. To meet evolving compliance requirements, we already pursue and maintain global certifications and product reviews, and invest in ongoing education.

Additionally, Zendesk’s app ecosystem goes through a review ensuring third-party apps in our marketplace can be trusted. These integrations take advantage of Zendesk’s access controls, authentication, and identity framework. They are also subject to logging that offers transparency about who is accessing data, when, from where, and for what purpose. These are all necessary for managing secure APIs.

What more are we doing to help?

Zendesk has updated the policies that govern how third-party apps and integrations are built on our APIs, aligning them with modern security best practices and promoting consistent, well-structured development patterns. These changes are designed to prioritize data security and privacy without compromising the flexibility developers expect.

Our updated Developer Terms and Developer Documentation provide the full details, but key highlights are included below. These changes do not apply to customers developing applications for internal use, but to entities developing applications and integrations for distribution to multiple Zendesk customers (for short, “app developers”).

  • Global OAuth Tokens for Third-Party Apps: App developers are required to use official authentication tokens (“global OAuth”) and are no longer permitted to use a customer’s credentials to authenticate their applications.
  • API Headers: Every API call made by a third-party app developer must include headers identifying its source. This improves transparency, brings greater observability, and helps protect against anomalous or malicious activity.
  • App submission requirement: All applications built for distribution to Zendesk customers—whether listed in our official marketplace or otherwise—must be submitted for review and approval, giving customers added confidence that third-party applications are safe and following security guidelines.
  • New guidelines on usage and storage: App developers will be required to conform to rules about handling customer data, ensuring it is not misused or exposed to unauthorized access.

We are also taking steps to offer new API security tools to all customers. All Zendesk accounts will get new token management dashboards. App developers and customers will be able to manage OAuth tokens and API tokens with ease, featuring enhanced controls like expiration dates and scoped permissions to limit access precisely. With these tools customers will have improved visibility into what tokens exist, who created them, and when they are being used.

What is the impact to Zendesk customers?

Enhanced security when integrating with third-party applications is the primary benefit of this update, and we anticipate minimal direct impact to Zendesk customers otherwise.

However, if you use third-party applications that authenticate into your account using API tokens, you will need to approve a new authentication method (global OAuth) when the app’s developer makes that available to you. If you encounter any issues, the app’s developer should be able to assist you.

Key points

The API landscape is evolving—and so are we. As new technologies and threats emerge, you can expect continued investments in transparency, control, and secure-by-design principles.

Your data is one of your most valuable assets. At Zendesk, we take this responsibility seriously and always with your end users in mind. We are committed to protecting your data while being transparent about its use within our systems. Importantly, we will continue to enhance your controls and security with tools like our new API security dashboards. Keep an eye out for further security enhancements too.

These changes will not apply to internal development that you do on your own accounts using your own data, though, as noted above, they may require some small action from customers in the coming months to approve developers’ new, more secure methods of authentication. Your ability to extend Zendesk remains one of the most important features of the product.

All public integrations (those made available to multiple Zendesk customers) will be required to go through Marketplace review to ensure they conform to the new standards.

Separate from our work in upleveling API security, Zendesk continues to invest in strengthening AI trust. From offering advanced AI agents capable of combining generative responses with scripted flows to eliminate hallucination concerns, to paving the way in how to oversee and govern AI development, and to leading with responsible data practices, we remain steadfastly committed to delivering the benefits of AI innovation responsibly and securely.

In an era where AI changes our relationship to data every day, security becomes increasingly core to success, regardless of your business. With modern API security practices and transparency, Zendesk is empowering you to innovate without compromising trust.

Vinay Patel is the Chief Trust & Security Officer at Zendesk, where he leads the charge in safeguarding Zendesk and oversees the fulfillment of Zendesk’s commitments to its customers and stakeholders on security and compliance. He firmly believes that Trust is central to our relationships with customers and that it is earned through transparent and consistent execution of information security controls.
