Zendesk
Customer Supportsystem_type: "zendesk"Proxy Zendesk REST API v2 calls for ticket management, user profiles, and organisation data.
Overview#
The Zendesk connector proxies Zendesk REST API v2 calls with ML-KEM-768 + AES-256-GCM encryption. Supports both API token (email + token) and OAuth Bearer authentication. All customer PII in ticket bodies, comments, and user profiles passes through QuantaSeal's encryption proxy before reaching Zendesk.
https://api.quantaseal.io/api/v2/proxy/outboundAuth header:
X-API-Key: qs_live_…Prerequisites#
- 1A Zendesk account (Support, Suite, or Sunshine)
- 2An API token from Admin → Apps & Integrations → APIs → Zendesk API → Settings
- 3Your Zendesk subdomain (e.g. 'acme' for acme.zendesk.com)
Configuration#
Follow these steps to connect Zendesk to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
- 1
In Zendesk Admin → Apps & Integrations → APIs → Zendesk API, enable Token Access and create an API token.
- 2
Seal: POST /api/v2/vault/seal with credential_type: basic_auth and values: {username: 'admin@acme.com', password: 'your-api-token'}.
- 3
Create integration: POST /api/v2/integrations with system_type: zendesk, config: {subdomain: 'acme'}.
- 4
Set allowed_operations to the Zendesk operations your application needs.
Authentication Types#
API token auth: HTTP Basic with {email}/token:{api_token} (seal as basic_auth with username=email, password=api_token). OAuth: seal access_token as oauth2_token.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
list_tickets | List tickets with status and date filters. |
get_ticket | Retrieve a ticket by ID including comments. |
create_ticket | Create a new support ticket. |
update_ticket | Update ticket status, priority, or assignee. |
list_users | List agents and end-users. |
search | Search tickets, users, and organisations with Zendesk query syntax. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_ZENDESK001",
"operation": "search",
"payload": {
"query": "type:ticket status:open priority:high created>2026-01-01",
"sort_by": "created_at",
"sort_order": "desc"
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted Zendesk search results>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XZENDESK001"
}client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.Troubleshooting#
401 - Couldn't authenticate you
For API token auth, the password must be the API token NOT your login password. Format: {email}/token:{api_token} as HTTP Basic.
429 - Too Many Requests
Zendesk rate limits vary by plan (10-700 req/min). Check the X-Rate-Limit and X-Rate-Limit-Remaining headers. Use the Retry-After value for backoff.
422 - Unprocessable Entity on ticket create
Zendesk requires at minimum a subject and either a description or a comment body. Check the errors array in the response for field-level validation messages.