# Zendesk

Teleskope supports two Zendesk authentication modes:

1. API token
2. OAuth client credentials

## API Token

Provide the following values during enrollment:

| Field     | Value                                                                                                                                                                     |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Subdomain | Your Zendesk subdomain. For `https://acme.zendesk.com`, use `acme`.                                                                                                       |
| Email     | The Zendesk user email associated with the API token.                                                                                                                     |
| API Key   | Zendesk API token created for that user. Follow Zendesk's [instructions](https://support.zendesk.com/hc/en-us/articles/4408889192858-Managing-access-to-the-Zendesk-API). |

## OAuth Client Credentials

Teleskope's Zendesk OAuth support uses the `client_credentials` grant type. It does not use an authorization-code redirect flow and does not require a refresh token.

### Create the OAuth client in Zendesk

In Zendesk Admin Center:

1. Go to `Apps and integrations` -> `APIs` -> `OAuth clients`.
2. Create or edit an OAuth client.
3. Set `Client kind` to `Confidential`.

Capture the following values from the Zendesk OAuth client:

| Zendesk UI Label | Teleskope Field | Notes                                               |
| ---------------- | --------------- | --------------------------------------------------- |
| Identifier       | Client ID       | Zendesk uses `Identifier` as the OAuth `client_id`. |
| Secret           | Client Secret   | Zendesk OAuth client secret.                        |

Also provide:

| Field     | Value                                                                |
| --------- | -------------------------------------------------------------------- |
| Subdomain | Your Zendesk subdomain. For `https://acme.zendesk.com`, use `acme`.  |
| Scope     | `read` for scan-only, or `read write` for scanning plus remediation. |

### Recommended scopes

| Teleskope Usage          | Scope        |
| ------------------------ | ------------ |
| Scanning only            | `read`       |
| Scanning and remediation | `read write` |

`impersonate` is not required.

### Enrollment values in Teleskope

When selecting `OAuth` in the Zendesk enrollment flow, enter:

| Teleskope Field | Value                             |
| --------------- | --------------------------------- |
| Client ID       | Zendesk OAuth client `Identifier` |
| Client Secret   | Zendesk OAuth client `Secret`     |
| Subdomain       | Zendesk subdomain                 |
| Scope           | `read` or `read write`            |

### Token behavior

Teleskope exchanges the client credentials for a bearer token at Zendesk's token endpoint:

`https://{subdomain}.zendesk.com/oauth/tokens`

No manual access token entry is required during enrollment.
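
The following is an added example, not Teleskope's or Zendesk's code: a pre-flight check of the OAuth enrollment values described above that builds the `client_credentials` token request without sending it. The function names, the subdomain pattern, the `remediation` flag and the sample credentials are assumptions of this example. The page does not say how the request body is encoded, so the fields are returned as a plain dict.

```python
import re
from urllib.parse import urlsplit

# Scopes this page lists for Teleskope; anything else (e.g. impersonate) is rejected.
ALLOWED_SCOPES = {"read", "write"}
# DNS-label shape for the subdomain: an assumption of this example, not a Zendesk rule.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def normalize_subdomain(value: str) -> str:
    """Accept 'acme' or 'https://acme.zendesk.com' and return 'acme'."""
    value = value.strip().lower()
    host = (urlsplit(value).hostname or "") if "://" in value else value
    if host.endswith(".zendesk.com"):
        host = host[: -len(".zendesk.com")]
    if not SUBDOMAIN_RE.fullmatch(host):  # dots, slashes, other hosts all fail here
        raise ValueError(f"not a bare Zendesk subdomain: {value!r}")
    return host

def normalize_scope(value: str, remediation: bool) -> str:
    """Return 'read' or 'read write'; reject extra scopes and over-grants."""
    requested = set(value.split())
    extra = requested - ALLOWED_SCOPES
    if extra:
        raise ValueError(f"scope not needed by Teleskope: {sorted(extra)}")
    needed = {"read", "write"} if remediation else {"read"}
    if requested != needed:
        raise ValueError(f"expected {' '.join(sorted(needed))!r}, got {value!r}")
    return " ".join(sorted(needed))

def token_request(subdomain, client_id, client_secret, scope, remediation=False):
    """Return (url, fields) for the client_credentials exchange; sends nothing."""
    sub = normalize_subdomain(subdomain)
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,          # Zendesk UI label: Identifier
        "client_secret": client_secret,  # Zendesk UI label: Secret
        "scope": normalize_scope(scope, remediation),
    }
    return f"https://{sub}.zendesk.com/oauth/tokens", fields

def redacted(fields: dict) -> dict:
    """Copy of the fields that is safe to log: the secret is masked."""
    return {k: ("***" if k == "client_secret" else v) for k, v in fields.items()}

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url, fields = token_request("https://acme.zendesk.com", "teleskope_scanner",
                                "constructed-secret", "read")
    print(url, redacted(fields))
```
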
