Alright, look. It’s 2026 and every day brings a new security disaster from a different business application vendor.
Zendesk has a vast attack surface and is mission-critical for your organisation, so the security of your instance is non-negotiable from your customers’ perspective.
It’s great that there are improvements to the OAuth implementation and other routes for user access. But can anyone explain to me why API tokens are still all-or-nothing?
We need to see proper token scopes like you’d configure on GitHub or Stripe. This is considered basic security hygiene everywhere else.
Now we’re all plugging in external AI agents, we’re seeing rapid marketplace expansion, and more third parties connecting different systems. We’ve already seen the consequences with the spam relay problem. The attack surface keeps growing as attackers get more sophisticated. The cost of probing drops and potential rewards explode. As an ecosystem around the Zendesk platform, we must demand better!