Authorization and access to your data
All apps installed from the Zendesk Marketplace technically gain access to all of your Zendesk data ("your data") through the Zendesk App Framework. However, Playlist Ticket Assignment ("Playlist") also requires access to your data from our servers.
Authorizing with OAuth
Playlist uses Zendesk’s OAuth authorization flow, which requires you to explicitly grant API access to your Zendesk account. Here is a summary of the authorization flow:
- After installing the app, the admin will land on a page asking for authorization (we use signed URLs provided by Zendesk to ensure that the user authorizing API access is indeed a user of your account)
- The admin clicks on the button to "Authorize" API access
- A window pops up, describing the scope of access that will be granted to Playlist and prompting the admin for confirmation
- Once authorized, our server generates and signs a JSON Web Token (JWT) to identify your account
- This JWT serves as your session and is stored as a hidden, secure setting within the app.
Using JWTs to identify users
The app (Zendesk iframe) will then use the secure flag to include the JWT along with each subsequent request to our services. With the secure flag, communication between Zendesk and our services is server to server, so the JWT is never exposed to clients.
When our service receives a request, it will decode the JWT to validate the user’s identity. If we are unable to decode the JWT (i.e. due to it being tampered with), the request is automatically rejected. If we are able to successfully decode the JWT, the user is authorized and the request is carried out.
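The sign-then-verify step described above, as an added example that is not Playlist's own code: it assumes an HS256 (HMAC-SHA256) token, a server-held key `SECRET`, and claim names `account` and `exp`, none of which this page specifies. The signature is checked before any claim is read, and the algorithm is pinned on the server rather than taken from the token header.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: HMAC key held only by the server


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(account, ttl=3600, now=None):
    """Issue a JWT naming the Zendesk account (claim names are assumptions)."""
    now = time.time() if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64e(json.dumps({"account": account, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64e(sig)}"


def verify_session(token, now=None):
    """Return the claims if the token is authentic and unexpired, else None (reject)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SECRET, signed, hashlib.sha256).digest()
        # Constant-time comparison, done before parsing sender-controlled JSON.
        if not hmac.compare_digest(expected, b64d(sig_b64)):
            return None
        header = json.loads(b64d(header_b64))
        claims = json.loads(b64d(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed structure, base64 or JSON
    # Pin the algorithm: the token header must not choose "none" or another scheme.
    if header.get("alg") != "HS256":
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```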
Why does Playlist need server-side API access?
Playlist only reads and writes data where it needs to when using Zendesk’s APIs. Here are some of the reasons why the app needs server-side API access:
- Some of our services, such as round-robin ticket assignment, need to be carried out even when agents are not logged into Zendesk. For such services, we will need server-side API access to run jobs on our servers.
- Some admins may want to delegate administration of Playlist business rules and settings to specific agents. Since Zendesk does not allow agents to update the user profiles of other agents, our service provides delegated admins with the ability to update specific user fields that are managed by Playlist (i.e. Playlist Rule Id, Playlist Manager, Playlist Autoplay).
We use Amazon Web Services (AWS) to host our services and our servers are located in the us-west-2 region (Oregon).
All data transferred between Zendesk and our servers is encrypted using TLS 1.2. This includes information transferred between the app (Zendesk iframe) and our services.
We use proper encryption techniques where appropriate. Here’s a summary of data that we collect from your Zendesk account and store on our servers:
- Playlist rules utilize your views in Zendesk to query for unassigned tickets. We store the appropriate view IDs when you configure Playlist rules for your team.
- We track usage of Playlist so that we can monitor the app’s performance and make improvements to it over time. This data is non-identifiable and we only aggregate information such as the number of successfully assigned tickets.
- Admin contact details
- We store an encrypted version of your OAuth token on our servers so that we can perform jobs even when users are not logged in. For example, our round-robin option periodically checks for unassigned tickets and routes them to available agents in a circular fashion.
Please contact us if you have any questions or would like to learn more about how Playlist is integrated with Zendesk.