Token rotation

Operations proceses page for token rotation

This page documents what to do when a token needs to be rotated (meaning one already existed).

Rotating tokens

For Zendesk API tokens

Navigate to the admin panel for the Zendesk instance in question:
Go to the Zendesk API option on the sidebar (under Apps and integrations > APIs)
Locate the existing entry for the token and delete it (click on it then click Delete)
Click the Add API token button at the top-right of the page
Enter an appropriate name (normally the link to the project using it)
Copy the API token generated
Put the token into place where needed

For gitlab.com personal access tokens

Login to the gitlab.com user the token will be created from
Navigate to the personal access tokens page
Sort through the list of existing tokens to locate the one you need to rotate
Click the swirling arrows (if you hover over it, it says Rotate) next to the correct token
Copy the API token generated
Put the token into place where needed

For gitlab.com project access tokens

Navigate to the project iteself
Go to the Access tokens page (under Settings)
Sort through the list of existing tokens to locate the one you need to rotate
Click the swirling arrows (if you hover over it, it says Rotate) next to the correct token
Copy the API token generated
Put the token into place where needed

For gitlab.com pipeline trigger tokens (as a regular user)

Login to the gitlab.com user the token will be created by
Navigate to the project iteself
Go to the CI/CD page (under Settings)
Expand the Pipeline trigger tokens section
Sort through the list of existing tokens to locate the one you need to rotate
Delete the existing token
Click the Add new token button at the top-rigth of the section
Enter an appropriate name:
- If a Zendesk webhook, put the link to the webhook itself
- If a Zendesk app, use the format INSTANCE - NAME_OF_APP
  - INSTANCE is the Zendesk instance itself (ex: Zendesk Global, Zendesk US Government)
  - NAME_OF_APP is the name of the app as Zendesk display it
- If for a CI/CD job within the same project, put the name of the job
- If for another project, put the link to the project
Copy the API token generated
Put the token into place where needed

For gitlab.com pipeline trigger tokens (as a service bot)

Create a project access token for the project in question
Make note of the project’s ID number
Use that API token to create a pipeline trigger token via the gitlab.com API
```
curl --request POST \
  --header "PRIVATE-TOKEN: TOKEN_YOUR_COPIED" \
  --form description="APPROPRIATE_DESCRIPTION_HERE" \
  "https://gitlab.com/api/v4/projects/PROJECT_ID/triggers"
```
- TOKEN_YOUR_COPIED is the project access token you copied
- APPROPRIATE_DESCRIPTION_HERE is an appropriate description:
  - If a Zendesk webhook, put the link to the webhook itself
  - If a Zendesk app, use the format INSTANCE - NAME_OF_APP
    - INSTANCE is the Zendesk instance itself (ex: Zendesk Global, Zendesk US Government)
    - NAME_OF_APP is the name of the app as Zendesk display it
  - If for a CI/CD job within the same project, put the name of the job
  - If for another project, put the link to the project
Copy the API token generated
Put the token into place where needed

Applying the new token

For Zendesk apps

Navigate to the admin panel for the Zendesk instance in question:
Go to the Zendesk Support apps option on the sidebar (under Apps and integrations > Apps)
Locate the app in question and click on it
Locate the field that needs the API token in question
Put the token into that field
- NOTE Do not populate or edit any other fields
Click the blue Update button at the bottom of the page

For Zendesk webhooks

Navigate to the admin panel for the Zendesk instance in question:
Go to the Webhooks option on the sidebar (under Apps and integrations > Actions and webhooks)
Locate the webhook in question
Click the 3 vertical dots to the far-right of the webhook in question
Click the Edit option
Click the Next link at the bottom-right of the page
Replace the old token with the new token where needed
Click the blue Update button at the bottom-right of the page

For gitlab.com CI/CD variables

Navigate to the project iteself
Go to the CI/CD page (under Settings)
Expand the Variables section
Sort through the list of existing variables to locate the one you need to replace
Click the pencil icon at the far-right of the variable (if you hover over it, it says Edit)
Put the new token in the Value field
Click the blue Save changes button

For gitlab.com webhooks

Due to being unable to edit the value of masked sections in webhooks, we have to “delete and create” it to rotate a token

Navigate to the project iteself
Go to the Webhooks page (under Settings)
Locate the webhook in question and copy all relevant information from it (the URL, what it triggers on, etc.)
Delete the webhook in question
Re-create the webhook using the revelant information and the new token

OAuth Integrations

Integrating a new OAuth Application into Zendesk

Adding an OAuth integration requires Owner access to Zendesk.

After an access request is approved:

Remove the Okta login requirement for the integration user
Log in as the integration user
Perform the OAuth flow as directed by the application.
- Verify the scopes requested are documented and approved in the access request. If they are not, STOP.
Log out as the integration user
Restore Okta login requirements for the integration user.

Last modified October 14, 2025: Remove trailing spaces (3643eb9e)

View page source - Edit this page - please contribute.

Creative Commons License