API tokens and developer access
Deskwoot provides a REST API that gives you programmatic access to your support data and workflows. Whether you're building custom integrations, syncing ticket data with internal tools, or automating repetitive tasks, API tokens let you authenticate securely without sharing your login credentials. This guide walks you through generating tokens, making your first API call, and following best practices to keep your account safe.
Generating an API token
- Log in to your Deskwoot account and navigate to Settings > API Tokens.
- Click the option to create a new token.
- Give the token a descriptive name (e.g., CRM Sync - Production) so you can identify its purpose later.
- Select the specific permissions the token should have. Grant only the access levels your integration actually needs.
- Confirm and copy the token immediately. For security reasons, the full token may not be displayed again after you leave the page.
Using the API
All API requests are made against the following base URL:
https://deskwoot.com/api/v1/
Include your API token in the Authorization header of every request:
Authorization: Bearer YOUR_TOKEN
Example request
A simple cURL call to test your connection might look like this:
curl -H "Authorization: Bearer YOUR_TOKEN" https://deskwoot.com/api/v1/
If the token is valid, the API will return a successful response. If not, you'll receive an authentication error.
Best practices
- Least-privilege principle: Assign each token only the permissions it requires. Avoid creating tokens with full admin access unless absolutely necessary.
- Rotate tokens regularly: Periodically revoke old tokens and generate new ones, especially if team members change roles or leave.
- Store tokens securely: Keep tokens in environment variables or a secrets manager. Never hard-code them in client-side code or commit them to version control.
- Use descriptive names: Naming tokens after the integration or environment they serve makes auditing straightforward.
- Monitor usage: Review your active tokens in Settings > API Tokens on a regular basis and delete any that are no longer in use.
Troubleshooting
- 401 Unauthorized: Double-check that the token is copied correctly, has not been revoked, and is included in the header with the Bearer prefix.
- 403 Forbidden: The token may lack the required permissions for the endpoint you're calling. Edit or recreate the token with the appropriate access.
- Rate limiting: If you receive rate-limit errors, reduce the frequency of your requests or implement exponential back-off in your code.
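The following is an added example, not code from Deskwoot. It shows one way to combine the storage and troubleshooting advice above: the token is read from an environment variable, 401 and 403 fail immediately without retrying, and rate-limit responses are retried with exponential back-off. The variable name DESKWOOT_API_TOKEN, the use of HTTP 429 as the rate-limit status and the optional Retry-After header are assumptions; this guide does not specify them.

```python
import os
import random
import time
import urllib.error
import urllib.request

BASE_URL = "https://deskwoot.com/api/v1/"  # base URL given in this guide
TOKEN_ENV = "DESKWOOT_API_TOKEN"           # assumed variable name, not defined by Deskwoot


class AuthError(Exception):
    """401 or 403: retrying with the same token cannot succeed."""


def load_token(env=os.environ):
    """Read the token from the environment so it never lives in source control."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    return token


def api_get(path, token, opener=urllib.request.urlopen, sleep=time.sleep,
            max_tries=5, base_delay=1.0):
    """GET BASE_URL + path; back off on 429, fail fast on 401/403."""
    req = urllib.request.Request(
        BASE_URL + path.lstrip("/"),
        headers={"Authorization": f"Bearer {token}"},
    )
    for attempt in range(max_tries):
        try:
            with opener(req, timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            # Messages name the cause but never echo the token itself.
            if err.code == 401:
                raise AuthError("401: token mistyped, revoked or sent without Bearer") from None
            if err.code == 403:
                raise AuthError("403: token lacks permission for this endpoint") from None
            if err.code != 429 or attempt == max_tries - 1:
                raise
            # Assumption: rate limiting is signalled with HTTP 429, optionally with Retry-After (seconds).
            hint = (err.headers.get("Retry-After") or "") if err.headers else ""
            delay = float(hint) if hint.isdigit() else base_delay * 2 ** attempt
            sleep(delay + random.uniform(0, delay / 10))  # small jitter


if __name__ == "__main__":
    print(api_get("", load_token()))
```

Because the error messages never include the token, they are safe to write to application logs.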
Frequently asked questions
Can I create multiple API tokens?
Yes. You can generate as many tokens as you need. Creating separate tokens for each integration or environment is recommended so you can revoke one without affecting others.
What happens if my token is compromised?
Go to Settings > API Tokens immediately, revoke the compromised token, and generate a new one. Update any services that relied on the old token.
Is there a rate limit on API requests?
Most APIs enforce rate limits to protect service stability. If you encounter rate-limit responses, space out your calls and consult the API documentation for specific thresholds.