API tokens and developer access
Deskwoot provides a REST API for programmatic access.
Deskwoot provides a REST API that gives you programmatic access to your support data and workflows. Whether you are building custom integrations, syncing ticket data with internal tools, or automating repetitive tasks, API tokens let you authenticate securely without sharing your login credentials. This guide walks you through generating tokens, making your first API call, and following the practices that keep your account safe.
The REST API is an Enterprise feature. It is also available during the 7-day Enterprise trial that every new account starts on, so you can build and test against it before committing. If you are on a lower plan and need API access, you will need to upgrade to Enterprise. For a fuller picture of what the API covers, see the REST API overview.
How do I generate an API token?
- Log in to your Deskwoot account and go to Settings > API tokens.
- Click the option to create a new token.
- Give the token a descriptive name (for example CRM sync, production) so you can identify its purpose later.
- Select the specific permissions the token should have. Grant only the access levels your integration actually needs.
- Confirm and copy the token immediately. For security reasons, the full token may not be displayed again after you leave the page.
How do I use the API?
All API requests are made against the following base URL:
https://deskwoot.com/api/v1/
Include your API token in the Authorization header of every request:
Authorization: Bearer YOUR_TOKEN
Example request
A simple cURL call to test your connection might look like this:
curl -H "Authorization: Bearer YOUR_TOKEN" https://deskwoot.com/api/v1/
If the token is valid, the API returns a successful response. If not, you get an authentication error.
What are the best practices?
- Grant the least access needed. Assign each token only the permissions it requires. Avoid creating tokens with full admin access unless you genuinely need it.
- Rotate tokens regularly. Periodically revoke old tokens and generate new ones, especially when team members change roles or leave.
- Store tokens securely. Keep tokens in environment variables or a secrets manager. Never hard-code them in client-side code or commit them to version control.
- Use descriptive names. Naming tokens after the integration or environment they serve makes auditing straightforward.
- Monitor usage. Review your active tokens in Settings > API tokens on a regular basis and delete any that are no longer in use.
How do I troubleshoot token errors?
- 401 Unauthorized: Double-check that the token is copied correctly, has not been revoked, and is included in the header with the Bearer prefix.
- 403 Forbidden: The token may lack the permissions for the endpoint you are calling. Edit or recreate the token with the right access.
- Rate limiting: If you receive rate-limit errors, reduce how often you call the API or add exponential back-off to your code.
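An added example (not Deskwoot's own code) that combines the storage advice with the troubleshooting items above: a Python client that reads the token from an environment variable, stops immediately on 401 and 403, and backs off exponentially when rate limited. The variable name DESKWOOT_API_TOKEN, the function names, and the use of HTTP 429 as the rate-limit status are assumptions; this guide does not specify them.

```python
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://deskwoot.com/api/v1/"  # base URL from this guide


def load_token(env=os.environ, name="DESKWOOT_API_TOKEN"):  # name is an assumption
    """Read the token from the environment instead of hard-coding it."""
    token = env.get(name, "").strip()
    if not token:
        raise RuntimeError(f"{name} is not set")
    return token


def http_get(url, token):
    """Send one GET with the Bearer header and return the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def call_api(token, url=BASE_URL, send=http_get, sleep=time.sleep, max_tries=5):
    """Fail fast on token errors; retry with exponential back-off on rate limits."""
    delay = 1.0
    for attempt in range(1, max_tries + 1):
        status = send(url, token)
        if status == 401:
            # Retrying cannot fix a mistyped, revoked or badly prefixed token.
            raise PermissionError("401: check token value, revocation, Bearer prefix")
        if status == 403:
            raise PermissionError("403: token lacks permission for this endpoint")
        if status != 429:  # assumed rate-limit status; the guide does not name one
            return status
        if attempt < max_tries:
            sleep(delay)  # waits 1s, 2s, 4s, ... between attempts
            delay *= 2
    raise RuntimeError("still rate limited after retries")


if __name__ == "__main__":
    print(call_api(load_token()))
```

The error messages never include the token itself, so they are safe to write to logs.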
Frequently asked questions
Is the REST API available on all plans?
No. The REST API is an Enterprise feature, and it is also available during the 7-day Enterprise trial. Lower paid plans do not include it.
Can I create multiple API tokens?
Yes. You can generate as many tokens as you need. Creating a separate token for each integration or environment is recommended, so you can revoke one without affecting the others.
What happens if my token is compromised?
Go to Settings > API tokens immediately, revoke the compromised token, and generate a new one. Update any services that relied on the old token.
What if I want an AI agent to use the helpdesk instead?
If you want an external AI agent to operate Deskwoot rather than building your own integration, look at the MCP server. It is also an Enterprise feature and uses scoped bot tokens.