One of the biggest feature requests for Zendesk Messaging is a way to link authenticated Messaging users to existing end-user profiles in Zendesk.

Currently, when a user interacts with the Zendesk Messaging Widget and we ask for an email address, that conversation is linked to their existing profile and the agent sees both the messaging conversation and the existing email threads in one overview.

However, when we authenticate a user in Zendesk Messaging via JWT, that same interaction will create a new profile in Zendesk for that user, regardless of an existing user with that email already available in Zendesk. The only way to currently make sure both are matched, is by making sure the external_id matches.

If you look at the Zendesk Community or at my own blog you'll notice that this let to a lot of confusion, frustration and duplicate users.

This week Zendesk finally addressed this issue and fixed it by writing one of the most complex support articles I've ever seen:

Using email identities to authenticate end users for messaging

What’s my plan? Zendesk identities are unique, which means the email identity owned by one user can’t simultaneously be owned by another user. This article explains what email identities are…

Zendesk helpAndrew Lavers

Be careful what you wish for...

Before we dive into this new release, let me tell you what it's not:

It is not a simple way to link authenticated Zendesk users to existing end-users based on email.

So for those who hoped to be able to authenticate users and.. have the conversations show up in their profiles, well, there's more to it than just that.

Instead Zendesk starts from the concept of a Verified Email Identity. This verified status means agents can trust that the user they're talking to is the actual user and not an impersonation.

Starting from this status we can then map the scenarios and up with users linked against their existing profiles, or not.

How Messaging used to work

For unauthenticated users:

• If an email in an unauthenticated Messaging conversation matches an existing profile, the conversation will be added to that profile.
• If an email in an unauthenticated Messaging conversation does not exist, a profile with that email is created.

For authenticated users:

• If an external_id in an authenticated Messaging conversation matches an existing profile's id, the conversation will be added to that profile.
• If an external_id in an authenticated Messaging conversation does not exist, a profile with that id is created, but no email linked

What we all wanted is to have an authenticated user that matches in email to an existing profile, to just match that profile and have the email available in the profile.

However this could lead to a security risk. Imagine I'm interacting with Zendesk as an authenticated end-user and the conversation is linked to my profile. Then, an unauthenticated user who impersonates me starts a conversation in Messaging with my email address. Currently, that conversation is linked to my existing profile, and it's not clear for the agent if I'm really me.

So, instead of just linking (un)authenticate accounts based on email, Zendesk took it one step further and updated the way email identities are handled in a more holistic way.

The new flow

When you go to the Admin Center > Messaging > Settings you will see a new advanced section that handles email identities.

By default, any new Zendesk instance will have its configuration set to "Use only verified emails". This is the new setup that will allow for linking Messaging and existing users.

Existing instances however will have the settings set to "Use both verified and unverified emails" and "Unauthenticated users can claim verified emails". This one is the experience we're used to, where unauthenticated messaging users who enter an email of an existing user, will see it's conversation added to that profile.

How it will work from now on

In short the new flow starts from the concept of verified email users. A verified email user is a user that is authenticated via JWT in Messaging and has a matching user in Zendesk.

The idea is that if you're known and verified, your conversation gets linked to your user in Zendesk and the agent knows your trusted. In all other scenario's you can talk to an agent, but it's up to an agent (or your policies) to trust the user and if so, merge the conversation and user into the "real" account, if there's one.

In short:

• Authenticated and verified users have their conversation linked to their profile in Zendesk and a verified email will be added to the profile and the conversation will get a green checkbox. ✅
• In all other scenarios Zendesk will create a new user profile with the users' name and no email address linked to their user.

However, there's a lot more to it, and there's actually around 48 different flows I was able to map (for now..)

Read on to get the full overview of the new options!

Flow Chart

Below you can find a flow chart with the available options.

You'll notice that the authenticated branch does not take the options for unverified and claiming existing accounts into account. This is because the options in the admin panel only affect unverified and unauthenticated flows.

Email identity options.

'Use only verified emails'-option selected

This option is the new default for all new Zendesk instances, and is the one that should be enabled if you want to make sure that the person you're talking too is actually the owner of the email or account they entered.

In essence it works as follows:

Or, if we want to run through the scenario's:

Both unverified an verified option selected

This option creates a bit of nuance and is less strict.

Unauthenticated uses can claim verified profiles

And finally we end up with the least secure option.

How it will look for agents

How to handle this

So, if you want to link authenticated users to existing profiles in Zendesk you basically still need to make sure that the external_id of your user matches the Zendesk user. If your users do not have external_id's, you still can't match logged in accounts to existing accounts.

Mapping users

So there's a few approaches here.

1. You can go for a Messaging first approach. You assume most users will interact with your customer care team over Messaging for the first time, and if you implement an authenticated flow you will create verified email profiles with the correct external_id from the get go for each user.
   When, or if, those users ever email you, the communication will be linked to their profiles correctly.
2. If you already have a large user database in Zendesk it's best to import your user database with their UUID and update your users. This way you're sure the external_id and email are there before a user ever logs into messaging again, and they'll be matched correctly.
3. Or, you could cut your losses and live with the fact that new profiles will be created, while being sure those users are authenticated and verified.

Verified only

Aside from preventing multiple user profiles being created for your users, the other side of this coin, is the reason you want users to authenticate. Authentication is not just about pre-filling an email address, but it's about knowing for sure that the person talking to you is the actual person.

If we take this as a basis, I strongly recommend going with the new Verified only configuration.

But, since this goes against years of habits and most customer profiles are unverified, the following approach might work:

• Configure your account to allow both verified and unverified accounts (for now)
• Run an import of your existing users with their external IDs.
• Push customers towards verifying their accounts by linking to the Customer Portal section of your Help Center in your emails. Each time a customer logs in, they will verify their email
• Regularly check this API endpoint to see how many unverified users you still have. If the number is low enough, toggle the verified only setup.

api/v2/search.json?query=is_verified:false

Bonus

I've updated my Messaging Authentication demo and article to include the new email_verified = true payload.

Authenticate Zendesk Messaging

Zendesk recently added the ability to authenticate users in the Zendesk Messaging Web and Mobile SDK. This article shows how to set it up with sample code.

Internal NoteThomas Verschoren

var payload;

payload = JSON.stringify({
    scope: "user",
    exp: Math.floor(new Date().getTime() / 1000.0) + 86400,
    name: json.user_name,
    email: json.user_email,
    external_id: "user_" + json.user_external_id,
    email_verified: true
});