Security update on the platform to restrict unauthorized access to certain APIs via Request Method

As a trusted developer platform, we are taking up some security measures to limit the opportunities for unauthorized access via apps that run on our platform.

As a first temporary step for the foreseeable future, the following APIs are restricted for use with the Request Method feature of our platform effective immediately. However, accessing these APIs will work if you use any other HTTP library within the app.

Please do also take a look at the official announcement for this change.

List of restricted APIs

| Product | API Endpoint | HTTP Method | Documentation Link |
|---|---|---|---|
| Freshdesk | /api/v2/agents/[id] | PUT/DELETE | https://developer.freshdesk.com/api/#update_agent, https://developer.freshdesk.com/api/#delete_agent |
| Freshdesk | /api/v2/agents/ | POST | https://developer.freshdesk.com/api/#create_agent |
| Freshdesk | /api/v2/agents/bulk | POST | https://developer.freshdesk.com/api/#create_multiple_agents |
| Freshdesk | /api/v2/contacts/[id]/make_agent | POST | https://developer.freshdesk.com/api/#make_agent |
| Freshdesk | /api/v2/admin/groups | POST/PUT | https://developer.freshdesk.com/api/#create_admin_group, https://developer.freshdesk.com/api/#update_admin_group |
| Freshservice | /itil/requesters/[id] | PUT/DELETE | https://api.freshservice.com/#update_user |
| Freshservice | /api/v2/requesters/[id] | PUT/DELETE | https://api.freshservice.com/v2/#update_a_requester, https://api.freshservice.com/v2/#deactivate_a_requester |
| Freshservice | /api/v2/requesters/[id]/forget | DELETE | https://api.freshservice.com/v2/#forget_a_requester |
| Freshservice | /api/v2/requesters/[id]/convert_to_agent | PUT | https://api.freshservice.com/v2/#convert_to_agent |
| Freshservice | /api/v2/agents | POST | https://api.freshservice.com/v2/#create_an_agent |
| Freshservice | /api/v2/agents/[id] | PUT/DELETE | https://api.freshservice.com/v2/#update_an_agent, https://api.freshservice.com/v2/#delete_an_agent |
| Freshservice | /api/v2/agents/[id]/forget | DELETE | https://api.freshservice.com/v2/#forget_an_agent |
| Freshservice | /api/v2/agents/[id]/reactivate | PUT | https://api.freshservice.com/v2/#reactivate_an_agent |
| Freshservice | /api/v2/agents/[id]/convert_to_requester | PUT | https://api.freshservice.com/v2/#convert_an_agent_to_requester |
| Freshservice | /api/v2/requester_groups/[id] | DELETE | https://api.freshservice.com/v2/#delete_a_requester_group |
| Freshservice | /api/v2/requester_groups/[id]/members/[requester_id] | POST/DELETE | https://api.freshservice.com/v2/#add_member_to_requester_group, https://api.freshservice.com/v2/#delete_member_from_requester_group |
| Freshservice | /api/v2/groups/[id] | PUT/DELETE | https://api.freshservice.com/v2/#update_a_group, https://api.freshservice.com/v2/#delete_a_group |
| Freshcaller | /api/v1/users/[id] | PUT | https://developer.freshcaller.com/api/#update_user_information |
| Freshchat | /v2/agents/[agent_id] | PUT | https://developers.freshchat.com/api/#update_agent_information |
| Freshchat | /v2/agents/[agent_id] | DELETE | - |
| Freshchat | /v2/agents/[agent_id] | PATCH | - |
| Freshchat | /v2/agents | POST | - |

FAQs

1. How does it affect my app?

If your app invokes any of the restricted APIs via the Request Method, those calls will no longer succeed. They will return an error with status code 403 and the message “URL not allowed”. If you are affected, please jump over to question #4.

2. Will the API endpoint continue to work?

Yes, the API endpoint from the respective products will continue to work. They are only restricted for use from the app through the Request Method feature of our developer platform.

3. How can I check if I use any of the restricted APIs in my apps?

Revisit the app source code and search it to find whether any of the listed APIs are used.

4. What should I do if I use one of the restricted APIs in production applications?

We would urge you to update the app to either not use the Request Method to make these API calls or reconsider solving your use-case without using these APIs.

5. Are there any alternative APIs available in lieu of these restricted APIs?

In a majority of use-cases where the app works in the agent’s context, you are not likely to require using these APIs. If you however have a valid use case to use them within an agent’s context, please contact us to find alternative ways to achieve the use case.

6. How much time do I have to update my apps to not make use of the restricted APIs via the Request Method?

This change has been introduced effective immediately. Any necessary actions will therefore need to be taken immediately. We are actively tracking the affected apps ourselves to understand if there is any unexpected impact.

7. Are custom apps affected by this change?

Yes, all kinds of apps for all the products are affected by this change if the mentioned conditions match with the ways of accessing the restricted APIs.

8. Will this change affect Serverless apps?

Yes, all kinds of apps are affected by this change as long as they use the restricted APIs through the Request Method. If your use case is expected to run in the context of an admin to access this API, please contact us to find alternate solutions.

9. Does it affect my app only if I use the Request API?

Yes, if the Request Method is not used to access any of the mentioned APIs, the app will continue to work as expected.

10. What happens if I used the restricted APIs from an external system and not a Freshworks app?

This change will not affect accessing the mentioned APIs from any external system. This change is introduced only for Freshworks apps with the mentioned conditions.

11. I can’t change this API as it is critical to my app’s use case. What shall I do?

Please contact us to find an alternative solution for the use case of your app.

12. I need help updating my app to move away from these APIs. What can I do?

Please contact us to find an alternative solution for the use case of your app.
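
For question 3, the source search can be scripted. The scanner below is an added example, not Freshworks code: it matches the restricted endpoints from the table against app source lines, and the `client.request` / `$request` calls in the sample are constructed. It deliberately reports every path hit for review and only hints whether a restricted HTTP method appears on the same line.

```javascript
// Added example, not Freshworks code. Rows: "<product> <methods> <endpoint>".
const RULES = `Freshdesk/Freshservice PUT,DELETE /api/v2/agents/[id]
Freshdesk POST /api/v2/agents/
Freshdesk POST /api/v2/agents/bulk
Freshdesk POST /api/v2/contacts/[id]/make_agent
Freshdesk POST,PUT /api/v2/admin/groups
Freshservice PUT,DELETE /itil/requesters/[id]
Freshservice PUT,DELETE /api/v2/requesters/[id]
Freshservice DELETE /api/v2/requesters/[id]/forget
Freshservice PUT /api/v2/requesters/[id]/convert_to_agent
Freshservice POST /api/v2/agents
Freshservice DELETE /api/v2/agents/[id]/forget
Freshservice PUT /api/v2/agents/[id]/reactivate
Freshservice PUT /api/v2/agents/[id]/convert_to_requester
Freshservice DELETE /api/v2/requester_groups/[id]
Freshservice POST,DELETE /api/v2/requester_groups/[id]/members/[requester_id]
Freshservice PUT,DELETE /api/v2/groups/[id]
Freshcaller PUT /api/v1/users/[id]
Freshchat PUT,DELETE,PATCH /v2/agents/[agent_id]
Freshchat POST /v2/agents`.split("\n").map((row) => {
  const [product, methods, path] = row.split(" ");
  // A [placeholder] is one path segment; the endpoint must end at the match.
  const body = path.replace(/\[\w+\]/g, "[\\w.-]+");
  return { product, path, methods: methods.split(","),
           re: new RegExp("(?<!/api)" + body + "(?![\\w/])") };
});
// Collapse dynamic URL parts (${id}, "..." + id + "...", <%= ... %>) to "X".
const normalise = (line) => line.replace(/\$\{[^}]*\}|<%=.*?%>/g, "X")
  .replace(/["'`]\s*\+\s*[\w.$]+\s*(?:\+\s*["'`])?/g, "X");
// One finding per (line, rule) hit; methodOnLine is only a review hint.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((raw, i) => {
    for (const r of RULES) {
      if (!r.re.test(normalise(raw))) continue;
      const verb = new RegExp("\\b(" + r.methods.join("|") + ")\\b", "i");
      findings.push({ line: i + 1, product: r.product, path: r.path,
                      methodOnLine: verb.test(raw) });
    }
  });
  return findings;
}
// Constructed sample app lines, for illustration only.
const SAMPLE = [
  'client.request.get("https://<%= iparam.domain %>/api/v2/agents/" + id, opts);',
  'client.request.put("https://<%= iparam.domain %>/api/v2/agents/" + id, opts);',
  '$request.post(`https://${domain}/api/v2/contacts/${cid}/make_agent`, opts);',
].join("\n");
console.log(scanSource(SAMPLE));
```

A finding with `methodOnLine: false` (such as the GET on the first sample line) usually means the path is used with an unrestricted method, but check it by hand when the URL and the call sit on different lines.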

How to contact us for help?

  • Please send out an email to marketplace@freshworks.com to get help from one of the platform engineers and developer relations engineers.
  • Block a time in our calendar to talk with one of the developer relations engineers to get help over a call.