Security update on the platform to restrict unauthorized access to certain APIs via the Request Method

As a trusted developer platform, we are taking some security measures to limit the opportunities for unauthorized access via apps that run on our platform.

As a first, temporary step for the foreseeable future, the following APIs are restricted from use with the Request Method feature of our platform, effective immediately. These APIs remain accessible if you use any other HTTP library within the app.

Please also take a look at the official announcement for this change.

List of restricted APIs

| Product | API Endpoint | HTTP Method | Documentation Link |
| --- | --- | --- | --- |
| Freshdesk | /api/v2/agents/[id] | PUT/DELETE | https://developer.freshdesk.com/api/#update_agent, https://developer.freshdesk.com/api/#delete_agent |
| Freshdesk | /api/v2/agents/ | POST | https://developer.freshdesk.com/api/#create_agent |
| Freshdesk | /api/v2/agents/bulk | POST | https://developer.freshdesk.com/api/#create_multiple_agents |
| Freshdesk | /api/v2/contacts/[id]/make_agent | POST | https://developer.freshdesk.com/api/#make_agent |
| Freshdesk | /api/v2/admin/groups | POST/PUT | https://developer.freshdesk.com/api/#create_admin_group, https://developer.freshdesk.com/api/#update_admin_group |
| Freshservice | /itil/requesters/[id] | PUT/DELETE | https://api.freshservice.com/#update_user |
| Freshservice | /api/v2/requesters/[id] | PUT/DELETE | https://api.freshservice.com/v2/#update_a_requester, https://api.freshservice.com/v2/#deactivate_a_requester |
| Freshservice | /api/v2/requesters/[id]/forget | DELETE | https://api.freshservice.com/v2/#forget_a_requester |
| Freshservice | /api/v2/requesters/[id]/convert_to_agent | PUT | https://api.freshservice.com/v2/#convert_to_agent |
| Freshservice | /api/v2/agents | POST | https://api.freshservice.com/v2/#create_an_agent |
| Freshservice | /api/v2/agents/[id] | PUT/DELETE | https://api.freshservice.com/v2/#update_an_agent, https://api.freshservice.com/v2/#delete_an_agent |
| Freshservice | /api/v2/agents/[id]/forget | DELETE | https://api.freshservice.com/v2/#forget_an_agent |
| Freshservice | /api/v2/agents/[id]/reactivate | PUT | https://api.freshservice.com/v2/#reactivate_an_agent |
| Freshservice | /api/v2/agents/[id]/convert_to_requester | PUT | https://api.freshservice.com/v2/#convert_an_agent_to_requester |
| Freshservice | /api/v2/requester_groups/[id] | DELETE | https://api.freshservice.com/v2/#delete_a_requester_group |
| Freshservice | /api/v2/requester_groups/[id]/members/[requester_id] | POST/DELETE | https://api.freshservice.com/v2/#add_member_to_requester_group, https://api.freshservice.com/v2/#delete_member_from_requester_group |
| Freshservice | /api/v2/groups/[id] | PUT/DELETE | https://api.freshservice.com/v2/#update_a_group, https://api.freshservice.com/v2/#delete_a_group |
| Freshcaller | /api/v1/users/[id] | PUT | https://developer.freshcaller.com/api/#update_user_information |
| Freshchat | /v2/agents/[agent_id] | PUT | https://developers.freshchat.com/api/#update_agent_information |
| Freshchat | /v2/agents/[agent_id] | DELETE | - |
| Freshchat | /v2/agents/[agent_id] | PATCH | - |
| Freshchat | /v2/agents | POST | - |

FAQs

1. How does it affect my app?

If your app uses any of the restricted APIs and invokes them via the Request Method, those calls will no longer succeed: they will return an error with status code 403 and the message “URL not allowed”. If you are affected, please jump to question #4.

2. Will the API endpoint continue to work?

Yes, the API endpoints of the respective products will continue to work. They are only restricted for use from within an app through the Request Method feature of our developer platform.

3. How can I check if I use any of the restricted APIs in my apps?

Revisit the app source code and search for any use of the listed APIs.
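One way to do that search, as an added example that is not Freshworks' own tooling: the Node.js script below scans app source for Request Method calls whose HTTP method and URL path fall in the table above. It assumes the Request Method is invoked as client.request.<method>(url, ...) in front-end code and $request.<method>(url, ...) in serverless code, and that the URL is a string or template literal at the call site.

```javascript
// Added example (not from the announcement): scan app source for Request Method calls to restricted endpoints.
const RESTRICTED = [
  'Freshdesk PUT,DELETE /api/v2/agents/[id]',
  'Freshdesk POST /api/v2/agents/',
  'Freshdesk POST /api/v2/agents/bulk',
  'Freshdesk POST /api/v2/contacts/[id]/make_agent',
  'Freshdesk POST,PUT /api/v2/admin/groups',
  'Freshservice PUT,DELETE /itil/requesters/[id]',
  'Freshservice PUT,DELETE /api/v2/requesters/[id]',
  'Freshservice DELETE /api/v2/requesters/[id]/forget',
  'Freshservice PUT /api/v2/requesters/[id]/convert_to_agent',
  'Freshservice POST /api/v2/agents',
  'Freshservice PUT,DELETE /api/v2/agents/[id]',
  'Freshservice DELETE /api/v2/agents/[id]/forget',
  'Freshservice PUT /api/v2/agents/[id]/reactivate',
  'Freshservice PUT /api/v2/agents/[id]/convert_to_requester',
  'Freshservice DELETE /api/v2/requester_groups/[id]',
  'Freshservice POST,DELETE /api/v2/requester_groups/[id]/members/[requester_id]',
  'Freshservice PUT,DELETE /api/v2/groups/[id]',
  'Freshcaller PUT /api/v1/users/[id]',
  'Freshchat PUT,DELETE,PATCH /v2/agents/[agent_id]',
  'Freshchat POST /v2/agents',
].map((line) => {
  const [product, methods, template] = line.split(' ');
  // "[id]" placeholders match one path segment ("${id}" in a template literal counts); the lookbehind stops "/v2/agents" matching inside "/api/v2/agents".
  const body = template.replace(/\/$/, '').split('/').map((seg) => (/^\[.*\]$/.test(seg)
    ? '[^/?#\'"`]+' : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))).join('/');
  return { product, methods: methods.split(','), re: new RegExp('(?<!/[\\w-]+)' + body + '/?(?:[?#]|$)') };
});
// First argument must be a quoted or template-literal URL; URLs held in variables are not seen.
const CALL_RE = /(?:client\.request|\$request)\.(get|post|put|patch|delete)\(\s*(['"`])(.*?)\2/g;
function findRestrictedCalls(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(CALL_RE)) {
      const method = m[1].toUpperCase();
      RESTRICTED.filter((r) => r.methods.includes(method) && r.re.test(m[3]))
        .forEach((r) => findings.push({ line: idx + 1, product: r.product, method, url: m[3] }));
    }
  });
  return findings;
}
// Constructed sample of app code (not from any real app): only lines 2 and 3 use restricted calls.
const SAMPLE_SOURCE = [
  'client.request.get(`https://${domain}.freshdesk.com/api/v2/agents/${agentId}`, opts);',
  'client.request.delete(`https://${domain}.freshdesk.com/api/v2/agents/${agentId}`, opts);',
  '$request.post("https://acme.freshservice.com/api/v2/requester_groups/12/members/99", opts);',
  '$request.post("https://acme.freshdesk.com/api/v2/tickets", opts);',
].join('\n');
console.log(findRestrictedCalls(SAMPLE_SOURCE));
```

A path such as /api/v2/agents/[id] is restricted for both Freshdesk and Freshservice, so a single call can produce one finding per product; treat every finding as a call to review.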

4. What should I do if I use one of the restricted APIs in production applications?

We urge you to update the app so that it either does not use the Request Method to make these API calls or solves your use case without these APIs.

5. Are there any alternative APIs available in lieu of these restricted APIs?

In the majority of use cases, where the app works in the agent’s context, you are unlikely to need these APIs. If you do have a valid use case for them within an agent’s context, please contact us to find alternative ways to achieve it.

6. How much time do I have to update my apps to not make use of the restricted APIs via the Request Method?

This change is effective immediately, so any necessary action needs to be taken immediately. We are actively tracking the affected apps ourselves to understand whether there is any unexpected impact.

7. Are custom apps affected by this change?

Yes, all kinds of apps for all products are affected by this change if they access the restricted APIs in the way described above.

8. Will this change affect Serverless apps?

Yes, all kinds of apps are affected by this change as long as they use the restricted APIs through the Request Method. If your use case is expected to run in an admin’s context to access these APIs, please contact us to find alternative solutions.

9. Does it affect my app only if I use the Request API?

Yes, if the Request Method is not used to access any of the mentioned APIs, the app will continue to work as expected.

10. What happens if I used the restricted APIs from an external system and not a Freshworks app?

This change does not affect access to the mentioned APIs from any external system; it applies only to Freshworks apps under the conditions mentioned above.

11. I can’t change this API as it is critical to my app’s use case. What shall I do?

Please contact us to find an alternative solution for the use case of your app.

12. I need help updating my app to move away from these APIs. What can I do?

Please contact us to find an alternative solution for the use case of your app.

How to contact us for help?

  • Please send out an email to marketplace@freshworks.com to get help from one of the platform engineers and developer relations engineers.
  • Block a time in our calendar to talk with one of the developer relations engineers to get help over a call.