In the API controller there is a method, authorise, which checks if the token provided is valid. The code does a regular expression match:
preg_match('/Token token="([a-z0-9]+)"/', $tokenString
The tokens I repeatedly generated in Zendesk contain both uppercase and lowercase letters. I don't understand in the current code how it would work for anyone unless they were lucky enough to get a token containing only lowercase letters.
The expression should be modified as such: /Token token="([a-zA-Z0-9]+)"/
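
The two patterns from the report, run side by side over sample headers; this is an added example, not part of the original report and not the project's code. The header strings, the expected token, and the `extractToken`/`authorise` helpers (including the `hash_equals` comparison) are assumptions made for illustration.

```php
<?php
// Added example. All header values and the expected token are constructed.

const ORIGINAL_PATTERN = '/Token token="([a-z0-9]+)"/';    // as quoted in the report
const PROPOSED_PATTERN = '/Token token="([a-zA-Z0-9]+)"/'; // as proposed in the report

/** Return the captured token, or null when the pattern does not match. */
function extractToken(string $pattern, string $tokenString): ?string
{
    return preg_match($pattern, $tokenString, $matches) === 1 ? $matches[1] : null;
}

/** Hypothetical authorise step: extract the token, then compare in constant time. */
function authorise(string $pattern, string $tokenString, string $expected): bool
{
    $token = extractToken($pattern, $tokenString);
    return $token !== null && hash_equals($expected, $token);
}

$expected = 'aB3dE6gH9jK2'; // constructed mixed-case token

$headers = [
    'lowercase only' => 'Token token="ab3de6gh9jk2"',
    'mixed case'     => 'Token token="aB3dE6gH9jK2"',
    'wrong token'    => 'Token token="zZ9zZ9zZ9zZ9"',
];

foreach ($headers as $label => $header) {
    // The closing quote must follow the character class directly, so the
    // original pattern fails outright on the first uppercase letter rather
    // than capturing a lowercase prefix.
    printf(
        "%-15s original=%-14s proposed=%-14s authorised(original)=%s authorised(proposed)=%s\n",
        $label,
        var_export(extractToken(ORIGINAL_PATTERN, $header), true),
        var_export(extractToken(PROPOSED_PATTERN, $header), true),
        var_export(authorise(ORIGINAL_PATTERN, $header, $expected), true),
        var_export(authorise(PROPOSED_PATTERN, $header, $expected), true)
    );
}
```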