diff --git a/main/apiauth.py b/main/apiauth.py
new file mode 100644
index 0000000..96da5a0
--- /dev/null
+++ b/main/apiauth.py
@@ -0,0 +1,37 @@
+import os
+
+from zenpy import Zenpy
+
+
+def api_auth():
+    credentials = {
+        'subdomain': 'ngenix1612197338'
+    }
+    email = os.getenv('ACCESS_CONTROLLER_API_EMAIL')
+    token = os.getenv('ACCESS_CONTROLLER_API_TOKEN')
+    password = os.getenv('ACCESS_CONTROLLER_API_PASSWORD')
+
+    if email is None:
+        raise ValueError('access_controller email not in env')
+    credentials['email'] = os.getenv('ACCESS_CONTROLLER_API_EMAIL')
+
+    # prefer token, use password if token not provided
+    if token is not None:
+        credentials['token'] = token
+    else:
+        if password is None:
+            raise ValueError('access_controller token or password not in env')
+        credentials['password'] = password
+
+    zenpy_client = Zenpy(**credentials)
+    zenpy_user = zenpy_client.users.search(email).values[0]
+
+    user = {
+        'id': zenpy_user.id,
+        'name': zenpy_user.name,  # Zendesk doesn't have separate first and last name fields
+        'email': zenpy_user.email,
+        'role': zenpy_user.role,  # str like 'admin' or 'agent', not id
+        'photo': zenpy_user.photo['content_url'] if zenpy_user.photo is not None else None,
+    }
+
+    return user