Getting Started with OAuth2

Keap uses OAuth2 to secure calls to our APIs. Two grant types are involved: the Authorization Code grant (asking a user for permission to access their data) and the Refresh Token grant (obtaining a new token pair as the old one expires, with the refresh token rotated on every use).

To make calls against the Keap APIs you will need to first obtain an Access Token by requesting authorization then trading in the resulting code.  You will receive a Refresh Token at that same time, allowing you to create a new Access Token/Refresh Token pair as they expire.

Authorization Request

The first step in the OAuth flow is to redirect the user to Keap in order to authorize your application for access. The URL you generate here is where you first send your user in order for them to log in and continue the OAuth flow.

Once the user has logged into their Keap account and authorized your application, they will be redirected back to your application at your specified redirect_uri with a code URL parameter that is used to request an access token.

Redirect users to https://accounts.infusionsoft.com/app/oauth/authorize along with the required parameters in order to start the OAuth exchange.

Query Parameter (Type): Usage/Values

client_id (string): Application client ID. Found in the developer portal.

redirect_uri (string): The callback URL that Keap redirects the user back to after authorization (must be HTTPS). Users will not be redirected to any other URL during the authentication process, so use a URL the user can reach and that runs code to capture the authorization code.

response_type (string): The desired response type, as per the OAuth 2.0 spec. The only current valid value is response_type=code. Defaults to code.

scope (string): The scopes required by your application. The only current valid value is scope=full. Defaults to full.

Access Token Request

The access_token is the token you will use to authenticate requests to the Keap API, and it expires after the time in the expires_in field (in seconds). In order to get a new valid access token after one has expired, you must use the refresh_token to request a new access token.

Using the code URL parameter returned from the authorization callback, your application can request an access token and refresh token from Keap.

Requesting an access token requires you to POST to https://api.infusionsoft.com/token

Note: The content type should be set to application/x-www-form-urlencoded.

POST Body Parameter (Type): Usage/Values

client_id (string): Your application's client ID. Found in the developer portal.

client_secret (string): Your application's client secret. Found in the developer portal.

code (string): The code returned when the user was redirected back to your application.

grant_type (string): The desired grant type, as per the OAuth 2.0 spec. The only current valid value is grant_type=authorization_code. Defaults to authorization_code.

redirect_uri (string): The redirect URL from the original authorization request.

Refresh Request

Provides a new access_token that you will use to authenticate subsequent requests to the Keap API. Like the originally granted token, it expires after the number of seconds in the expires_in field. The response also contains a new refresh_token; you must use that one, not the one you just submitted, for the next refresh, so store the new refresh token every time you request and store a new access token.

After your access token expires, use the refresh token that was provided alongside it to request a new access token.

Note: Once a Refresh Token is used to obtain a new Access Token, a new Refresh Token is returned as well and must be persisted in order to request the next access token. Write both tokens to storage together as soon as the response arrives: if the new refresh token is lost, you are left with neither a usable access token nor a way to get one, and the user has to authorize the application again.

Refreshing an access token requires you to POST to https://api.infusionsoft.com/token

Note: The content type should be set to application/x-www-form-urlencoded.

POST Body Parameter (Type): Usage/Values

grant_type (string): The desired grant type, as per the OAuth 2.0 spec. The only current valid value is grant_type=refresh_token. Defaults to refresh_token.

refresh_token (string): The refresh token provided when the most recent access_token was granted.

Header: Authorization (string): The word “Basic ” (with a trailing space) followed by the base64 encoding of your client_id, a colon, and your client_secret, passed in the Authorization header rather than in the POST body. Example pseudo code: "Basic " + base64_encode(CLIENT_ID + ':' + CLIENT_SECRET)

Making API Requests

The base URLs for our APIs are https://api.infusionsoft.com/crm/rest/v1 (REST) and https://api.infusionsoft.com/crm/xmlrpc/v1 (XML-RPC).

Header Parameter (Type): Usage/Values

Header: Authorization (string): The word “Bearer ” (with a trailing space) followed by your current Access Token, passed in the Authorization header. Example: Bearer 123abc
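The whole flow on this page, from building the authorization URL through the code exchange, a refresh with token rotation, and the Bearer header for API calls, as an added Python example. This is illustration written for this page, not Keap's SDK or code from the original documentation. It assumes: that a `state` parameter (standard OAuth 2.0, not listed in the parameter table above) is accepted by the authorize endpoint and echoed back on the redirect; that the token endpoint returns JSON containing `access_token`, `refresh_token` and `expires_in`; and an injected HTTP transport, so a constructed `FakeTokenServer` stands in for https://api.infusionsoft.com/token and models single-use refresh tokens. Client ID, secret, redirect URI and token values are made up.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://accounts.infusionsoft.com/app/oauth/authorize"
TOKEN_URL = "https://api.infusionsoft.com/token"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the URL the user is sent to. redirect_uri must be HTTPS."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must be HTTPS")
    # `state` is the standard OAuth 2.0 anti-CSRF value (assumed; not in the table above).
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "full", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull `code` off the redirect, refusing it if `state` is wrong."""
    qs = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: discarding authorization code")
    if not qs.get("code"):
        raise ValueError("callback carried no authorization code")
    return qs["code"][0]


class KeapOAuthClient:
    """Current token pair plus the two token-endpoint grants. `post(url, body,
    headers) -> dict` is an injected transport (wrap requests.post().json() in
    production); `store` is any dict-like that persists the LATEST pair."""

    def __init__(self, client_id, client_secret, redirect_uri, post, store):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.post, self.store = redirect_uri, post, store

    def exchange_code(self, code):
        """Authorization Code grant: client credentials travel in the form body."""
        body = {"client_id": self.client_id, "client_secret": self.client_secret,
                "code": code, "grant_type": "authorization_code",
                "redirect_uri": self.redirect_uri}
        return self._save(self.post(TOKEN_URL, urlencode(body), dict(FORM)))

    def refresh(self):
        """Refresh Token grant: client credentials travel in a Basic header."""
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = dict(FORM, Authorization="Basic " + creds)
        body = {"grant_type": "refresh_token",
                "refresh_token": self.store["refresh_token"]}
        return self._save(self.post(TOKEN_URL, urlencode(body), headers))

    def _save(self, resp):
        # Rotation: every grant returns a NEW pair; overwrite both, the old refresh token is spent.
        for key in ("access_token", "refresh_token", "expires_in"):
            self.store[key] = resp[key]
        return self.store

    def api_headers(self):
        """Step 3: Bearer header for requests to https://api.infusionsoft.com/crm/rest/v1."""
        return {"Authorization": "Bearer " + self.store["access_token"]}


class FakeTokenServer:
    """Constructed stand-in for the token endpoint so the flow runs offline. It
    models rotation (single-use refresh tokens); it is not Keap's server."""

    def __init__(self):
        self.valid_refresh, self.issued = set(), 0

    def __call__(self, url, body, headers):
        assert url == TOKEN_URL and headers["Content-Type"] == FORM["Content-Type"]
        form = parse_qs(body)
        if form["grant_type"][0] == "refresh_token":
            assert headers["Authorization"].startswith("Basic ")
            rt = form["refresh_token"][0]
            if rt not in self.valid_refresh:
                raise PermissionError("invalid_grant: refresh token already used")
            self.valid_refresh.discard(rt)  # spent
        elif form["grant_type"][0] != "authorization_code":
            raise ValueError("unsupported_grant_type")
        self.issued += 1
        self.valid_refresh.add(f"rt{self.issued}")
        return {"access_token": f"at{self.issued}",
                "refresh_token": f"rt{self.issued}", "expires_in": 86400}

    def is_live(self, refresh_token):
        return refresh_token in self.valid_refresh  # would the server still accept it?


def demo():
    """Whole flow against FakeTokenServer; returns (client, server)."""
    server, store = FakeTokenServer(), {}
    state = secrets.token_urlsafe(16)
    redirect_uri = "https://app.example.com/oauth/callback"
    build_authorize_url("my-client-id", redirect_uri, state)  # send the user here
    code = parse_callback(f"{redirect_uri}?code=abc123&state={state}", state)  # constructed redirect
    client = KeapOAuthClient("my-client-id", "my-secret", redirect_uri, server, store)
    client.exchange_code(code)  # store: at1 / rt1
    client.refresh()            # store: at2 / rt2, and rt1 is now spent
    return client, server
```

Two details carry the security weight. The callback handler rejects any code whose `state` does not match the value generated for this login, so an attacker cannot splice their own authorization code into a victim's session. And `_save` overwrites both tokens from every token response, because after a successful refresh the previous refresh token is spent; the fake server makes that visible by refusing `rt1` once `rt2` has been issued, which is exactly the failure you see in production when a crash or a stale copy of the store causes the old refresh token to be replayed.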