API keys allow external tools, integrations, and custom-built applications to securely connect to your account and access your data. This article covers how to create and manage two types of API keys: Personal Access Tokens and Service Account Keys, including when to use each and how to stay within API rate limits. For OAuth2 integration setup, see Getting Started with OAuth2.
Personal Access Tokens - Any user of the app can create a Personal Access Token, and it operates under the user context and permissions of the user creating it. Intended for casual/entry level developer users.
Service Account Keys - Only admins can create a Service Account Key, as it grants admin access to all of the API. Intended for first-party integrations. Third-party integrations should use the OAuth2 Access Code flow. PAT/SAK quotas are not adjustable. Click here for our developer article on PAT/SAK quotas.
How to Create an API Key
- Click your profile icon and select Settings in the menu.
- Scroll down and select API settings from the list
If you are a user of Max Classic, click on the profile icon in the top toolbar, and then click on API Settings.
At the top of your screen, select from the following options:
Third-Party Authorizations - view and manage your previously created API keys
Personal Access Tokens - Any user of the app can create a personal access token, but it operates under the user context of the user creating it, with that user's visibility and editing permissions. Intended for casual/entry level developers, developers who want to play around with the API, or developers who want a simple authentication experience scoped to a single user and are less concerned about security.
Service Account Keys - Only admins can create a service account key as it will grant admin access to all of your stored data. Intended to help you integrate your other business systems with our API.
- Click on New Token if you've selected Personal Access Tokens, or New Key if you've selected Service Account Keys.
- In the window that appears, give the token a descriptive name to distinguish it from other tokens you have created previously or will create in the future. Once you've named your token, click on Create and your unique token will be generated.
Your token will appear on the next screen. Click on the Copy button to copy the unique code to your clipboard. Then, paste it somewhere safe. Once you close this window, you will never be able to view or regenerate this code again. Do not share this token; treat it as a sensitive secret. In the wrong hands this code can give access to your entire account. Never commit it to a source code repository or deploy it alongside your application code. It is effectively a “password” for your own personal authorization to access data on your behalf.
How to Make API Calls With Your Key
Once you have copied and saved your key, use the following endpoint to make API calls against the full API. Include your key in the request header exactly as shown below.
URI: https://api.infusionsoft.com
Headers: "X-Keap-API-Key": "ProvideYourKeyHere"
Replace ProvideYourKeyHere with your actual Personal Access Token or Service Account Key. Treat your key as a password — never commit it to a source code repository or deploy it alongside your application code, as it grants access to your account data on your behalf.
Quotas and Throttles
Both Personal Access Tokens and Service Account Keys are subject to the following rate limits, which cannot be adjusted:
- 10 queries per second
- 240 queries per minute
- 30,000 queries per day
If your integration exceeds any of these limits, API requests will be throttled until the limit resets. Design your integration to stay within these thresholds to avoid unexpected interruptions in service.
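As an added example (not part of this article or Keap's own tooling), the following Python client sends the X-Keap-API-Key header described above while reading the key from an environment variable instead of source code, and it enforces the three fixed quotas on the client side so an integration never has to discover the throttle the hard way. The QuotaGate class, the KEAP_API_KEY variable name and the call_api helper are assumptions for illustration; the base URI, header name and limits are taken from the article.

```python
import os
import time
import urllib.request
from collections import deque

API_BASE = "https://api.infusionsoft.com"
# Fixed, non-adjustable quotas from the article: (max calls, window in seconds).
LIMITS = ((10, 1.0), (240, 60.0), (30_000, 86_400.0))


class QuotaGate:
    """Client-side limiter: tells the caller how long to wait so that
    no window (second, minute, day) is exceeded. Clock is injectable for tests."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.sent = deque()  # timestamps of calls already made, oldest first

    def _prune(self, now):
        longest = max(window for _, window in self.limits)
        while self.sent and now - self.sent[0] >= longest:
            self.sent.popleft()

    def wait_time(self):
        """Seconds to wait before the next call stays inside every limit (0.0 if ok now)."""
        now = self.clock()
        self._prune(now)
        delay = 0.0
        for count, window in self.limits:
            recent = [t for t in self.sent if now - t < window]
            if len(recent) >= count:
                # The count-th most recent call must age out of the window first.
                delay = max(delay, recent[-count] + window - now)
        return delay

    def record(self):
        self.sent.append(self.clock())


def auth_headers(key=None, env_var="KEAP_API_KEY"):
    """Build the auth header; the PAT/SAK comes from the environment (constructed
    variable name), so it is never committed alongside the application code."""
    key = key or os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"set {env_var} to your Personal Access Token or Service Account Key")
    return {"X-Keap-API-Key": key, "Accept": "application/json"}


def call_api(path, gate, timeout=10):
    """GET a path against the API, sleeping first if a quota window is full."""
    delay = gate.wait_time()
    if delay > 0:
        time.sleep(delay)
    req = urllib.request.Request(API_BASE + path, headers=auth_headers())
    gate.record()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()
```

Share one QuotaGate across every thread or worker that uses the same key, since the limits apply per key, not per process.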
FAQ
Are legacy API keys still supported? Legacy API keys were disabled on October 31, 2024 and can no longer be used to authenticate API requests. If your integration still relies on a legacy API key, you will need to migrate to OAuth2 to restore access. See Getting Started with OAuth2 for migration instructions.
What is the difference between a Personal Access Token and a Service Account Key? A Personal Access Token operates under the permissions of the user who created it, meaning it can only access data that user can see and edit. A Service Account Key grants admin-level access to all stored data and can only be created by an account admin. Use a Personal Access Token for single-user or exploratory development, and a Service Account Key for integrating your business systems with the API.
Can I increase my API rate limits? No. Rate limits for both Personal Access Tokens and Service Account Keys are fixed and cannot be adjusted. If your integration requires higher throughput, consider OAuth2, which may better suit your use case. See Getting Started with OAuth2 for more information.
Should I use a Service Account Key or OAuth2 for a third-party integration? Third-party integrations should use the OAuth2 Access Code flow rather than a Service Account Key. Service Account Keys are intended for first-party integrations only. See Getting Started with OAuth2 to get started.
What should I do if I need to revoke or delete a key? To remove a key you are no longer using, navigate to API Settings and click the delete icon on the same row as the key you want to remove. You will be prompted to confirm before the key is deleted. Removing unused keys is recommended to prevent unauthorized access to your account. Note that deletion may take several minutes to fully propagate.
What happens if I lose or forget to copy my key? Once you close the window after creating a key, the key cannot be retrieved or regenerated. If you lose access to your key, delete the existing key from API Settings and create a new one.