Authenticate

Learn how to authenticate requests to Klaviyo's two sets of endpoints.

API keys are always required to authenticate API requests. If you do not use an API key for your requests, or if you use a key from the wrong account, your call will return an error. A 400 error indicates an invalid or missing API key.

Track and Identify APIs

These APIs do not adhere to REST principles. Authenticate to these APIs using your public API key. The public key must be set as the token key in the base64-encoded payload of your request. For more details, see Track & Identify.

🚧

For your account's security, we strongly recommend never using a private API key with the Track and Identify APIs.

curl --request POST \
     --url 'https://a.klaviyo.com/api/track' \
     --header 'Accept: text/html' \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data 'data={"token": "PUBLIC_KEY"}'

RESTful API

The RESTful APIs use private API keys. Your private API key is passed using the query parameter api_key with each request.

curl --request POST \
     --url 'https://a.klaviyo.com/api/v2/lists?api_key=PRIVATE_KEY' \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data list_name=ListName

Check out the API overview to learn more about how these two core sets of APIs differ.


Did this page help you?