Authenticate

Learn how to authenticate requests to Klaviyo's two sets of endpoints.

All /api endpoints use API private keys to authenticate requests. If you do not use an API key for your requests, or if you use a key from the wrong account, your call will return an error. A 400 error indicates an invalid or missing API key.

Please refer to this guide for more details on how to generate private keys and use API key scopes.

All /client endpoints use a public API key: your 6-character company ID, also known as a site ID.

Private key authentication

Private key authentication for /api endpoints is performed by setting the following request header:

Authorization: Klaviyo-API-Key {your-private-api-key}
curl --request GET \
     --url https://a.klaviyo.com/api/{endpoint}/ \
     --header 'Authorization: Klaviyo-API-Key {your-private-api-key}' \
     --header 'accept: application/json' \
     --header 'revision: {revision-header}'

🚧

For your account's security, we strongly recommend never using a private API key with the Client endpoints.