
Authenticate

Learn how to authenticate requests to Klaviyo's two sets of endpoints.

All /api endpoints use API private keys to authenticate requests. If you do not use an API key for your requests, or if you use a key from the wrong account, your call will return an error. A 400 error indicates an invalid or missing API key.

Please refer to this guide for more details on how to generate private keys and use API key scopes.

All /client endpoints use a public API key: your 6-character company ID, also known as a site ID.

📘

If you are a tech partner integrating with Klaviyo, we recommend using OAuth to authenticate your app. OAuth offers multiple benefits over a private key integration, including security, usability, and improved rate limits. Check out our guide on setting up OAuth for more information.

Private key authentication

Private key authentication for /api endpoints is performed by setting the following request header:

Authorization: Klaviyo-API-Key your-private-api-key

curl --request GET \
     --url https://a.klaviyo.com/api/{endpoint}/ \
     --header 'Authorization: Klaviyo-API-Key your-private-api-key' \
     --header 'accept: application/json' \
     --header 'revision: 2023-12-15'

🚧

For your account's security, we strongly recommend never using a private API key with the Client endpoints.

Public key authentication

Client-side API calls only require a public API key, also known as a company_id, for authentication:

curl --request POST \
     --url 'https://a.klaviyo.com/client/subscriptions/?company_id=PUBLIC_API_KEY' \
     --header 'content-type: application/json' \
     --header 'revision: 2023-12-15' \
     --data '
     ...
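
The two authentication schemes above, as an added Python example (not Klaviyo's own code): a helper that attaches the correct credential for each endpoint family and refuses to send a private key to /client endpoints, to another host, or in a URL. The function names, the KLAVIYO_PRIVATE_KEY environment variable name and the sample keys in the test are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
from urllib.request import Request

KLAVIYO_HOST = "a.klaviyo.com"   # host used in the curl examples on this page
REVISION = "2023-12-15"          # revision header value used on this page


def build_request(url, private_key=None, company_id=None, data=None):
    """Return an unsent Request carrying the right credential for the endpoint family."""
    parts = urlsplit(url)
    # Never attach a credential over plain HTTP or to a look-alike host.
    if parts.scheme != "https" or parts.hostname != KLAVIYO_HOST:
        raise ValueError("refusing to attach Klaviyo credentials to " + repr(url))
    query = parse_qsl(parts.query, keep_blank_values=True)
    headers = {"accept": "application/json", "revision": REVISION}

    if parts.path.startswith("/api/"):
        if not private_key:
            raise ValueError("/api endpoints need a private API key")
        # The private key travels only in the Authorization header, never in the URL,
        # where it would end up in proxy and access logs.
        if any(private_key in value for _, value in query):
            raise ValueError("private key must not appear in the query string")
        headers["Authorization"] = "Klaviyo-API-Key " + private_key
    elif parts.path.startswith("/client/"):
        if private_key is not None:
            raise ValueError("private API key must not be used with /client endpoints")
        if company_id is None or len(company_id) != 6:
            raise ValueError("/client endpoints need the 6-character public key")
        # Replace any company_id already present so the URL carries exactly one.
        query = [(k, v) for k, v in query if k != "company_id"]
        query.append(("company_id", company_id))
        headers["content-type"] = "application/json"
    else:
        raise ValueError("unknown endpoint family: " + parts.path)

    return Request(urlunsplit(parts._replace(query=urlencode(query))),
                   data=data, headers=headers)


def private_key_from_env(var="KLAVIYO_PRIVATE_KEY"):
    """Load the private key from the environment (assumed variable name), not from source."""
    key = os.environ.get(var, "").strip()
    if not key:
        raise RuntimeError(var + " is not set")
    return key
```

The returned Request is not sent; pass it to urllib.request.urlopen on the server side once the checks have passed.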