Authenticate
Learn how to authenticate requests to Klaviyo's two sets of endpoints.
All /api endpoints use API private keys to authenticate requests. If you do not use an API key for your requests, or if you use a key from the wrong account, your call will return an error. A 400 error indicates an invalid or missing API key.
Please refer to this guide for more details on how to generate private keys and use API key scopes.
All /client endpoints use a public API key: your 6-character company ID, also known as a site ID.
If you are a tech partner integrating with Klaviyo, we recommend using OAuth to authenticate your app. OAuth offers multiple benefits over a private key integration, including security, usability, and improved rate limits. Check out our guide on setting up OAuth for more information.
Private key authentication
Private key authentication for /api endpoints is performed by setting the following request header:
Authorization: Klaviyo-API-Key your-private-api-key
curl --request GET \
--url https://a.klaviyo.com/api/{endpoint}/ \
--header 'Authorization: Klaviyo-API-Key your-private-api-key' \
--header 'accept: application/json' \
--header 'revision: 2023-12-15'
For your account's security, we strongly recommend never using a private API key with the Client endpoints.
Public key authentication
Client-side API calls only require a public API key, also known as a company_id, for authentication:
curl --request POST \
--url 'https://a.klaviyo.com/client/subscriptions/?company_id=PUBLIC_API_KEY' \
--header 'content-type: application/json' \
--header 'revision: 2023-12-15' \
--data '
...
Updated 6 months ago