
Authenticate

Learn how to authenticate requests to Klaviyo endpoints.

Klaviyo provides three methods of authentication:

  • Private key authentication
    All /api endpoints use API private keys to authenticate requests. If you do not use an API key for your requests, or if you use a key from the wrong account, your call will return an error. A 400 error indicates an invalid or missing API key. Please refer to this guide for more details on how to generate private keys and use API key scopes.
  • Public key authentication
    All /client endpoints use a public API key: your 6-character company ID, also known as a site ID.
  • OAuth
    If you are a tech partner integrating with Klaviyo, we recommend using OAuth to authenticate your app. OAuth offers multiple benefits over a private key integration, including security, usability, and improved rate limits. Check out our guide on setting up OAuth.

Private key authentication

Private key authentication for /api endpoints is performed by setting the following request header:

Authorization: Klaviyo-API-Key your-private-api-key

curl --request GET \
     --url https://a.klaviyo.com/api/{endpoint}/ \
     --header 'Authorization: Klaviyo-API-Key your-private-api-key' \
     --header 'accept: application/json' \
     --header 'revision: 2023-12-15'

🚧

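For your account's security, we strongly recommend never using a private API key with the Client endpoints. Client endpoints are called from client-side code, where anything sent with the request, including a key, is visible to the end user.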

Public key authentication

Client-side API calls only require a public API key, also known as a company_id, for authentication:

curl --request POST \
     --url 'https://a.klaviyo.com/client/subscriptions/?company_id=PUBLIC_API_KEY' \
     --header 'content-type: application/json' \
     --header 'revision: 2023-12-15' \
     --data '
     ...
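The two schemes above can be kept apart in code, so that a private key cannot reach a /client endpoint by mistake. The following is an added example, not Klaviyo's own code: `build_request`, `private_key_from_env`, the `KLAVIYO_PRIVATE_KEY` variable name and the sample `/api/profiles/` path are assumptions made for illustration.

```python
import os
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "https://a.klaviyo.com"
REVISION = "2023-12-15"  # revision header value used in the curl examples on this page


def private_key_from_env(var="KLAVIYO_PRIVATE_KEY"):
    """Read the private key from the environment (hypothetical variable name)
    so it is never hard-coded in source or shipped in client-side bundles."""
    key = os.environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    return key


def build_request(path, *, private_key=None, company_id=None, body=None):
    """Return an unsent Request carrying only the credential that matches
    the endpoint family (/api -> private key, /client -> public key)."""
    headers = {"accept": "application/json", "revision": REVISION}
    if body is not None:
        headers["content-type"] = "application/json"

    if path.startswith("/api/"):
        # Server-side endpoints: the private key travels in the header only.
        if not private_key:
            raise ValueError("/api endpoints require a private API key")
        headers["Authorization"] = f"Klaviyo-API-Key {private_key}"
        url = BASE_URL + path
    elif path.startswith("/client/"):
        # Client endpoints: refuse a private key outright, and reject any
        # company_id that is not the 6-character public key described above.
        if private_key is not None:
            raise ValueError("never send a private API key to /client endpoints")
        if company_id is None or len(company_id) != 6:
            raise ValueError("company_id must be the 6-character public key")
        url = f"{BASE_URL}{path}?{urlencode({'company_id': company_id})}"
    else:
        raise ValueError(f"unknown endpoint family: {path!r}")

    method = "POST" if body is not None else "GET"
    return Request(url, data=body, headers=headers, method=method)
```

The function only constructs the request; pass the result to `urllib.request.urlopen` to send it.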

OAuth

If you're building an app with Klaviyo, OAuth is a standard you can use to provide secure delegated access to users via access tokens. When setting up OAuth, you can provide designated scopes for each API authorization request you'll want to make.