Authenticate
Learn how to authenticate requests to Klaviyo endpoints.
Klaviyo provides three methods of authentication:
Server-side APIs | Client-side APIs |
---|---|
Private key authentication: All `/api` endpoints use API private keys to authenticate requests. If you do not use an API key for your requests, or if you use a key from the wrong account, your call will return an error. A 400 error indicates an invalid or missing API key. Please refer to this guide for more details on how to generate private keys and use API key scopes. | Public key authentication: All `/client` endpoints use a public API key: your 6-character company ID, also known as a site ID. We recommend using the Klaviyo object or our Mobile SDKs for interacting with our client-side APIs. |
OAuth: If you are a tech partner integrating with Klaviyo, we recommend using OAuth to authenticate your app. OAuth offers multiple benefits over a private key integration, including security, usability, improved rate limits, and the ability to be listed in Klaviyo's integrations directory. Check out our guide on setting up OAuth. | |
Private key authentication
Private key authentication for `/api` endpoints is performed by setting the following request header:

```
Authorization: Klaviyo-API-Key your-private-api-key
```

```
curl --request GET \
  --url https://a.klaviyo.com/api/{endpoint}/ \
  --header 'Authorization: Klaviyo-API-Key your-private-api-key' \
  --header 'accept: application/json' \
  --header 'revision: 2023-12-15'
```
For your account's security, we strongly recommend never using a private API key with the Client endpoints.
Public key authentication
Client-side API calls only require a public API key, also known as a `company_id`, for authentication:

```
curl --request POST \
  --url 'https://a.klaviyo.com/client/subscriptions/?company_id=PUBLIC_API_KEY' \
  --header 'content-type: application/json' \
  --header 'revision: 2023-12-15' \
  --data '
...
```
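The split between the two key types can be enforced in code rather than left to convention. The following is an added example, not Klaviyo's own code: a request builder that puts the private key only in the `Authorization` header of `/api` calls, refuses to attach it to `/client` calls, and redacts it before logging. The function names, the `example-endpoint` path, the sample key values and the assumption that the 6-character company ID is alphanumeric are illustrative.

```python
import re
import urllib.request
from urllib.parse import urlencode

BASE = "https://a.klaviyo.com"   # host used in the curl examples on this page
REVISION = "2023-12-15"          # revision header value from this page
PATH_RE = re.compile(r"/(api|client)/[A-Za-z0-9_/-]*")
COMPANY_ID_RE = re.compile(r"[A-Za-z0-9]{6}")  # assumption: 6 alphanumeric characters


def build_request(path, *, private_key=None, company_id=None, body=None):
    """Build (but do not send) a request whose credential matches the endpoint family."""
    m = PATH_RE.fullmatch(path)
    if not m:
        raise ValueError("path must start with /api/ or /client/")
    headers = {"accept": "application/json", "revision": REVISION}
    if body is not None:
        headers["content-type"] = "application/json"
    if m.group(1) == "api":
        # Server-side: private key in the Authorization header, never in the URL.
        if not private_key or company_id is not None:
            raise ValueError("/api requires a private key and no company_id")
        headers["Authorization"] = f"Klaviyo-API-Key {private_key}"
        url = BASE + path
    else:
        # Client-side: public company_id only; refuse to attach a private key.
        if private_key is not None:
            raise ValueError("never send a private key to /client endpoints")
        if not COMPANY_ID_RE.fullmatch(company_id or ""):
            raise ValueError("company_id must be the 6-character public key")
        url = f"{BASE}{path}?{urlencode({'company_id': company_id})}"
    method = "POST" if body is not None else "GET"
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def loggable_headers(req):
    """Headers safe to write to logs: the Authorization value is redacted."""
    return {k: ("[REDACTED]" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real endpoint name.
    api = build_request("/api/example-endpoint/", private_key="example-private-key")
    print(api.full_url, loggable_headers(api))
    client = build_request("/client/subscriptions/", company_id="AbC123", body=b"{}")
    print(client.full_url, loggable_headers(client))
```
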
OAuth
If you're building an app with Klaviyo, OAuth is a standard you can use to provide secure delegated access to users via access tokens. When setting up OAuth, you can provide designated scopes for each API authorization request you'll want to make.