Simplifying Infusionsoft Authentication with OAuth2

Currently, there are three ways for users to authenticate and authorize third-party apps to access their Infusionsoft accounts. In an effort to provide developers with better metrics around their API calls and make it easier for customers to grant access to their Infusionsoft accounts, we are transitioning to OAuth 2.0.

We encourage you to adopt OAuth 2.0 for your apps and integrations as soon as possible. Doing so future-proofs your app and yields a number of benefits, which are explained below.

The three authentication methods developers can use in their solutions are:

  1. Account-level API Access – This requires users to know their account name and supply the API key relevant to their account. Account-level API keys are shared with multiple apps/integrations, which makes it impossible to revoke access for just one app/integration. If the user changes their API key, all apps/integrations using that key are impacted. We will be sunsetting account-level keys in the future and will announce the official cutoff with ample time to transition your apps to OAuth.

  2. Vendor Key API Access – These keys allow developers to access an Infusionsoft application with a customer’s username and password. Vendor keys were an improvement over account-level keys, but they still have drawbacks: 1) they require developers to store a customer’s sensitive username and password, and 2) when a customer changes their password, any apps or integrations using vendor keys no longer work until they are updated with the new credentials.

    Starting July 1, 2014, no new Vendor Keys will be issued. However, existing Vendor Keys will continue to function. We will be sunsetting Vendor Keys in the future and will announce the official cutoff with ample time to transition your apps to OAuth.

  3. OAuth 2.0 API Access – This is the new standard authentication method for Infusionsoft apps. OAuth 2.0 is the standard used by most modern APIs including Facebook, Google, Stripe, Shopify and countless others. OAuth will provide a streamlined authentication process for our customers, allow customers to view/revoke access for specific apps/integrations and provide developers with a simplified authentication method as well as more metrics about the applications you create.

Changes to API Throttles

Account-level and Vendor keys operate on a shared API throttling model and don’t provide any visibility into your API usage. API metrics can be very important when you want to know if you’re approaching a throttle. They can also help you troubleshoot performance issues within your app.

By using OAuth 2.0, your apps are throttled independently of one another. When you switch to OAuth, your apps are throttled at the application level and we are able to modify this throttle on a per-app or per-developer basis. To accomplish this change, we are using an API Proxy service that, in addition to providing fine-grained throttling controls, also offers robust reporting tools for API usage.

Why do we have OAuth 2.0 when the other two authentication methods work just fine?

The long-term plan is that the only authentication option for Infusionsoft apps and integrations will be OAuth 2.0. We don’t have a date when this will occur, but when we do, we’ll give all users and developers plenty of time to migrate. Expect that this migration will be graceful, developer-friendly and fair to all those who access our API.

If you’re creating apps or other API solutions with Infusionsoft, build for the future with OAuth 2.0. This will save you time and reassure your users that everything is current and up to date.

If you find that you need to increase your API throttle (limit), please email <api@infusionsoft.com> and we’ll review your request. We are still monitoring API usage across the board to determine what “normal” API throttles look like. The more developers that switch to OAuth 2.0, the more data we’ll have to set throttles appropriately. Thanks for your patience and understanding.

» Read more about using OAuth2 with Infusionsoft in our documentation.

» If you haven’t done so already, register with the Developer Center to create API keys for your apps.