As Keap phases out Legacy Keys, we have worked to make it simple to keep your integrations functioning.
What is a Legacy Key?
Legacy Keys are our first form of API authentication. They were the single API key for a given Infusionsoft/Keap application, which all API consumers used to access that application’s data.
Why are we migrating from Legacy Keys?
Legacy Keys have several security problems that we need to address, including:
- The key is always visible in the UI, allowing anyone who can see it to use it indefinitely
- All consumers use the same key, making it impossible to determine individual traffic
- Having a single key means having to rotate that key everywhere in case of compromise
- The Legacy Key allowed access that bypasses our API proxies, preventing us from implementing more advanced traffic controls which are necessary for system performance
If: You use PHP to integrate
We have released a new version of our PHP SDK that supports an APIKey parameter, and your existing Legacy Key will continue to be functional via this authentication method.
You can also generate a new SAK (Service Account Key) in your Keap app and use it in the same manner. Doing so retires your Legacy Key in favor of our current authentication methods and future-proofs your integration, as we do plan to revoke all Legacy Keys in Q1 2025.
If: You use another language to integrate
You can continue to use your Legacy Key to make calls against the Keap API for now, but you will have to make some minor alterations to your calls.
First, all calls must be routed to the main API endpoint, changing from:
https://YourInstanceId.infusionsoft.com/api/xmlrpc/v1
to:
https://api.infusionsoft.com/crm/xmlrpc
You will then need to change how you send your key: it must be sent as a header on the request, rather than as part of the XML POST body:
X-Keap-API-Key: YourLegacyKey
You can also generate a new SAK (Service Account Key) in your Keap app and use it in the same manner. Doing so retires your Legacy Key in favor of our current authentication methods and future-proofs your integration, as we do plan to revoke all Legacy Keys in Q1 2025. If you choose to do so, you can instead pass the SAK as a Bearer token (similar to JWT or OAuth) so that you don’t have to implement custom headers:
Authorization: Bearer YourSAK
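The two changes above (new endpoint, key moved from the XML body into a header) can be sketched as follows. This is an added example, not code from Keap or its SDK. The environment variable name `KEAP_API_KEY`, the helper names, and the method name in the test are assumptions, and the page does not say whether a method still expects a placeholder in the former key position, so `params` is passed through exactly as given.

```python
import os
import urllib.request
import xmlrpc.client

API_URL = "https://api.infusionsoft.com/crm/xmlrpc"  # main endpoint given above


def auth_headers(key, kind):
    """Return the header that carries the credential; kind is 'legacy' or 'sak'."""
    if not key or "\r" in key or "\n" in key:
        raise ValueError("key is empty or contains line breaks")
    if kind == "legacy":
        return {"X-Keap-API-Key": key}
    if kind == "sak":
        return {"Authorization": "Bearer " + key}
    raise ValueError("kind must be 'legacy' or 'sak'")


def build_request(method, params, key, kind="sak"):
    """Build (but do not send) an XML-RPC POST with the key in a header only."""
    headers = {"Content-Type": "text/xml"}
    headers.update(auth_headers(key, kind))
    body = xmlrpc.client.dumps(tuple(params), methodname=method).encode("utf-8")
    if key.encode("utf-8") in body:
        # Catches call sites that still pass the key as an XML-RPC parameter.
        raise ValueError("credential found in XML body; remove it from params")
    return urllib.request.Request(API_URL, data=body, headers=headers, method="POST")


def call(method, params, kind="sak"):
    """Send the request; the key is read from the environment, not source code."""
    key = os.environ["KEAP_API_KEY"]  # variable name is an assumption
    req = build_request(method, params, key, kind)
    with urllib.request.urlopen(req, timeout=30) as resp:
        # loads() returns (params, methodname); a fault raises xmlrpc.client.Fault
        return xmlrpc.client.loads(resp.read())[0]
```

The body check in `build_request` is useful during migration because it fails loudly at any call site that still embeds the key in the POST body, where it would continue to show up in request logs.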
If: You are a third-party integrator
We require that third-party integrators use our OAuth2 Bearer tokens, for security and scalability. You can find complete instructions on our OAuth2 documentation page.
Timeline
| Milestone | Date |
| --- | --- |
| Update PHP SDK to support Legacy Keys | April 2024 |
| Initial notification of migration | June 10th, 2024 |
| Live Q&A Seminar | June 13th |
| Email Reminder | July 1st, 2024 |
| Legacy Key creation disabled if not already in place | July 10th, 2024 |
| Email Reminder | August 1st, 2024 |
| Email Reminder | October 1st, 2024 |
| Black-out date | October 31st, 2024 |
Conclusion
If you have questions about implementing these changes, you can find support from other developers in our Integration community, or from the Keap API Support team through our developer ticketing system.