OAuth2 Authentication

Request Permission

The first step in the OAuth flow is to redirect the user to Infusionsoft in order to authorize your application for access. The URL you generate here is where you first send your user in order for them to log in and continue the OAuth flow.

Once the user has logged into their Infusionsoft account and authorized your application, they will be redirected back to your application at your specified redirect_uri with a code URL parameter that is used to request an access token.

Redirect users to https://accounts.infusionsoft.com/app/oauth/authorize along with the required parameters in order to start the OAuth exchange.

Parameters

  • client_id
    string
    Application client ID. Found in the developer portal.
  • redirect_uri
    string
    This is the callback URL that Infusionsoft will redirect users back to after authorization (must be HTTPS). Users will not be redirected to any other URL during the authentication process, so it is important to use a site that users can visit and that has a script to capture the authorization code.
  • response_type
    string
    The desired grant type, as per the OAuth 2.0 spec. The only current valid value is response_type=code. Defaults to code.
  • scope
    string
    The scopes required by your application. The only current valid value is scope=full. Defaults to full.

Request an Access Token

The access_token is the token you will use to authenticate requests to the Infusionsoft API, and it expires after the time in the expires_in field (in seconds). In order to get a new valid access token after one has expired, you must use the refresh_token to request a new access token.

Using the code URL parameter returned from the authorization callback, your application can request an access token and refresh token from Infusionsoft.

Requesting an access token requires you to POST to https://api.infusionsoft.com/token

Note: The content type should be set to application/x-www-form-urlencoded.

Parameters

  • client_id
    string
    Your application’s client ID. Found in the developer portal.
  • client_secret
    string
    Your application’s client secret. Found in the developer portal.
  • code
    string
    The code returned when the user was redirected back to your application.
  • grant_type
    string
    The desired grant type, as per the OAuth 2.0 spec. The only current valid value is grant_type=authorization_code. Defaults to authorization_code.
  • redirect_uri
    string
    The redirect URL from the original authorization request.

Refresh an Access Token

Provides a new access_token that you will use to authenticate subsequent requests to the Infusionsoft API. Like the originally granted token, this expires after the amount of time in the expires_in field (in seconds). You must use the newly provided refresh_token to request a subsequent new access token. Make sure to also store the new refresh token every time you request and store a new access token.

After your access token expires, you’ll use the refresh token that was provided when your access token was initially granted to request a new access token.

Note: Once a Refresh Token is used to receive a new Access Token, you will be returned a new Refresh Token as well, which will need to be persisted in order to request the next access token.

Refreshing an access token requires you to POST to https://api.infusionsoft.com/token

Note: The content type should be set to application/x-www-form-urlencoded.

Parameters

  • grant_type
    string
    The desired grant type, as per the OAuth 2.0 spec. The only current valid value is refresh_token. Defaults to refresh_token.
  • refresh_token
    string
    The refresh token provided when the most recent access_token was granted.
  • Header:Authorization
    string
    The word “Basic ” (with a space) concatenated with a base64 encoded string of your client_id, a colon, and your client_secret, passed via the Authorization header. Example pseudo code: 'Basic ' + base64_encode(CLIENT_ID + ':' + CLIENT_SECRET)
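
The three steps above as an added Python example (not Infusionsoft's own code): it builds the authorization URL and the two token POSTs without sending them, and persists the rotated refresh token together with the new access token. The function names, the dict-based store, the 60-second expiry margin and the assumption that the token response has been parsed into a dict are illustrative.

```python
import base64
import time
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://accounts.infusionsoft.com/app/oauth/authorize"
TOKEN_URL = "https://api.infusionsoft.com/token"
# Assumption: token responses have already been parsed into a dict.
def authorization_url(client_id, redirect_uri):
    """Step 1: URL the user is redirected to in order to authorize the app."""
    if not redirect_uri.startswith("https://"):
        raise ValueError("redirect_uri must be HTTPS")
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "full"}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

def _post(fields, headers=None):
    # Build the form-encoded POST without sending it, so it can be inspected.
    hdrs = {"Content-Type": "application/x-www-form-urlencoded", **(headers or {})}
    data = urllib.parse.urlencode(fields).encode()
    return urllib.request.Request(TOKEN_URL, data=data, headers=hdrs, method="POST")

def code_exchange_request(client_id, client_secret, code, redirect_uri):
    """Step 2: trade the callback's code for an access and refresh token."""
    return _post({"client_id": client_id, "client_secret": client_secret,
                  "code": code, "grant_type": "authorization_code",
                  "redirect_uri": redirect_uri})

def refresh_request(client_id, client_secret, refresh_token):
    """Step 3: client credentials travel in the Basic Authorization header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return _post({"grant_type": "refresh_token", "refresh_token": refresh_token},
                 {"Authorization": "Basic " + basic})

def store_tokens(store, response, now=None):
    """Persist a parsed token response; the refresh token rotates on every use."""
    missing = {"access_token", "refresh_token", "expires_in"} - set(response)
    if missing:  # refuse partial updates that would lose the refresh token
        raise ValueError(f"token response missing {sorted(missing)}")
    now = time.time() if now is None else now
    store.update(access_token=response["access_token"],
                 refresh_token=response["refresh_token"],
                 expires_at=now + int(response["expires_in"]))
    return store

def is_expired(store, now=None, skew=60):
    """True once the access token is within `skew` seconds of expiry."""
    return (time.time() if now is None else now) >= store["expires_at"] - skew
```

Write the store to durable storage before using the new access token, so a crash between the refresh and the save cannot leave only the already-used refresh token on disk.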