
Introduction

One of the hidden gems in the Keap suite of software is the API. The Keap API enables third-party applications to communicate with Keap and process, update, and destroy data for a wide variety of uses. You can do things like manage contacts, place orders, send messages, and most other things available for use in the Keap software.

Helper Libraries

Keap officially supports the PHP library we created in-house. In addition, there are a number of third party helper libraries created by members of the community that may be useful to you. Many of these libraries are open source, so we encourage you to get into contact with their creators if you find bugs or have ideas for feature requests.

See Available Helper Libraries

Authentication

The Keap API uses a fairly standard implementation of OAuth 2.0 in order to provide authentication to all API endpoints. In the past, the Infusionsoft API has relied on a simple token based system; while those tokens will remain active until some date in the future for the XML-RPC API, any new implementations and all requests to the REST API will be required to use OAuth 2.0. Rather than re-explain OAuth again, it is more useful to provide a series of documents that have already been created and demonstrate the OAuth protocol, how to implement it in your code, how to troubleshoot, and how to ease development. Before that, though, it is important to have the authorization destinations and necessary details.

Request Permission

The first step in the OAuth flow is to redirect the user to Keap in order to authorize your application for access. The URL you generate here is where you first send your user in order for them to log in and continue the OAuth flow.

Redirect users to https://signin.infusionsoft.com/app/oauth/authorize along with the required parameters in order to start the OAuth exchange.


Form Parameters

client_id:
string (required)

Application client ID. Found in the developer portal

redirect_uri:
string (required)

This is the callback URL that Infusionsoft will redirect the users back to after authorization (must be HTTPS). The redirect_uri must be a registered URL in your application. We will not redirect users to any other URLs, so it is important this be properly set up before any authentication attempts.

response_type:
string (required)

The desired grant type, as per the OAuth 2.0 spec. The only current valid value is response_type=code. Defaults to code.

scope:
string

The scopes required by your application. The only current valid value is scope=full. Defaults to full.


Returns

Once the user has logged into their Keap account and authorized your application, they will be redirected back to your application at your specified redirect_uri with a code URL parameter that is used to request an access token.


GET https://signin.infusionsoft.com/app/oauth/authorize
Begins the OAuth flow by asking the user to choose an Infusionsoft account to authenticate with.

curl https://signin.infusionsoft.com/app/oauth/authorize

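// Using the iSDK library
require("../../src/isdk.php");

$app = new iSDK();
$app->setClientId('CLIENTID');
$app->setSecret('CLIENTSECRET');

echo "<p>Click the link below to allow my application to access your Infusionsoft application.</p>";
// Escape the URL before placing it in an HTML attribute
echo '<a href="'.htmlspecialchars($app->getAuthorizationURL(), ENT_QUOTES).'">Authorize My Application</a>';

// Using the Infusionsoft PHP SDK ($infusionsoft is an already configured client instance)
$url = $infusionsoft->getAuthorizationUrl();
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '">Click here to authorize</a>';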

Request an Access Token

Using the code URL parameter returned from the authorization callback, your application can request an access token and refresh token from Keap.

Requesting an access token requires you to POST to https://api.infusionsoft.com/token


Form Parameters

client_id:
string (required)

Your application's client ID. Found in the developer portal

client_secret:
string (required)

Your application's client secret. Found in the developer portal

code:
string (required)

The code returned when the user was redirected back to your application

grant_type:
string (required)

The desired grant type, as per the OAuth 2.0 spec. The only current valid value is grant_type=authorization_code. Defaults to authorization_code.

redirect_uri:
string (required)

The redirect URL from the original authorization request


Returns

The access_token is the token you will use to authenticate requests to the Keap API, and it expires after the time in the expires_in field (in seconds). In order to get a new valid access token after one has expired, you must use the refresh_token to request a new access token.


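curl https://api.infusionsoft.com/token -X POST -d client_id=CLIENTID -d client_secret=CLIENTSECRET -d code=CODE -d grant_type=authorization_code -d redirect_uri=https://example.com/callback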

{
    "token_type": "bearer",
    "access_token": "axxxxx",
    "expires_in": 3600,
    "refresh_token": "rxxxxx",
    "scope":"full|example.infusionsoft.com"
}

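// Using the iSDK library
require("../../src/isdk.php");

$app = new iSDK();

// The code parameter is present when the user is redirected back after authorizing
if(isset($_GET['code'])){
    $app->setClientId('CLIENTID');
    $app->setSecret('CLIENTSECRET');
    $app->authorize($_GET['code']);

    $app->refreshAccessToken();
}

// Using the Infusionsoft PHP SDK ($infusionsoft is an already configured client instance)
$infusionsoft->requestAccessToken($_GET['code']);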

Refresh an Access Token

After your access token expires, you'll use the refresh token that was provided when your access token was initially granted to request a new access token.

Note: Once a Refresh Token is used to receive a new Access Token, you will be returned a new Refresh Token as well, which will need to be persisted in order to request the next access token.

Refreshing an access token requires you to POST to https://api.infusionsoft.com/token


Form Parameters

grant_type:
string (required)

The desired grant type, as per the OAuth 2.0 spec. The only current valid value is refresh_token. Defaults to refresh_token.

refresh_token:
string (required)

The refresh token provided when the most recent access_token was granted

Header: Authorization:
string (required)

The word "Basic" concatenated with a base64 encoded string of your client_id, a colon, and your client_secret passed via the Authorization header.

Example pseudo code: 'Basic ' + base64_encode(CLIENT_ID + ':' + CLIENT_SECRET)


Returns

Provides a new access_token that you will use to authenticate subsequent requests to the Infusionsoft API. Like the originally granted token, this expires after the amount of time in the expires_in field (in seconds). You must use the newly provided refresh_token to request a subsequent new access token.

Make sure to also store the new refresh token every time you request and store a new access token.


POST /token
$infusionsoft->refreshAccessToken();

$infusionsoft = new \Infusionsoft\Infusionsoft(array(
    'clientId' => 'CLIENT_ID',
    'clientSecret' => 'CLIENT_SECRET',
    'redirectUri' => 'REDIRECT_URL',
));

// retrieve the existing token object from storage
$infusionsoft->setToken($yourStoredToken);

$infusionsoft->refreshAccessToken();


$infusionsoft = new \Infusionsoft\Infusionsoft(array(
    'clientId' => 'CLIENTID',
    'clientSecret' => 'CLIENTSECRET',
    'redirectUri' => 'https://example.com/callback',
));

// retrieve the existing token object from storage
$infusionsoft->setToken($yourStoredToken);

return $infusionsoft->refreshAccessToken();
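
The refresh step in raw PHP, as an added example (not Keap's SDK and not code from this page): it builds the Basic header and form body described above, then persists the rotated refresh token with an atomic, owner-only write so the stored copy is never left half-written. The function names, the token file location and the `rxxxxx2` value are assumptions made for illustration; `store_token` works the same way on the response to the initial access token request.

```php
<?php
// Added example, not Keap SDK code. CLIENTID, CLIENTSECRET and rxxxxx are placeholders.
const TOKEN_URL = 'https://api.infusionsoft.com/token';

// Refresh request as described above: Basic header plus two form parameters.
function build_refresh_request(string $id, string $secret, string $refresh): array {
    return [
        'headers' => ['Authorization: Basic ' . base64_encode($id . ':' . $secret)],
        'body'    => http_build_query(['grant_type' => 'refresh_token', 'refresh_token' => $refresh]),
    ];
}

// Sends the request (needs ext-curl and network access; not called in the demo).
function send_token_request(array $req): string {
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_POSTFIELDS => $req['body'],
        CURLOPT_HTTPHEADER => $req['headers'], CURLOPT_RETURNTRANSFER => true,
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) { throw new RuntimeException(curl_error($ch)); }
    return $raw;
}

// Validates a token response and atomically replaces the stored pair, so a
// crash mid-write cannot corrupt the only copy of the rotated refresh token.
function store_token(string $json, string $path, int $now): array {
    $t = json_decode($json, true);
    foreach (['access_token', 'refresh_token', 'expires_in'] as $k) {
        if (!is_array($t) || empty($t[$k])) {
            throw new RuntimeException("token response missing $k");
        }
    }
    $t['expires_at'] = $now + (int) $t['expires_in'];   // absolute expiry time
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    $old = umask(0077);                                  // temp file is created 0600
    $ok = file_put_contents($tmp, json_encode($t)) !== false && rename($tmp, $path);
    umask($old);
    if (!$ok) { throw new RuntimeException('could not persist token'); }
    return $t;
}

// Offline demo with a constructed response shaped like the sample on this page.
$sample = '{"token_type":"bearer","access_token":"axxxxx","expires_in":3600,'
        . '"refresh_token":"rxxxxx2","scope":"full|example.infusionsoft.com"}';
$req = build_refresh_request('CLIENTID', 'CLIENTSECRET', 'rxxxxx');
echo $req['headers'][0], "\n", $req['body'], "\n";
$saved = store_token($sample, tempnam(sys_get_temp_dir(), 'keap'), 1700000000);
echo $saved['refresh_token'], ' valid until ', $saved['expires_at'], "\n";
```

In a real integration, pass the output of `send_token_request()` to `store_token()` and keep the token file outside the web root.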