Legacy Key Migration

As Keap phases out Legacy Keys, we have worked to make it simple to keep your integrations functioning.

What is a Legacy Key?

Legacy Keys are our first form of API authentication. They were the single API key for a given Infusionsoft/Keap application, which all API consumers used to access that application’s data.

Why are we migrating from Legacy Keys?

Legacy Keys have several security problems that we need to address, including:

  • The key is always visible in the UI, allowing anyone who can see it to use it indefinitely
  • All consumers use the same key, making it impossible to determine individual traffic
  • Having a single key means having to rotate that key everywhere in case of compromise
  • The Legacy Key allowed access that bypasses our API proxies, preventing us from implementing more advanced traffic controls which are necessary for system performance

If: You use PHP to integrate

We have released a new version of our PHP SDK that supports an APIKey parameter, and your existing Legacy Key will continue to be functional via this authentication method.

You can also generate a new SAK (Service Account Key) in your Keap app and use that instead in the same manner, retiring your Legacy Key in favor of our current authentication methods to future-proof your integration, as we do plan to revoke all Legacy Keys in Q1 2025.

If: You use another language to integrate

You can continue to use your Legacy Key to make calls against the Keap API for now, but will have to make some minor alterations to your calls.

First, all calls must be routed to the main API endpoint, changing from:
https://YourInstanceId.infusionsoft.com/api/xmlrpc/v1
to:
https://api.infusionsoft.com/crm/xmlrpc

You will then need to change how you are sending your key to be a Header on the request, rather than a part of the XML POST body:
X-Keap-API-Key: YourLegacyKey

You can also generate a new SAK (Service Account Key) in your Keap app and use that instead in the same manner, retiring your Legacy Key in favor of our current authentication methods to future-proof your integration, as we do plan to revoke all Legacy Keys in Q1 2025. If you choose to do so, you can instead pass the SAK as a Bearer token (similar to JWT or OAuth) so that you don’t have to implement custom headers:
Authorization: Bearer YourSAK

While every code update will be different, the following examples show how to use the Keap XML/RPC with both the old and new ways of calling Keap.
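The old and new request shapes side by side, as an added Python example that is not Keap's own sample code. The helper names are hypothetical, the key is a constructed sample value, and `ContactService.load` is used only as an illustrative method. Keeping an empty string in the key's old first-parameter position is an assumption this page does not confirm; check the XML-RPC reference for your method.

```python
import urllib.request
import xmlrpc.client

NEW_URL = "https://api.infusionsoft.com/crm/xmlrpc"  # from this page

def legacy_request(instance_id, key, method, *args):
    """Old style: per-app host, key sent as the first XML-RPC param in the body."""
    url = f"https://{instance_id}.infusionsoft.com/api/xmlrpc/v1"
    body = xmlrpc.client.dumps((key, *args), methodname=method).encode("utf-8")
    return url, {"Content-Type": "text/xml"}, body

def migrated_request(credential, method, *args, is_sak=False):
    """New style: shared host, credential in a header and never in the body."""
    headers = {"Content-Type": "text/xml"}
    if is_sak:
        headers["Authorization"] = f"Bearer {credential}"
    else:
        headers["X-Keap-API-Key"] = credential
    # Assumption: an empty string holds the key's old first-parameter slot so
    # the remaining arguments keep their positions.
    body = xmlrpc.client.dumps(("", *args), methodname=method).encode("utf-8")
    return NEW_URL, headers, body

def send(url, headers, body, timeout=10):
    """POST a prepared request and return the decoded XML-RPC result."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return xmlrpc.client.loads(resp.read())[0][0]

if __name__ == "__main__":
    key = "CONSTRUCTED-KEY-0000"  # constructed sample value, not a real key
    call = ("ContactService.load", 123, ["FirstName", "Email"])
    for url, headers, body in (legacy_request("YourInstanceId", key, *call),
                               migrated_request(key, *call),
                               migrated_request(key, *call, is_sak=True)):
        print(url, sorted(headers), "key in body:", key.encode() in body)
```

With the credential in a header, request-body logging no longer captures it; make sure header logging on your side redacts `X-Keap-API-Key` and `Authorization`.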

If: You are a third-party integrator

We require that third-party integrators use our OAuth2 Bearer tokens, for security and scalability. You can find complete instructions on our OAuth2 documentation page.

Timeline

  • Update PHP SDK to support Legacy Keys: April 2024
  • Initial notification of migration: June 10th, 2024
  • Live Q&A Seminar: June 13th
  • Email Reminder: July 1st, 2024
  • Legacy Key creation disabled if not already in place: July 10th, 2024
  • Email Reminder: August 1st, 2024
  • Email Reminder: October 1st, 2024
  • Black-out date: October 31st, 2024

Conclusion

If you have questions about implementing these changes, you can find support from other developers in our Integration community, or from the Keap API Support team through our developer ticketing system.