Making OAuth Requests Without User Authorization

Languages: Any | Difficulty: Easy


Many applications these days need to manipulate a Keap account as an "application", rather than on behalf of a single user. One of the most common examples is adding your own new users as contacts in your internal Keap account.

Suppose you have a web application called ButtonPush that allows users to push a button. They create an account with you by entering their own username and password, and once logged in can push a button as many times as they wish. You want to accomplish two things:

  1. Whenever someone signs up, add them to your internal ButtonPush Keap account
  2. Whenever someone presses a button for the first time, add a tag to their user profile titled "buttonpushed"

With a simple key-based API this is straightforward: you'd keep your API key in configuration such as an environment variable (not in the codebase itself) and make a request to your own Keap account via the API to create the contact. With OAuth, however, things get a bit more complicated. This tutorial walks you through the basic concepts needed to build the Keap OAuth flow into your application's admin panel using the PHP SDK.

Please note that this tutorial covers integrating a single Keap account. If you need to let your users connect their own Keap accounts, follow our tutorial on OAuth.


Set Up The Application

We'll assume your application already exists: the core application logic is built, and you have some sort of administration panel that only you can see. That panel is where you'll put the authorization link and show the status of your Keap connection.

Create a way to store your Infusionsoft OAuth Token

In the next step we'll run some simple commands to retrieve a Keap access token and its accompanying refresh token, but before we do that we need somewhere to store them.

If your application has a concept of "settings" at the administrator level, we recommend that you store your Keap Token along with other settings - things like your root URL and other default values that apply to the system as a whole.

If you don't have any concept of settings, you can store the token pretty much anywhere: in your database in a new table named "system_settings", or in a text file outside the document root of the application. The location matters because the access and refresh tokens are bearer credentials: anyone who reads them can act as your Keap account. Keep the file outside the web root so the web server can never serve it, restrict read permissions to the account the application runs as, and never commit the tokens to source control.


Integrate the Infusionsoft API

No matter what language you use, you'll integrate Keap and authenticate via OAuth exactly as in any other scenario.

The difference is that you store your token once and check it before every request, refreshing it when it is about to expire. This means you can access the Keap API globally within your application, and don't have to store access and refresh tokens on individual user records: keep the single pair in your settings table.


Make a request

At this point, you should be all set to make a request. By now, you should have:

  • Created a link that starts the Keap authorization flow, reachable only from your admin panel
  • Built the OAuth callback so that, after authorization, your access and refresh tokens are saved in your settings table

When you have a new signup, you can simply make a request to Infusionsoft to add the new user as a contact in your own Keap account. Infusionsoft will respond with the new Contact ID, which you should save on the user record within your application.

When someone presses the button in your application, retrieve their Infusionsoft Contact ID from your user store and make a request to Infusionsoft to apply the "buttonpushed" tag. Since only the first press should tag the contact, record on the user record that the tag has been applied and skip the API call on later presses.
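The signup and first-button-push flow from this section, as an added example in Python (the tutorial itself targets the PHP SDK; this is not code from Keap or its SDK). The contact-creation and tag endpoints, their JSON shapes, and the bearer-token header are this example's assumptions about the Keap REST v1 API and are not stated on this page; confirm them against the current Keap documentation. The class name ButtonPush, the helpers keap_post and demo, and the numeric tag ID are also this example's own: Keap applies tags by ID, so look up the ID of your "buttonpushed" tag once and keep it with your other settings.

```python
import json
import urllib.request

# Assumed, not from the page: Keap REST v1 contact creation and tag application endpoints
# and their JSON shapes. Confirm against the current Keap REST documentation before use.
API_BASE = "https://api.infusionsoft.com/crm/rest/v1"


def keap_post(url, access_token, payload):
    """POST JSON to Keap with the application's single stored access token."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": "Bearer " + access_token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class ButtonPush:
    """Your application's user store, with the Keap contact ID saved on each user record."""

    def __init__(self, access_token, buttonpushed_tag_id, post=keap_post):
        self.token = access_token          # from the application-wide settings, not per user
        self.tag_id = buttonpushed_tag_id  # numeric ID of the "buttonpushed" tag, looked up once
        self.post = post                   # injectable so the flow can be exercised offline
        self.users = {}                    # username -> record; a real app uses its database

    def signup(self, username, email, given_name):
        """Create the user locally and mirror them as a contact in your own Keap account."""
        contact = self.post(f"{API_BASE}/contacts", self.token, {
            "given_name": given_name,
            "email_addresses": [{"email": email, "field": "EMAIL1"}],
        })
        self.users[username] = {"email": email, "keap_contact_id": contact["id"], "tagged": False}
        return contact["id"]

    def push_button(self, username):
        """Tag the contact on the first press only; later presses make no API call."""
        user = self.users[username]
        if user["tagged"]:
            return False
        self.post(f"{API_BASE}/contacts/{user['keap_contact_id']}/tags", self.token,
                  {"tagIds": [self.tag_id]})
        user["tagged"] = True
        return True


def demo():
    """Run signup and two button presses against a fake Keap that records requests (constructed)."""
    requests = []

    def fake_keap(url, token, payload):
        requests.append((url.replace(API_BASE, ""), token, payload))
        return {"id": 4242} if url.endswith("/contacts") else {}

    app = ButtonPush("access-token-from-settings", buttonpushed_tag_id=101, post=fake_keap)
    contact_id = app.signup("alice", "alice@example.com", "Alice")
    first, second = app.push_button("alice"), app.push_button("alice")
    return contact_id, first, second, requests
```

The fake transport in demo() records exactly two requests: one contact creation at signup and one tag application on the first press; the second press is answered from the local "tagged" flag without touching the API. In production, pass the access token read from your settings table at request time rather than caching it in the object, so a refreshed token is picked up immediately.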


As you go: Refresh the Access Token

To keep access to Keap without an admin having to authorize the application again, we suggest the following:

  • Run a cron job that refreshes the access token three hours before it expires.
  • Schedule that job from the expires_in value returned when an access token is granted; store the absolute expiry time it implies, not just the raw interval.
  • Currently the access token expires 24 hours after it is issued, which means the refresh should happen every 21 hours.

Please note that a refresh token can no longer be used once either of the following happens:

  • The refresh token has been used. Each refresh returns a new refresh token, so always replace the stored one; if the new token is lost (a crash between the refresh call and the save, or two processes refreshing at once), the only way back is to re-run the authorization link from the admin panel.
  • The refresh token is older than 45 days. On a 21-hour refresh cycle this only bites when the job has not run for that long, so alert on a failed refresh rather than discovering it when API requests start failing.
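The single-token store from "Integrate the Infusionsoft API" together with the refresh-ahead and refresh-token rules just listed, as one added example in Python (the tutorial targets the PHP SDK; this is not code from Keap or its SDK). It assumes the token endpoint https://api.infusionsoft.com/token and the standard OAuth 2.0 refresh_token grant with HTTP Basic client credentials, neither of which this page states; the names KeapTokenStore, ReauthorizationRequired and demo are this example's own. The store keeps one access/refresh pair in a system_settings table, computes an absolute expiry from expires_in, refreshes three hours ahead of it, rotates the single-use refresh token in one transaction, and refuses to use a refresh token older than 45 days.

```python
import base64
import json
import os
import sqlite3
import time
import urllib.parse
import urllib.request

# Assumed, not from the page: the standard OAuth 2.0 refresh_token grant with HTTP Basic
# client credentials at this URL. Confirm both against Keap's current documentation.
TOKEN_URL = "https://api.infusionsoft.com/token"
REFRESH_AHEAD = 3 * 3600            # refresh three hours before the access token expires
REFRESH_TOKEN_MAX_AGE = 45 * 86400  # Keap rejects refresh tokens older than 45 days


class ReauthorizationRequired(Exception):
    """Stored tokens cannot be refreshed; an admin must re-run the authorization link."""


class KeapTokenStore:
    """One token set for the whole application, kept in a system_settings table."""

    def __init__(self, db_path, client_id, client_secret, http_post=None, clock=time.time):
        self.client_id, self.client_secret, self.clock = client_id, client_secret, clock
        self.http_post = http_post or self._http_post  # injectable so tests run offline
        self.conn = sqlite3.connect(db_path)
        self.conn.execute("CREATE TABLE IF NOT EXISTS system_settings (key TEXT PRIMARY KEY, value TEXT)")
        if db_path != ":memory:":
            os.chmod(db_path, 0o600)  # outside the web root, readable only by the app's account

    def _load(self):
        row = self.conn.execute("SELECT value FROM system_settings WHERE key = 'keap_oauth'").fetchone()
        if row is None:
            raise ReauthorizationRequired("no Keap token stored; authorize from the admin panel")
        return json.loads(row[0])

    def save_tokens(self, token_response):
        """Persist a token response (initial code exchange or refresh) in one transaction:
        the refresh token is single-use, so losing the new one means re-authorizing."""
        now = self.clock()
        record = {"access_token": token_response["access_token"],
                  "refresh_token": token_response["refresh_token"],
                  "expires_at": now + int(token_response["expires_in"]),  # absolute time
                  "refresh_token_issued_at": now}
        with self.conn:
            self.conn.execute("INSERT OR REPLACE INTO system_settings (key, value) "
                              "VALUES ('keap_oauth', ?)", (json.dumps(record),))
        return record

    def needs_refresh(self):
        """True once we are inside the three-hour window before the access token expires."""
        return self.clock() >= self._load()["expires_at"] - REFRESH_AHEAD

    def refresh(self):
        """Exchange the stored refresh token for a new pair and rotate what is stored."""
        rec = self._load()
        if self.clock() - rec["refresh_token_issued_at"] > REFRESH_TOKEN_MAX_AGE:
            raise ReauthorizationRequired("refresh token older than 45 days")
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                       "refresh_token": rec["refresh_token"]})
        headers = {"Authorization": "Basic " + basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        return self.save_tokens(self.http_post(TOKEN_URL, body, headers))

    def access_token(self):
        """The token to put on a request right now, refreshing first when needed."""
        if self.needs_refresh():
            self.refresh()
        return self._load()["access_token"]

    @staticmethod
    def _http_post(url, body, headers):
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())


def demo():
    """Walk the token lifecycle against a fake clock and fake token endpoint (constructed data)."""
    now = [1_700_000_000]
    refresh_calls = []

    def fake_token_endpoint(url, body, headers):
        refresh_calls.append(urllib.parse.parse_qs(body))
        n = len(refresh_calls)
        return {"access_token": f"access-{n}", "refresh_token": f"refresh-{n}", "expires_in": 86400}

    store = KeapTokenStore(":memory:", "client-id", "client-secret",
                           http_post=fake_token_endpoint, clock=lambda: now[0])
    store.save_tokens({"access_token": "access-0", "refresh_token": "refresh-0", "expires_in": 86400})
    first = store.access_token()   # still fresh: no refresh call
    now[0] += 21 * 3600
    second = store.access_token()  # three hours before expiry: refreshed, refresh-0 consumed
    now[0] += 46 * 86400           # app offline for 46 days: the refresh token has aged out
    try:
        store.refresh()
        outcome = "refreshed"
    except ReauthorizationRequired as exc:
        outcome = str(exc)
    return first, second, refresh_calls[0]["refresh_token"][0], outcome
```

Either call refresh() from the cron job the text describes or simply call access_token() before each API request; both decide from the stored absolute expires_at, which is derived from expires_in at save time. Because the refresh token is single-use, make sure only one process refreshes at a time (a row lock or a cron lock file); two concurrent refreshes leave one of them holding a dead token, and a ReauthorizationRequired error is the signal to surface in the admin panel so someone re-runs the authorization link.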


8 thoughts on “Making OAuth Requests Without User Authorization”

  • Two comments, which I’ll keep relatively brief.

    1. Why provide a comment form here? There’s an active Facebook community as well as an existing developer forum on Infusionsoft community. Inviting people to comment here only seems to serve to fragment those efforts at building a developer community and minimize the chance that the commenter gets a response.

    2. A “tutorial” without a single code snippet struggles to meet the definition of “tutorial”, IMHO.

  • It’s nice to have commentary within the context of something specific – lots of times people will refer to something in the docs or a tutorial and it takes a while to figure out exactly what’s being referred to.

    As far as it being a tutorial without code, why does it have to have code? This tutorial is an extremely common usage pattern that many Infusionsoft developers have had questions about, and it’s important to understand the fundamental development pattern being expressed prior to jumping in and coding, especially when one is new to OAuth.

  • This has to be the most uninformative tutorial I have ever read. It’s safe to assume developers already understand what an API, App and Auth tokens are and they interact with each other in a general sense – the only reason they’d be reading this, like myself, is to understand the subtle nuances in code that need to be followed to get it working.

  • I am trying to connect to InfusionSoft through the API but I am getting this message: error_description=User+denied+access+to+resource’

  • What’s the need for user authorization in the first place? We already have client keys. Your API implementation is peculiar.