

The API can be accessed by authenticated users only. This means that every request must be signed with your credentials. We offer two methods of authentication: API key and OAuth 2.0. The API key is our primary method and should be used in most cases. GetResponse MAX clients have to send an X-Domain header in addition to the API key. Supported OAuth 2.0 flows are: Authorization Code, Client Credentials, Implicit, and Refresh Token.

API key

Follow these steps to send an authentication request:

  • Find your unique and secret API key in the panel:
  • Add a custom X-Auth-Token header to all your requests. For example, if your API key is jfgs8jh4ksg93ban9Dfgh8, the header will look like this:
X-Auth-Token: api-key jfgs8jh4ksg93ban9Dfgh8


For security reasons, unused API keys expire after 90 days. When that happens, you’ll need to generate a new key to use our API.

Example authenticated request

$ curl -H "X-Auth-Token: api-key jfgs8jh4ksg93ban9Dfgh8" "<API endpoint URL>"

OAuth 2.0

To use OAuth 2.0 authentication, you need to get an "Access Token". For more information on how to obtain a token, head to our dedicated page: OAuth 2.0

To authenticate a request using an Access Token, set the value of the Authorization header to "Bearer" followed by the Access Token.


For example, if the Access Token is jfg93baDfgh8n9Ds8jh4ksg93ban9Dfgh8, the header will look like this:

Authorization: Bearer jfg93baDfgh8n9Ds8jh4ksg93ban9Dfgh8

GetResponse MAX

GetResponse MAX customers need to take an extra step to authenticate the request. All requests have to be sent with an X-Domain header that contains the client's domain. For example:


Please note that the header must contain only the domain name, without the protocol identifier (http:// or https://).
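
The three header rules above, combined in one helper. This is an added example, not GetResponse code: the function names are hypothetical, and the allowed credential character set is an assumption taken from the OAuth bearer token syntax (RFC 6750). It writes the headers to a curl config file so the secret does not appear on the command line.

```shell
#!/bin/sh
# Added example, not GetResponse code; all function names are hypothetical.

# Reduce a MAX client domain to the bare host name X-Domain requires.
normalize_domain() {
    d=$1
    case "$d" in
        [Hh][Tt][Tt][Pp]://*|[Hh][Tt][Tt][Pp][Ss]://*) d=${d#*://} ;;
    esac
    d=${d%/}                              # tolerate one trailing slash
    case "$d" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;  # path, port, space, CR/LF: reject
    esac
    printf '%s\n' "$d"
}

# Print the header lines for one request.
#   $1 = apikey | bearer   $2 = credential   $3 = MAX domain (optional)
auth_headers() {
    mode=$1; cred=$2; domain=${3:-}; host=
    # Assumption: credentials use only RFC 6750 token characters, so a
    # space or line break (a smuggled extra header) is refused.
    case "$cred" in
        ''|*[!A-Za-z0-9._~+/=-]*) return 1 ;;
    esac
    if [ -n "$domain" ]; then
        host=$(normalize_domain "$domain") || return 1
    fi
    case "$mode" in
        apikey) printf 'X-Auth-Token: api-key %s\n' "$cred" ;;
        bearer) printf 'Authorization: Bearer %s\n' "$cred" ;;
        *) return 1 ;;
    esac
    if [ -n "$host" ]; then printf 'X-Domain: %s\n' "$host"; fi
}

# Write the headers to an owner-only curl config file, keeping the secret
# out of argv and shell history. Use it as: curl -K FILE URL
write_curl_config() {
    out=$1; shift
    hdrs=$(auth_headers "$@") || return 1
    rm -f -- "$out"
    ( umask 077
      printf '%s\n' "$hdrs" | while IFS= read -r h; do
          printf 'header = "%s"\n' "$h"
      done > "$out" )
}
```

Delete the config file once the request has been sent, and supply the key from a secret store or an environment variable rather than typing it into the shell.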