Authentication
The API can be accessed by authenticated users only. This means that every request must be signed with your credentials. We offer two methods of authentication: API Key and OAuth 2.0. The API key is our primary method and should be used in most cases. GetResponse MAX clients have to send an X-Domain header in addition to the API key. Supported OAuth 2.0 flows are: Authorization Code, Client Credentials, Implicit, and Refresh Token.
API key
Follow these steps to send an authentication request:
- Find your unique and secret API key in the panel: https://app.getresponse.com/api
- Add a custom X-Auth-Token header to all your requests. For example, if your API key is jfgs8jh4ksg93ban9Dfgh8, the header will look like this:
X-Auth-Token: api-key jfgs8jh4ksg93ban9Dfgh8
WARNING
For security reasons, unused API keys expire after 90 days. When that happens, you’ll need to generate a new key to use our API.
Example authenticated request
bash
$ curl -H "X-Auth-Token: api-key jfgs8jh4ksg93ban9Dfgh8" https://api.getresponse.com/v3/accounts
OAuth 2.0
To use OAuth 2.0 authentication, you need to get an "Access Token". For more information on how to obtain a token, head to our dedicated page: OAuth 2.0
To authenticate a request using an Access Token, set the value of the Authorization header to "Bearer" followed by the Access Token.
Example
If the Access Token is jfg93baDfgh8n9Ds8jh4ksg93ban9Dfgh8, the header will look like this:
Authorization: Bearer jfg93baDfgh8n9Ds8jh4ksg93ban9Dfgh8
GetResponse MAX
GetResponse MAX customers need to take an extra step to authenticate the request. All requests have to be sent with an X-Domain header that contains the client's domain. For example:
X-Domain: example.com
Please note that the header must contain only the domain name, without the protocol identifier (http:// or https://).
X-Parent-Login header
A user can be in one or more accounts (parent accounts). The X-Parent-Login header allows you to limit API requests to a specific parent account.
For example, a user is assigned to two parent accounts with logins: abc@getresponse.com and xyz@getresponse.com.
If the X-Parent-Login: abc@getresponse.com header is set in API requests, they'll be made only for the parent account with the login abc@getresponse.com.
If a request is made with the header X-Parent-Login: xyz@getresponse.com, it will return information only for the parent account with the login xyz@getresponse.com.
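The four headers described above can be assembled and checked in one place before a request is sent. The following is an added example, not GetResponse code: the helper names `build_auth_headers` and `redact` are hypothetical, and rejecting ports, paths and embedded line breaks in header values is an assumption of this sketch rather than documented API behaviour.

```python
# Added example, not GetResponse code. Only the header names and value formats
# come from the page; the helper names and validation rules are assumptions.

def _clean(name, value):
    """Trim the value and reject empty strings or embedded CR/LF (header injection)."""
    value = value.strip()
    if not value or "\r" in value or "\n" in value:
        raise ValueError(f"invalid value for {name}")
    return value


def _bare_domain(value):
    """X-Domain must hold only the domain name, without http:// or https://."""
    value = _clean("X-Domain", value)
    if "://" in value:                      # drop a protocol identifier if present
        value = value.split("://", 1)[1]
    value = value.rstrip("/")
    if not value or any(c in value for c in "/?#@: "):
        raise ValueError("X-Domain must be a bare domain name")
    return value.lower()


def build_auth_headers(api_key=None, access_token=None, max_domain=None, parent_login=None):
    """Return request headers for exactly one of the two authentication methods."""
    if (api_key is None) == (access_token is None):
        raise ValueError("pass exactly one of api_key or access_token")
    headers = {}
    if api_key is not None:
        headers["X-Auth-Token"] = "api-key " + _clean("API key", api_key)
    else:
        headers["Authorization"] = "Bearer " + _clean("Access Token", access_token)
    if max_domain is not None:              # GetResponse MAX accounts only
        headers["X-Domain"] = _bare_domain(max_domain)
    if parent_login is not None:            # limit requests to one parent account
        headers["X-Parent-Login"] = _clean("X-Parent-Login", parent_login)
    return headers


def redact(headers):
    """Copy of the headers that is safe to log: the credential is masked."""
    secret = {"X-Auth-Token", "Authorization"}
    return {k: (v.split(" ")[0] + " ***" if k in secret else v) for k, v in headers.items()}
```

Pass the result as the headers of any HTTP client call, and log `redact(headers)` instead of the headers themselves so the key or token never reaches log files.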