How do I avoid the "Click here to authorize" when my users are on my system?

I’m developing in PHP and have already installed the SDK and have been able to pull data from Contacts, etc.
But I’m confused about getting authorization to run my functions for my users. It’s one thing in development for me to “Click here to authorize” and then to log into Infusionsoft and allow, etc. and then to proceed with my function. Obviously, this won’t work for my many users who will need the same functionality. So, how do I set things up so that when we go live, and a user needs to pull data through the SDK routines, they will not be stopped in their tracks to “Click here to authorize”? Thanks!

Are you developing this application as a third-party to connect to multiple Keap API instances, or a first party to utilize your own data in your own system?

Our client uses Keap internally for their CRM and they use our application along with all of their customers to manage other aspects of their operation. They want each user on our app to be able to pull data from Keap at certain times. Through our RBAC we manage who sees what.

If you are only requiring a single, administrative user to authorize the transaction and are controlling access to what is retrieved on the far side by some local account management you can follow the OAuth2 flow a single time, retrieve your Refresh Token and Access Token, then use them in perpetuity to access data through that one Keap User’s grant.

The only time you would need to authorize additional Keap Users is if you wanted access to their account data as well, which would necessitate getting authorization from them.


Ok. I think I get that. My only other question then is this… What does my cronjob, that runs every 20 hours to refresh the access token, actually do? Is it an API call or can I use the SDK? I’m fuzzy on how to do the refresh.

I assume that once I get the access token initially, and then when I refresh each 20 or so hours, that I will store those tokens in the db and then automate everything. But I’m still not sure about all the working parts.

Kind Regards,

Robert DeVargas, PhD



The flow I generally advise is:

  1. Store the Refresh Token in persistent storage along with the expiration date (which should be 45 days)
  2. Store Access Token in an in-memory cache along with the expiration date (which should be 24 hours)
  3. Make calls with the Access Token until it expires (or time-to-expire is ~1h or so)
  4. Pull the Refresh Token from storage, call the /token endpoint to refresh it, store the new Refresh Token and Access Token

5ish. A cron job is only required if you expect long periods of inactivity of the above process, as each time the Refresh Token is called to get a new Access Token the 45 day timer resets.

Right, so Step #4… refreshing… technically, how is this done? Is there an SDK function? Or is this a pure API call? I need documentation, I guess is what I’m saying.

Hi Tom, when will the new PAT and SAT token auth be released? There is a ton of overhead for implementing such an advanced refreshing mechanism just for using simple API calls. Permanent API keys are absolutely needed for internal/custom developments. Looking forward…

The documentation is public (----) but where are the features?

Those features are currently in Alpha testing, and the documentation is currently not linked from our site because it is subject to change without notice.

Technically, how do I refresh the tokens? Is there an SDK function? Or is this an API call?

The OAuth2 docs are at Getting Started with OAuth2 - Keap Developer Portal, I’m not sure if the SDK you are using has a custom method for it, but most do:

Refreshing an access token requires you to `POST` to ``
**Note**: The content type should be set to `application/x-www-form-urlencoded`.

Gotcha. I’m using the PHP SDK and am able to get the initial token and pull data, no problem. I just didn’t know if there was an SDK function to do the refresh. I’ll just do the API call then. Thanks.

Robert, you will need to refresh that token by building a script on your side to periodically call IFS API and get a new key each 20h~ or so, otherwise you will not be able to receive any data after the key expires in 24h.

Thanks. I’m just trying to figure out if I can do that using the PHP SDK functions or not.

Also, what’s the difference between the 24 hour end-of-life and the 45 day expiration?

You have an access token and a refresh token. Initial auth needs user input (yours) to log in and provide OAuth access; then, using the refresh token, you can regenerate the access token before it expires, so that way you extend the life of your authorisation without any additional user input. Follow the docs and learn more about the OAuth mechanism.

By the way, the function I was looking to refresh the token is `$infusionsoft->refreshAccessToken();` No need to use an API with the SDK. This was easy. I just wish I could’ve found this in the documentation.

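The refresh flow from the numbered steps in this thread, applied to the case where one administrative grant serves every user of the application, as an added PHP 8 example that is not code from the thread or from the Keap SDK. It assumes a single owner-only JSON token file in place of a database plus in-memory cache, and a caller-supplied `$refresh` callable, which with the PHP SDK would wrap the `$infusionsoft->refreshAccessToken()` call named in the thread; all function and file names are hypothetical.

```php
<?php
// Added example; getAccessToken(), the token file and the $refresh callable are hypothetical names.
const REFRESH_MARGIN = 3600; // refresh once less than ~1h of access-token life remains

// $refresh(string $refreshToken) must return access_token, refresh_token, expires_in.
function getAccessToken(string $file, callable $refresh, ?int $now = null): string
{
    $now = $now ?? time();
    $old = umask(0077);                 // tokens are credentials: create the store owner-only
    $fh = fopen($file, 'c+');           // create if missing, never truncate on open
    umask($old);
    if ($fh === false) {
        throw new RuntimeException('cannot open token store');
    }
    try {
        flock($fh, LOCK_EX);            // one refresh at a time across web workers and cron
        $tok = json_decode(stream_get_contents($fh) ?: 'null', true);
        if (!is_array($tok) || empty($tok['refresh_token'])) {
            throw new RuntimeException('no stored grant: authorize once interactively');
        }
        if (($tok['access_expires'] ?? 0) - $now > REFRESH_MARGIN) {
            return $tok['access_token']; // still valid, no call to /token
        }
        $new = $refresh($tok['refresh_token']);
        // The refresh token is replaced on every refresh: persist the new pair
        // while still holding the lock, or the grant is lost.
        $tok = [
            'access_token'   => $new['access_token'],
            'refresh_token'  => $new['refresh_token'],
            'access_expires' => $now + (int) $new['expires_in'],
        ];
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($tok));
        fflush($fh);
        return $tok['access_token'];
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Constructed demo: an expired token pair and a stub in place of the real refresh call.
$file = sys_get_temp_dir() . '/keap_token_demo.json';
file_put_contents($file, json_encode(
    ['access_token' => 'old-at', 'refresh_token' => 'rt-1', 'access_expires' => 0]));
$stub = fn(string $rt) => ['access_token' => 'new-at', 'refresh_token' => 'rt-2', 'expires_in' => 86400];
echo getAccessToken($file, $stub), "\n";                            // expired: refreshes and stores the new pair
echo getAccessToken($file, fn() => throw new LogicException), "\n"; // fresh: served from the store
```

Because every user request and any cron job go through the same locked function, two workers cannot both spend the same refresh token, and the stored grant never falls behind the one the server last issued.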