API Restrictions & Rate Limits

Hey everyone! I am building an application that integrates with Infusionsoft’s API. My application will be pulling contacts’ email addresses in real time.

I want to make sure our real-time pulling of email addresses does not get our application or our users’ API account blocked or restricted.

We are using an API URL and API key for connection instead of OAuth. Does anyone know what the API rate limits are? Do they vary per Infusionsoft account? Are rate limits based on how many data points we are collecting?


Legacy API limits begin with a pool of 10,000. For every API call made (regardless of what information you get back), one is subtracted from that pool. The pool is replenished at the rate of ~2/second.

Thanks @John_Borelli!

Just so I’m clear. What exactly do you mean by “Legacy”? Is that the name of a specific Infusionsoft account or type of API?

The current API and REST endpoints use the OAuth2 protocol for authentication. The only API out there that uses the API key (non-OAuth) method is the earlier ‘legacy’ API.

Thanks so much @John_Borelli!

Do you happen to know if the OAuth2 protocol has a different rate limit from the “legacy” API?

You would have to look in Mashery (where your app/client id/secret are created) to get specifics because it can be adjusted for different levels (though I don’t know the costs involved to do so). It defaults to 25 calls per second and 125,000 calls per day.

Another question just to clarify, do you mean the limits for legacy API are 10,000 api calls per day and ~2 calls per second?

No, they both work differently. The image in the previous message shows for OAuth. Legacy is pool based. So once replenished you have 10000 to work with. Use some and that number goes down. Wait for a period and that number goes up. So the legacy isn’t based on daily limits but rather pool limits/replenishing. The OAuth is based on daily limits or number of calls per second.
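A client-side throttle that mirrors the pool behaviour described above, as an added example that is not part of the original thread or Keap's own code. It assumes the figures quoted in the thread (a pool of 10,000 replenished at about 2 per second) and that the pool starts full; the class and function names are hypothetical.

```python
import time


class LegacyPoolThrottle:
    """Local mirror of the legacy pool; figures are the ones quoted in the thread."""

    def __init__(self, capacity=10_000, refill_per_sec=2.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)  # assumption: the pool starts full
        self.last = clock()

    def available(self):
        """Credit replenishment since the last check and return the pool size."""
        now = self.clock()
        earned = (now - self.last) * self.refill_per_sec
        self.tokens = min(float(self.capacity), self.tokens + earned)
        self.last = now
        return self.tokens

    def wait_needed(self, calls=1):
        """Seconds until `calls` requests fit in the pool (0.0 if they fit now)."""
        if calls > self.capacity:
            raise ValueError("batch is larger than the whole pool")
        return max(0.0, (calls - self.available()) / self.refill_per_sec)

    def spend(self, calls=1):
        """Deduct one unit per API call; False means wait instead of calling."""
        if calls > self.available():
            return False
        self.tokens -= calls
        return True


class FakeClock:
    """Constructed clock so the demo is deterministic and needs no sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    pool = LegacyPoolThrottle(clock=clock)
    burst = sum(1 for _ in range(12_000) if pool.spend())  # instant burst
    wait_for_100 = pool.wait_needed(100)  # pool is empty: 100 / 2 per second
    clock.t += 60  # one minute of replenishment
    return burst, wait_for_100, pool.available(), pool.spend(121), pool.spend(120)
```

With the default clock, call `time.sleep(pool.wait_needed())` before each request and `pool.spend()` once it is sent, so a real-time pull slows down locally before the server-side pool is exhausted.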

The current rate limits and explanation can be found here: Frequently Asked Questions - Keap Developer Portal, under “How does throttling work?”

Will a refresh token generated from this 2017-10-03_0827 have a limit of 10000 calls or 125000? I tried to use this token but it is not working.

You don’t use the refresh token for API calls. You have to use the access token. The refresh token is only used to obtain a new access token. Access tokens expire in 24 hours.

Thanks for the reply. I am currently using the API key method to do different tasks. I was going to switch to OAuth2.0 but am not sure which should be used, the access token or the refresh token. I used both and they worked. Can you guide me on what the drawback of using the refresh token is?

A refresh token will not work if you are trying to use it as an access token when making an API call. I would review RFC 6749: The OAuth 2.0 Authorization Framework for getting authorization and making API calls using an access token. You can also look at RFC 6749: The OAuth 2.0 Authorization Framework for using the refresh token to “refresh” your access token. Keap REST API explains how all this works with Infusionsoft. Hopefully that makes sense. Also, @John_Borelli has a video I am sure he can post here explaining it all.


We are using the legacy API and it appears to run out of queries after fewer than five thousand calls, and appears not to refresh for 24 hours. Is this a change that’s happened to the legacy API limits?

If you are using a Legacy Key directly against the app instance, no, nothing about that has changed.

If you are using a Legacy Key against the proxy, there is a QPS throttle in place that wasn’t available to us via the old method, but those are per-minute, not day.