First party API access

My company has chosen Infusionsoft as our CRM and we need to be able to do server-to-server communication with the Infusionsoft API. The OAuth 2.0 spec allows for client_credential grant types to allow for server-to-server first party application communication. Does the Infusionsoft REST API support this? If not, this may be a show stopper for us and will require us to seek out a different CRM provider.

To be clear, we are not developing an application for the Infusionsoft Marketplace. This is solely to allow our server application to access information within our own Infusionsoft account. If client_credential grant types are not supported, what is the recommended way to handle this scenario?

Hi @Scott_Bennett, have a look at these prior conversations. I think it should get you going. If not, come back and let us know!

Thank you for those links. I had reviewed those threads already and I also found this article on your site: Making OAuth Requests Without User Authorization - Keap Developer Portal

I guess I was just hoping for a different answer at this point or some indication that there was some movement on this.

This scenario is pretty clearly provided for by the OAuth 2.0 spec by supporting the client_credential grant type. A Guide To OAuth 2.0 Grants - Alex Bilbie

I find it hard to believe that the answer to server-to-server communications is to have someone from our team remember to manually go in every 9 months and generate a new access/refresh token. Could you imagine if AWS required that to access resources? What happens when (not if, when) someone forgets to go in and generate a new refresh token?


I understand the frustration. We have some technical limitations around using the Client Credentials Grant that we have been working at removing. We have also started work on Personal Access tokens that are scoped to a specific application and user (similar to GitHub). We hope to have some news on this very soon.

Also for the standard Authorization Grant that we use now, you should not have to manually do anything after the first authorization. Not sure where the 9 months is coming from but Access Tokens are good for 24 hrs and the Refresh Token is good for 6 months. When the Access Token is refreshed a new Refresh Token is issued with another 6 month expiration. So if you are refreshing everyday you can go forever without user interaction.

1 Like

Ok. Glad to hear there is plans to support other authentication methods than Authorization Code grant types. Any timeframe around when we might see those?

As far as the Authorization Grant workflow, I just want to be clear, if I use the Refresh Token to generate a new Access Token, are you saying that I will also receive a new Refresh Token with another 6 month expiry? I ask because I wasn’t aware that was how those are supposed to work. My assumption was the Refresh Token was granted once upon initial authorization. If I’m wrong, then yes, we could probably use that as a work around until such time as you guys support additional authentication schemes.

Exactly correct on the refresh token. Refresh tokens are single use, so you will get a new one each time. There personal access tokens is being worked on right now.

Still no way to do a long lived token that is a secret for server to server communication?

Having a stateless component that does work is not possible under the current pattern, unless using the legacy api, which doesn’t have all of the new functions.

Is there any progress on this?
Have you been able to implement OAuth2.0 client_credential grant types?

1 Like