Granting Access to an External Developer -- What is the patten?

Our website Developer (Drupal) website, needs to interact with our InfusionSoft instance.

I have an old app in place, just in case we ever started this integration. We are now starting this integration.

I want him to use his own account.

Its not clear to me the pattern here. I have shared the client_id and client_secret from the My Apps area. I have also generated an Authorization Code following the API Access link on the My Apps listing.

However, my developer is unable to make any API calls. He is first trying to get tokens (access tokens and refresh tokens), but is unable to successfully call the api.

Since there is no refresh_url in the Grant Access screen off the My Apps listing, I don’t know what to tell my developer to put in. If he leaves it blank, it fails validation. Putting in a value, resutls in 401 / no access error.

Its not clear to me what the advised pattern is here.

  1. I do not want to create an actual user account in my InfusionSoft instance for my developer.

  2. I have created an app, specifically for the website (Drupal) and InfusionSoft integration.

  3. I have generated an Authorization Code by using the client_id and client_secret from app referenced in #2 above

yet, we cannot seem to connect the dots and get the Drupal / PHP code to actually make REST API calls ? Like fetch tokens.

any thoughts as to what I am missing ?

Thanks in advance,

Here is where I got the Authorization Code for with the client_id coming from the app mentioned in #2 above.

The flow looks like this:

  1. Client ID + Secret → Access Code
  2. Access Code → Refresh Token + Access Token
  3. Access Token lasts for 24 hours, and is used as an “Authentication” = “Bearer {token}” header on all requests to the API.
  4. Refresh Token → new Refresh Token + new Access Token


That is what we are trying to do, but that flow does not work for us.

Can you break it down even further ?

is yoru #1, the Screen shot I attached ? About getting an Authorization Code ?

When our developer uses the API directly, he gets a Developer Inactive error…

when I generate an Authorization Code above, and he calls the get token REST API… he is getting invalid redirect_url … you can see on the screen shot, there is place to enter a redirct_url

Where exactly are you executing #1, for a developer external to your organization ?

Thanks in advance.



One point of clarity …
The emphasis of my query, is on the the outside, Independent Contractor… getting access to my private app …

Not the mechanics of OAUTH protection around API resources.

I have found no way to link other Developer accounts to my App.
I have found no way to link external credentials to my InfusionSoft Instance.
There is no redirect_url that makes (to me), in this authorization flow… (given how I share client_id and client_Secret from that API access screen pasted above

Also trying to figure out how to get this done, we’ve also experimented with the following:

The Developer created a Developer account.

The Developer created an App (in his account)

I tried to generate a “Partner” Authorization Code (via screen above) with his client_id, it fails saying something is wrong with my credentials.

I tried to generate a “Personal” Authorization Code (via scree above) with his client_id and client_secret, but it fails saying something is wrong with my credentials.


You’re firing off a lot of requests there, but it’s pretty straight forward; If you have your own Developer App to use and can generate the Access Code via Account Central, you can give him that Access Code directly to use to retrieve the Tokens.

OAuth2 Authentication - Keap Developer Portal ← Specific endpoint call to exchange the Access Code for Refresh/Access Tokens.
Getting Started with OAuth2 - Keap Developer Portal ← OAuth rundown that shows the steps to establish a connection
Keap REST API ← REST documentation that outlines how to make the actual API calls


I don’t know what to tell you. None of the flows are working.

When I generate an an Authorization Code, using the GUI mentioned above and provide that along with the client_id and client_secret, then the redirect_url parameter is giving him problems on next step (fetch tokens).


He needs gets an error saying Developer Inactive when he tries to do 100% API based with the client_id and client_secret I provide (from the app I created)…and I can find no place in any configuration, that associates his developer account my instance.

OR He gets presented with a login into InfusionSoft App Instance, which he does not have an account. It does not make sense to me, to have to create a real user account for InfusionSoft Front-End, to link our website to our app.

We’ve verified the client_id and client_secret work with Legacy API calls.

So the only thread that I can see where something is amiss, is that something is different with his account.


  1. Generate a personal Authorization Code in Account Central.
  2. Send POST request to{clientId}&client_secret={clientSecret}&code={authorizationCode}&grant_type=authorization_code&redirect_uri={registered app redirect URI}


That was the first thing I tried yesterday and it failed … but I’ll try it again in a little bit, when my developer is back online.

But I will go full Incognito mode, just to be safe …