How to get access token

I’m trying to create a pretty simple workflow where every time a user registers for our product, we automatically add them as a contact on Keap and send them a Welcome Email using Keap.

I am struggling to get the right Access Token that I should be putting in my authorization header (e.g. Authorization: Bearer 123abc).

I tried using the access tokens from here and putting them into the authorization header but it’s giving me an invalid access token error.

Here is other place where I can find to get the clientID and clientSecret from:

But it looks like, if I follow the instructions here: Getting Started with OAuth2 - Keap Developer Portal, that that user would have to log in every time and authorize access to Keap? But since I want to automatically add users as contacts on Keap and send them Welcome Emails, having a user log in and authorize access wouldn’t work.

What’s the right way to automatically get the right access tokens to in my authorization header (e.g. Authorization: Bearer 123abc)? Thanks!

The most common pattern is your application code will forward the user to authorize their Keap instance, then they get forwarded back to your application with the Authorization Code. You can then trade that Authorization Code for a Refresh Token and an Access Token.

The Access Token is valid for 24 hours, but the Refresh Token is valid for 45 days. Once the Access Token is expired, you can use the Refresh Token to get a new Access Token, and you will receive a new Refresh Token to store that allows you to repeat the process indefinitely (until either allowed to expire or the user removes access).

Many developers additionally institute a cron or similar and store the expiration date of the Refresh Token, and make sure that they refresh any token > 30 days or so, which means that even if the user hasn’t been needing to make calls for a while the Refresh Token stays fresh and can be used without having to re-authorize.

Perfect, thank you — this is super helpful! What is the purpose of the Personal Access Tokens and the Service Account Keys then?

They are to allow users to write their own scripts to directly access their data, rather than a third-party doing so. They are thus more limited in terms of allowed access per the ToS and the quotas assigned.

Can you explain please what do you mean by the above?
I don’t see any API call in the documentation that can generate a new access/refresh token?

@George_K ,

Getting Started with OAuth2 - Keap Developer Portal describes the OAuth2 Access Code Authorization Flow with calls and parameters. Specifically, note the Refresh Request section:

Provides a new access_token that you will use to authenticate subsequent requests to the Keap API. Like the originally granted token, this expires after the amount of time in the expires_in field (in seconds). You must use the newly provided refresh_token to request a subsequent new access token. Make sure to also store the new refresh token every time you request and store a new access token.

After your access token expires, you’ll use the refresh token that was provided when your access token was initially granted to request a new access token.

Note: Once a Refresh Token is used to receive a new Access Token, you will be returned a new Refresh Token as well, which will need to be persisted in order to request the next access token.