How to get started with API Authentication

We have a new infusionsoft account, and I’ve created an account on The documentation is lacking on how to get started. When I tried to use the sample .net application to simply authenticate it tells me Invalid Configuration…please contact Support. I called support, and they said they don’t know anything about the API.


  1. How do I authenticate to our infusionsoft account?
  2. How is the developer account and the regular infusionsoft account linked together?
  3. What should the application value be below? On the developer side I can set the application name to be whatever, but I don’t see how that ties back to our infusionsoft account.

Here is my sample code where I was trying to authenticate:
private static void LegacyAuth()
const string application = “”;
const string apiKey = “”;

        var customer = new Customer(application, apiKey);
        var client = customer.Connect();

        client.MethodListener = new ConsoleMethodListener();

        //UPDATE a contact
        Console.Out.WriteLine(client.ContactService.Update(4393, setter =>
                setter.Set(c => c.FirstName, "Joe");
                setter.Set(c => c.LastName, "Bobertson");


So I was able to get the XML service working by using postman. However, when I try to do the same things through the sample .net application I get this exception:

An unhandled exception of type ‘CookComputing.XmlRpc.XmlRpcInvalidXmlRpcException’ occurred in CookComputing.XmlRpcV2.dll

Additional information: Response XML not valid XML-RPC - root element not methodResponse.
Here is the code I’m using, using OAuth2:

    private static void OAuth()
        const string application = "";
        const string accessToken = "";

        var customer = new OAuthCustomer(application, accessToken);
        var client = customer.Connect();

        var users = client.DataService.Query<User>();

        var currentUser = client.DataService.GetUserInfo();

        //UPDATE a contact
        Console.Out.WriteLine(client.ContactService.Update(4393, setter =>
            setter.Set(c => c.FirstName, "Joe");
            setter.Set(c => c.LastName, "Bobertson");


Also, is there a way to have a token that is permanent? I have a website where my customers contact information will be updated. I need to be able to update contacts in infusionsoft as it occurs on our site. Very inconvenient if I have to create a service that re-creates the token every day.

@Ben_Anderson I see you are using .NET. We don’t have a sample yet for using OAuth2 with .NET but one of our partners wrote up a blog article on how to do it a while back.

Take a look at this and let me know if you have any additional questions.

Thank you. That helps some. I can get that sample to sort of work. I had to create an access token in postman because in the sample app in this blog infusionsoft doesn’t return a “code” back to the callback. So the sample app doesn’t ever create a token. When I use the token I created in postman it works.

However, when I try to get a new access token I’m unable to get that to work. Below is my code:

            string tokenUrl = "" +

            HttpWebRequest request = HttpWebRequest.Create(tokenUrl) as HttpWebRequest;
            request.Method = "POST";
            request.KeepAlive = true;
            request.ContentType = "application/x-www-form-urlencoded";

            string authorizationHeaderText =
                Convert.ToBase64String(Encoding.UTF8.GetBytes(DeveloperAppKey + ":" + DeveloperAppSecret));
            request.Headers[HttpRequestHeader.Authorization] = authorizationHeaderText;

            string resultJSON = string.Empty;
            using (WebResponse response = request.GetResponse())
                var sr = new StreamReader(response.GetResponseStream());
                resultJSON = sr.ReadToEnd();

            var jsonSerializer = new JavaScriptSerializer();

            var tokenData = jsonSerializer.Deserialize<TokenData>(resultJSON);

        catch (Exception exception)

When I run this I get a 401 Unauthorized even though I’m using a valid access token that works in the sample app.

  1. What am I doing wrong in the code above?
  2. Can I make calls to the infusionsoft api from my web api project without having to authorize and login every time?

HI, I think you need change:

request.Headers[HttpRequestHeader.Authorization] = authorizationHeaderText;
request.Headers[HttpRequestHeader.Authorization] = "Basic " + authorizationHeaderText;



When trying to just initially get the code that will be used to get an access token, I am getting a “Response for preflight is invalid (redirect)” error… I am supplying these as headers:

Shouldn’t that be getting rid of that error? Honestly have been searching for hours and haven’t found a solution… I am sure I am probably doing something dumb.

I’m not sure why you would think there is a need to open CORS but most servers that are not open to CORS will fail your request right out of the gate.

Okay. I just had a gross misunderstanding of how this works, but I figured that out. I successively get the code, but now when I issue the token request, I get a 403 cors origin denied error… Honestly very very new to all of this, so they only thing I could guess what that means is that the infusionsoft api server doesn’t trust my origin domain? Sorry for the naiveness!

If you request CORS it will get denied. Completely remove that header entry.

This is currently my only header that I am supplying

        'Content-Type': 'application/x-www-form-urlencoded'

If I take that away, I still get the 403. Should I be supplying different/no headers?

So which implementation are you using? iSDK, API or REST?

Not sure what the difference between API and REST is (REST is a type of API I thought?) but I am using REST. Angular 2(v. 4.1.1) is my framework.

REST is managed by sending information to an endpoint and the API requires communication through objects provided in the api support files. So then, what method are you using to post out with?

Are you meaning As in what method in Angular am I using?

I mean that what you’re doing isn’t generally done directly from js but rather ajax’ed to a script (php) that handles the request and sends back the results. I’m not certain js is even allowed to directly make that call to that endpoint.

So I guess I will kind of explain what I am trying to accomplish

Basically I am creating a VERY simply webapp. The user enters in an email, and the program displays if it exists in both Infusionsoft, and JIRA. I have no expierence with php, but if I am understanding it right, if I were creating a pure mobile app, I would have to also create a webserver that is hosted that talks as a middle man, correct? Or can the php script reside on the client as well and talk as the middle man there? I’m not opposed to creating a server to handle it, but if I can avoid it that would be nice.

You would need a server to run hosted services yes. But you would need that anyway to keep the access token refreshed and the new generated ones accessible to the mobile app. In Jquey to post to request campaign information, this would be an example of what to do (with private information replaced):

var settings = { "async": true, "crossDomain": true, "url": "[Your campaign id here]?optional_properties=goals%2Csequences&access_token=[Your access token here]", "method": "GET", "headers": { "cache-control": "no-cache" } }

$.ajax(settings).done(function (response) {

Just as an update:

Got it to work in postman. The issue is the origin in the program. This is fully possible in typescript as the jquery you gave me is used extensively in Angular 1, and seeing as how it works in postman then it will definitely work in typescript.

The 403 CORS origin error is due to my local server not being whitelisted… is there anyway that you know how to get that whitelisted? I have verified this in postman(in postman you have the ability to change the origin) if I change the origin to I get a successful response. If I change it to my local server, it fails.

I know I would have to create a server anyway, but the server I am creating would be very minimal(mainly just for storage.) The application I am developing is technically only for two people, and we are not talking about gobs of information being handled client side.

The code I posted above came from postman. Are you calling from http or https? There are TLS requirements to consider as well.

I was originally calling from http, but thought maybe infusionsoft would only send a valid response to HTTPS so I created a self signed cert for development, and told my browser to trust it. I feel like having an official cert for development should not be required… So as of right now I am using https with a self signed cert.