List all authorized apps?

Hi InfusionSoft Friends,

I just created an app and used the client_id to authorize against an IS instance.
How do I see a list of all authorized apps for an IS instance and their permissions?
Additionally, from the app POV, how do I see a list of all the IS instances that the app is authorized with?

Thank you

Don’t know of a way that you can. If you have more than one app authorized through your dev account then it would be far more advisable to manage this in a database since you would have to manage refreshing tokens anyway.

Hey John so if we want to unauthorize previously authorized app there is no way to do that?

I’ll have to check. But I don’t think there is an “unauthorized” since the access key is only 24 hours good, just letting it expire amounts to the same thing because the user would have to give permission in order to re authorize.

I’m not clear on what you are asking here; when a user authorizes a partner app against an Infusionsoft Application, the app is sent an Access Token and Refresh Token in the redirect response and is expected to persist them. Those tokens allow a connection to the Infusionsoft Application that they were generated for, they are not a general-purpose user identifier.

Your flow should look something like this:

  1. User creates an account on your app.
  2. User clicks a button that redirects to Infusionsoft.
  3. User chooses the Infusionsoft Application they would like to link.
  4. User is redirected back to your app with the tokens.
  5. You persist those tokens alongside your local user account.
  6. You use that token to get information about the Infusionsoft Application in question.

The list of Infusionsoft Applications that the user has authorized would be the list of tokens that you have persisted for that user.

Hey @TomScott I guess I am looking for something similar like Facebook and Google are doing with the authorized apps on your account. Example would be this

and this where you can unauthorize manually from the UI.

Now @John_Borelli I am a bit confused with the “re-authorize after 24 hours” comment. My understanding is that you’d authorize (give an app permissions) only once using the redirect or the pop-up, and after that point you’d only refresh the access token moving forward with the methods of a SDK using the refresh token every 24 hours.

Would that be a correct assumption or is the re-authorization with the UI redirect and the drop-down required all the time?

The intent for the app I’m registering is to be used by AWS Lambda function that won’t be able to handle UI redirects, just programmatic token refresh.

That’s correct, refresh. Re-authorizing would be if the token was allowed to expire and with refreshing you do not need human intervention any longer. But since the question was about de-authorizing maybe the wording got crossed. Still, let it run it’s course without refreshing and you no longer have a valid token.

We do actually have a similar interface that displays the list of authorized applications, although I don’t have any on my personal account to illustrate. It is located in Account Central on the detail modal for a given Infusionsoft Application under the Connected Apps header.

However, this is not something we expose via the API, and we generally do not have granular scopes on authorizations.

For Refresh Tokens, if you rotate as a cron job every six hours or so, you will always have a recent Token with a wide margin for maintaining the authentication.


@TomScott yes that is exactly what I was looking for, thank you :slight_smile: It would be cool if there is a similar view from the custom app’s perspective in the dev portal to see which IS instances are connected, but this does the trick for now.

One last question (kinda related). If I understand correctly, you are saying that if the access token is left to expire, re-authorization will be needed so in order to not let that happen a cron would be needed to keep the access token always fresh?

I’m sorry, I just checked with our auth developer @bradb and I got the times wrong:

Access Tokens are now a 24 hour expiration, Refresh Tokens are set to expire after six months. The rotation would still be required via cron or triggered by a user login or somesuch, but not frequently.


Thank you @TomScott and @John_Borelli for your answers.

I just also stumble upon this Making OAuth Requests Without User Authorization - Keap Developer Portal talking about the keeping the access token fresh.

So there is no way to get the list of infusionsoft authorized applications?

Not via an exposed API, no.

1 Like

Hi Tom,

I was wondering seeing if you could kindly help with my question perhaps? Thank you!

Good evening @Federica_Zampieron!

If you have a question, feel free to post a new thread with the details, and we’ll do what we can to help. :slight_smile: