REST API Without manual authorization

I was about to implement a simple integration between our web app and Keap in order to simply create a contact or apply a tag.
All I could find about authorization is that Keap requires the token to be refreshed every 24 hours (or slightly less than that) using a cron job.

Is this still the state of the art and how you think we are supposed to handle authorization?
Am I missing something?

Sorry but I’m in disbelief that using a cron job is how this was designed and considered reliable.

Do you think the XML-RPC would be an alternative?
This whole thing makes me want to switch to another service since we are just starting to use Keap.

Thanks in advance

I believe you are misunderstanding the Refresh Token grant; once you obtain authorization you get both a Refresh Token and an Access Token back. The Access Token expires 24 hours after issue, but the Refresh Token expires after 45 days. You make calls with the Access Token until it expires, then use the Refresh Token to obtain a new Refresh Token and Access Token, update your stored versions to the new ones and keep going.

So long as you use the Refresh Token within 45 days consistently you do not need a cron. Many people use one that calls and stores the Refresh Token every 30 days or so just as a safeguard in case a service goes unused for a while to prevent the token from aging out, but that’s generally just a precaution.

The OAuth2 Authorization method and Refresh Token grant is an industry standard for rotating-key security.

We provide additional documentation here regarding implementation:
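To make the refresh-token rotation described above concrete, here is an added example (it is not Keap's code and does not call the real Keap API): a small token store that asks for a new access/refresh pair only when the access token is about to expire, replaces both stored tokens each time, and detects the 45-day age-out. `FakeAuthServer` is a constructed stand-in for the token endpoint; the token strings, the `simulate()` clock and the 60-second safety margin are all assumptions for illustration.

```python
"""Added example, not Keap's code: on-demand refresh-token rotation with no cron job.
FakeAuthServer is a constructed stand-in for an OAuth2 token endpoint."""
from dataclasses import dataclass
import time

ACCESS_TTL = 24 * 3600            # access token lives 24 hours (from the post above)
REFRESH_TTL = 45 * 24 * 3600      # refresh token lives 45 days (from the post above)
SAFETY_MARGIN = 60                # assumption: refresh a minute early to avoid a 401 race


class FakeAuthServer:
    """Constructed token endpoint: issues a fresh pair and invalidates the refresh
    token that was just used, so a leaked or replayed old refresh token is useless."""

    def __init__(self, now):
        self.now = now
        self.valid_refresh = {}   # refresh token -> expiry timestamp
        self.counter = 0

    def _issue(self):
        self.counter += 1
        refresh = f"refresh-{self.counter}"
        self.valid_refresh[refresh] = self.now() + REFRESH_TTL
        return {"access_token": f"access-{self.counter}",
                "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def authorize(self):
        """Stands in for the one-time authorization-code exchange."""
        return self._issue()

    def refresh(self, refresh_token):
        expiry = self.valid_refresh.pop(refresh_token, None)
        if expiry is None or expiry < self.now():
            raise PermissionError("refresh token unknown, already used or expired: re-authorize")
        return self._issue()


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float
    refresh_expires_at: float


class TokenStore:
    """Holds the current pair (in memory here; a DB row or secret store in production)
    and refreshes lazily, replacing BOTH tokens on every refresh."""

    def __init__(self, server, now=time.time):
        self.server = server
        self.now = now
        self.tokens = None
        self.refresh_count = 0

    def bootstrap(self):
        self._store(self.server.authorize())

    def _store(self, resp):
        t = self.now()
        self.tokens = TokenSet(resp["access_token"], resp["refresh_token"],
                               t + resp["expires_in"], t + REFRESH_TTL)

    def get_access_token(self):
        """Call this before every API request; it refreshes only when needed."""
        if self.tokens is None:
            raise RuntimeError("not authorized yet")
        if self.now() >= self.tokens.refresh_expires_at:
            raise PermissionError("refresh token aged out after 45 days: user must re-authorize")
        if self.now() >= self.tokens.access_expires_at - SAFETY_MARGIN:
            self._store(self.server.refresh(self.tokens.refresh_token))
            self.refresh_count += 1
        return self.tokens.access_token


def simulate():
    """Walk a fake clock through the scenarios discussed in the thread."""
    clock = {"t": 0.0}
    now = lambda: clock["t"]
    server = FakeAuthServer(now)
    store = TokenStore(server, now)
    store.bootstrap()
    out = {"first": store.get_access_token()}
    clock["t"] += 3600                       # one hour later: same access token
    out["after_1h"] = store.get_access_token()
    clock["t"] += ACCESS_TTL                 # past 24 h: refresh happens on demand
    out["after_24h"] = store.get_access_token()
    try:                                     # the rotated-out refresh token is dead
        server.refresh("refresh-1")
        out["old_refresh_rejected"] = False
    except PermissionError:
        out["old_refresh_rejected"] = True
    clock["t"] += 30 * 86400                 # idle 30 days, still inside the 45-day window
    out["after_30_idle_days"] = store.get_access_token()
    clock["t"] += 46 * 86400                 # idle 46 days: refresh token has aged out
    try:
        store.get_access_token()
        out["aged_out"] = False
    except PermissionError:
        out["aged_out"] = True
    out["refresh_count"] = store.refresh_count
    return out


if __name__ == "__main__":
    print(simulate())
```

The only reason a scheduled job might still be useful is the last scenario: an integration that sits idle for more than 45 days loses its refresh token and needs a human to re-authorize, which is the safeguard Tom mentions.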

Thanks for the quick answer Tom.
I understand the process. I have 15 years of experience in the security industry.

The point is this application is single client (server to server), so forcing the token refresh is unnecessary, although it is standard.
A MITM obtaining the token is successful regardless of the app refreshing it every 24 hours.
And if the server is compromised, well, refreshing doesn’t give any protection either.

The refresh only makes sense if it’s another client authorizing the access to their own data for a limited period of time which is what OAuth tries to accomplish here.

I don’t want to sound harsh or anything. It’s just that nowadays the time required to integrate your app with a 3rd party service like CRM/Marketing platform is a big factor in the 3rd party service selection process.
I am falling back to your obsolete but easier to implement XML-RPC.

I know you are doing your best. Please feel free to pass this feedback to your technical lead.

I am literally cancelling a subscription we just started because this OAuth flow is convoluted. We have this same need, I just want to send data from my app to our instance on Keap.

This morning we have released the Public Access Token and Security Account Keys feature to all applications. This is an additional way to manage Auth into the Rest APIs without having to utilize OAuth.

Additional information is available here
Postman collection is available here
Documentation around currently available v2 endpoints can be found here.

Please let me know if there are any additional questions around this new auth feature or endpoints.

Tangential question: Is it fine or wrong (in some way) for me to use these keys to create my own custom contact form on my website? I want to be able to closely customize the design of my form and link it to Facebook Pixel straightforwardly, neither of which seems to be possible with the basic Keap features, so I figured I’d try using the API (I’m relatively familiar with PHP/Javascript but have done very little with APIs) to submit all the same contact information from a custom form, and I eventually ended up in this thread while trying to understand how to do that (ideally while using the REST API but not having to deal with the complex-sounding OAuth token-juggling process that I still haven’t made sense of).

I messed with postman (which you mentioned) and found that it seems pretty straightforward to use these keys to get or submit information, so I THINK I have a decent idea of how to proceed from here, but I wanted to check and see if I’m going in the wrong direction in some way. I guess because it seems odd to me that it was only 8 days ago that the ability to do this kind of thing relatively straightforwardly was added.

Of course I would make sure that the key remains server-side and is never sent to the browser.

Further tangent question (maybe this should be a separate thread…): Is it possible through the API to trigger any “when any form is submitted” automations? I see that there’s a default automation in my Keap app for sending emails to our company and to the person who submitted the contact form, and I’d like to trigger that with my custom contact form but I suspect that it won’t automatically trigger just because an API call added a new contact.

I’m thinking I could also create a different automation that sends emails when a certain tag is added to a contact, and I could apply that contact to a user (using the API) when they submit the form, but it’d be nice if there was a way through the API to just trigger any automations that are listening for “any contact form submission”.

Creating a customized form and using the PAT to submit data via the API is 100% just fine.

Regarding your tangent question, we do not have exactly what you are looking for, but we do have the ability to run a set of configured actions on ANY contact that is added or updated via the API. Again, this is 100% of all contacts though. So if you use the API anywhere else it would run the same actions on those contacts. To find this feature in Keap Classic, navigate to your Admin Settings page, click Application on the left menu, and scroll to the bottom of the page. There, you will find the two action sets “Incoming Action Set: (Add)” and “Incoming Action Set: (Update)”.
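As an added example of the custom-form approach discussed above (not Keap's code, and not a call to the real REST API), the handler below runs on the server, reads the key from the environment, validates the browser's form fields, creates the contact and applies the tag, and returns only a success flag, so the key is never sent to the browser. `KeapClientStub` is a constructed stand-in that records the calls instead of making HTTP requests; the `KEAP_API_KEY` variable name, the contact id and the tag id are assumptions.

```python
"""Added example, not Keap's code: server-side form handler that keeps the API key
out of the browser. KeapClientStub is a constructed stand-in for a real HTTP client."""
import os
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # coarse sanity check, not full RFC


class KeapClientStub:
    """Holds the key and records calls. A real client would send the key in the
    request header the Keap documentation specifies (not reproduced here)."""

    def __init__(self, api_key):
        self.api_key = api_key
        self.calls = []

    def create_contact(self, email, given_name):
        self.calls.append(("create_contact", {"email": email, "given_name": given_name}))
        return {"id": 101}   # constructed contact id

    def apply_tag(self, contact_id, tag_id):
        self.calls.append(("apply_tag", {"contact_id": contact_id, "tag_id": tag_id}))
        return True


def load_client():
    """Read the key from the server environment; never embed it in page JavaScript."""
    key = os.environ.get("KEAP_API_KEY")   # hypothetical variable name
    if not key:
        raise RuntimeError("KEAP_API_KEY is not set on the server")
    return KeapClientStub(key)


def handle_form_submission(form, client, tag_id):
    """Takes the browser's form fields, talks to the API with the server-held key,
    and returns only what the browser needs to know."""
    email = (form.get("email") or "").strip()
    given_name = (form.get("given_name") or "").strip()[:100]   # cap length
    if not EMAIL_RE.match(email):
        return {"ok": False, "error": "invalid email"}
    contact = client.create_contact(email, given_name)
    client.apply_tag(contact["id"], tag_id)      # tag drives the follow-up automation
    return {"ok": True}


if __name__ == "__main__":
    demo = KeapClientStub("constructed-demo-key")
    print(handle_form_submission({"email": "ann@example.com", "given_name": "Ann"}, demo, 42))
```

Because the staff answer notes that the Incoming Action Sets fire for every contact created or updated through the API, the tag-based automation is the narrower trigger: only submissions from this form carry the tag.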
